Analysis
max time kernel: 139s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/03/2023, 15:27
Behavioral task: behavioral1
Sample: 0x000300000002287f-434.exe
Resource: win7-20230220-en
General
Target: 0x000300000002287f-434.exe
Size: 63KB
MD5: 2d7e104a199600d550879e132d877ee7
SHA1: 9a702148bcb48c8f666d275b0b08bf2b1711e069
SHA256: 4f4432ddc88c1bca9f139589c8ce1fcaf016ff167d189e6fb6231057fdf1fff7
SHA512: c78a6954104da75ffb6a98447fe36f8297d27929a1eab540eed67e4ec42d35ad46fe0037bf29d7904f36433dce34a27b92556e4e376ef79c1914cc54676adc33
SSDEEP: 768:a3lDmSRCvHxiP7VIiz9JS8cwoLw9Qq2R1+KASmv7mqb2nFpwH1ovTGU6eLMnqGzl:acHWRbc78du1ibb2w+3bdGztpqKmY7
Malware Config
Extracted
Family: asyncrat
Version: CYB3R R4T 1.0.7
Botnet: Default
C2: ii-usd.at.ply.gg:25036
Mutex: Cyb3r_R4tMutex_Cyb3rw4rrior1011
delay: 1
install: true
install_file: syscall.exe
install_folder: %AppData%
Signatures

Async RAT payload (3 IoCs)
resource | yara_rule
behavioral2/memory/2044-133-0x000002085E090000-0x000002085E0A6000-memory.dmp | asyncrat
behavioral2/files/0x00030000000230db-141.dat | asyncrat
behavioral2/files/0x00030000000230db-142.dat | asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | 0x000300000002287f-434.exe

Executes dropped EXE (1 IoC)
pid | Process
3484 | syscall.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4264 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
404 | timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid | Process
2044 | 0x000300000002287f-434.exe (23 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2044 | 0x000300000002287f-434.exe
Token: SeDebugPrivilege | 3484 | syscall.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 2044 wrote to memory of 4112 | 2044 | 0x000300000002287f-434.exe | 89
PID 2044 wrote to memory of 4112 | 2044 | 0x000300000002287f-434.exe | 89
PID 2044 wrote to memory of 2296 | 2044 | 0x000300000002287f-434.exe | 91
PID 2044 wrote to memory of 2296 | 2044 | 0x000300000002287f-434.exe | 91
PID 4112 wrote to memory of 4264 | 4112 | cmd.exe | 93
PID 4112 wrote to memory of 4264 | 4112 | cmd.exe | 93
PID 2296 wrote to memory of 404 | 2296 | cmd.exe | 94
PID 2296 wrote to memory of 404 | 2296 | cmd.exe | 94
PID 2296 wrote to memory of 3484 | 2296 | cmd.exe | 98
PID 2296 wrote to memory of 3484 | 2296 | cmd.exe | 98

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe"
  PID: 2044
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "syscall" /tr '"C:\Users\Admin\AppData\Roaming\syscall.exe"' & exit
    PID: 4112
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "syscall" /tr '"C:\Users\Admin\AppData\Roaming\syscall.exe"'
      PID: 4264
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF8E.tmp.bat""
    PID: 2296
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      command line: timeout 3
      PID: 404
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\syscall.exe
      command line: "C:\Users\Admin\AppData\Roaming\syscall.exe"
      PID: 3484
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 151B
MD5: 61f5339dbab00d413994520055e6d203
SHA1: 0f6802af5a184d33a01ff80251f2c11db65d3d4a
SHA256: 0a0b313be845e2db6ae73c10bc737b3bca555c7ae520ca3abb94dca3e033d5b4
SHA512: 904161371c674c3f9598e3b2331938b81d7472fe270b0fc4cb199a1fe69b283cfe281625e045a951372417e33a11bd4aceb5b77952807a276d31155541bafc21

Filesize: 63KB
MD5: 2d7e104a199600d550879e132d877ee7
SHA1: 9a702148bcb48c8f666d275b0b08bf2b1711e069
SHA256: 4f4432ddc88c1bca9f139589c8ce1fcaf016ff167d189e6fb6231057fdf1fff7
SHA512: c78a6954104da75ffb6a98447fe36f8297d27929a1eab540eed67e4ec42d35ad46fe0037bf29d7904f36433dce34a27b92556e4e376ef79c1914cc54676adc33