Analysis
- max time kernel: 141s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 22/03/2023, 06:56
Static task: static1

Behavioral task: behavioral1
  Sample: AS000456879.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: AS000456879.exe
  Resource: win10v2004-20230221-en
General
- Target: AS000456879.exe
- Size: 461KB
- MD5: 4101ca6880258f103df2c744efda4cde
- SHA1: 90aed0f7474acd6321af277d6f9f81cf0674405d
- SHA256: d50074d48914764b355b89e387636cfbc2d5f5daf17b8afee1490c176afccfbf
- SHA512: 0668bf6b23e2fde4e6f5db97cf36a05c4819c5f12744f86e6cb0f799a0fad4ceaff43d0f15fe0b3bb417fa5143ce4b25c2b71a20d1102964606ae9182a77d049
- SSDEEP: 3072:IfY/TU9fE9PEtuoRbtv9BAthLEMw5m4i9zgngzRtunMK1L4PQw/ihbceYSgOt:+Ya64D1Mw5mZgnqiEPv/somt
Malware Config

Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 172.245.251.219:2015
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures

Async RAT payload (4 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/1400-69-0x0000000000400000-0x0000000000423000-memory.dmp  asyncrat
  behavioral1/memory/1400-72-0x0000000000400000-0x0000000000423000-memory.dmp  asyncrat
  behavioral1/memory/1400-74-0x0000000000310000-0x0000000000322000-memory.dmp  asyncrat
  behavioral1/memory/1400-75-0x0000000000400000-0x0000000000423000-memory.dmp  asyncrat

Executes dropped EXE (2 IoCs)
  pid   Process
  1172  vubdwujj.exe
  1400  vubdwujj.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  1964  AS000456879.exe
  1964  AS000456879.exe
  1172  vubdwujj.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description  Set value (str)
  ioc          \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfoktdyh = "C:\\Users\\Admin\\AppData\\Roaming\\pyudmirbwg\\cluqa.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\vubdwujj.exe\" C:\\Users\\Admin\\AppData\\Local\\"
  Process      vubdwujj.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process       procid_target
  PID 1172 set thread context of 1400  1172  vubdwujj.exe  30

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1172  vubdwujj.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1400  vubdwujj.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process          procid_target
  PID 1964 wrote to memory of 1172  1964  AS000456879.exe  28
  PID 1964 wrote to memory of 1172  1964  AS000456879.exe  28
  PID 1964 wrote to memory of 1172  1964  AS000456879.exe  28
  PID 1964 wrote to memory of 1172  1964  AS000456879.exe  28
  PID 1172 wrote to memory of 1400  1172  vubdwujj.exe     30
  PID 1172 wrote to memory of 1400  1172  vubdwujj.exe     30
  PID 1172 wrote to memory of 1400  1172  vubdwujj.exe     30
  PID 1172 wrote to memory of 1400  1172  vubdwujj.exe     30
  PID 1172 wrote to memory of 1400  1172  vubdwujj.exe     30
Processes

1. C:\Users\Admin\AppData\Local\Temp\AS000456879.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\AS000456879.exe"
   PID: 1964
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe" C:\Users\Admin\AppData\Local\Temp\uszcl.zps
      PID: 1172
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe"
         PID: 1400
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 61KB
  MD5: e71c8443ae0bc2e282c73faead0a6dd3
  SHA1: 0c110c1b01e68edfacaeae64781a37b1995fa94b
  SHA256: 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
  SHA512: b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

- Filesize: 161KB
  MD5: be2bec6e8c5653136d3e72fe53c98aa3
  SHA1: a8182d6db17c14671c3d5766c72e58d87c0810de
  SHA256: 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
  SHA512: 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

- Filesize: 143KB
  MD5: 2507ba304a6d9308621410c2d36296a7
  SHA1: e25523ae784746d60c47cf06eae60cf61e988050
  SHA256: aab883c874ded8ea1c747f001eca69bc9a8f8349ae7ee2dfd5e910f54bfe72f8
  SHA512: 9ac7f6f5baf5715001faa34ec8cc655f1af87a2515ff7f93b131d965d8f93921b34abd5874a99b7a8ba064f783cd219652913724259fae846783a1a33ef016dc

- Filesize: 7KB
  MD5: 0af0a947a024be23f1ca48d932eacd1e
  SHA1: 747ec7d3e0879017c45b911d20b90d9e7257e90d
  SHA256: 429576f6e3310e8f0a0033207e8c11c565c545846dc292048feec5df38a1eca2
  SHA512: b9c6cdbfc1232fb290231217dea23bca16eb1db7658f19af4fad29f72b13c033f902487df8ca27d554b5f1c3f302a2bc9ef030870b5e71a80eaa1f78aa36e5dd

- Filesize: 4KB
  MD5: adba09c1a1bae1fca7a24748a8088b28
  SHA1: 1657b9e782e90e3ea7c97a0da9efde1568089d56
  SHA256: 9fafdf42926181bee4b0e814907d060568e9578a9ac834069638c699757f2e4b
  SHA512: c4b8f329eb42bd4a6ec931366a9cf44be97f406570adf4c4e328da8e032b0b5c00f1ff638760b3183607207f4297b2dc0a818c959187040c229c716a1ee74492