Analysis
max time kernel: 141s
max time network: 143s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 22-03-2023 06:56

Static task: static1
Behavioral task: behavioral1
  Sample: AS000456879.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: AS000456879.exe
  Resource: win10v2004-20230220-en
General
Target: AS000456879.exe
Size: 461KB
MD5: 4101ca6880258f103df2c744efda4cde
SHA1: 90aed0f7474acd6321af277d6f9f81cf0674405d
SHA256: d50074d48914764b355b89e387636cfbc2d5f5daf17b8afee1490c176afccfbf
SHA512: 0668bf6b23e2fde4e6f5db97cf36a05c4819c5f12744f86e6cb0f799a0fad4ceaff43d0f15fe0b3bb417fa5143ce4b25c2b71a20d1102964606ae9182a77d049
SSDEEP: 3072:IfY/TU9fE9PEtuoRbtv9BAthLEMw5m4i9zgngzRtunMK1L4PQw/ihbceYSgOt:+Ya64D1Mw5mZgnqiEPv/somt
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 172.245.251.219:2015
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures
Async RAT payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/1392-69-0x0000000000400000-0x0000000000423000-memory.dmp | asyncrat
  behavioral1/memory/1392-72-0x0000000000400000-0x0000000000423000-memory.dmp | asyncrat
  behavioral1/memory/1392-74-0x0000000000530000-0x0000000000542000-memory.dmp | asyncrat
  behavioral1/memory/1392-75-0x0000000000530000-0x0000000000542000-memory.dmp | asyncrat
  behavioral1/memory/1392-76-0x0000000000400000-0x0000000000423000-memory.dmp | asyncrat
-
Executes dropped EXE (2 IoCs)
  pid | process
  2024 | vubdwujj.exe
  1392 | vubdwujj.exe
-
Loads dropped DLL (3 IoCs)
  pid | process
  1920 | AS000456879.exe
  1920 | AS000456879.exe
  2024 | vubdwujj.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfoktdyh = "C:\\Users\\Admin\\AppData\\Roaming\\pyudmirbwg\\cluqa.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\vubdwujj.exe\" C:\\Users\\Admin\\AppData\\Local\\" | vubdwujj.exe
-
Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2024 set thread context of 1392 | 2024 | vubdwujj.exe | vubdwujj.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  2024 | vubdwujj.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1392 | vubdwujj.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1920 wrote to memory of 2024 | 1920 | AS000456879.exe | vubdwujj.exe
  PID 1920 wrote to memory of 2024 | 1920 | AS000456879.exe | vubdwujj.exe
  PID 1920 wrote to memory of 2024 | 1920 | AS000456879.exe | vubdwujj.exe
  PID 1920 wrote to memory of 2024 | 1920 | AS000456879.exe | vubdwujj.exe
  PID 2024 wrote to memory of 1392 | 2024 | vubdwujj.exe | vubdwujj.exe
  PID 2024 wrote to memory of 1392 | 2024 | vubdwujj.exe | vubdwujj.exe
  PID 2024 wrote to memory of 1392 | 2024 | vubdwujj.exe | vubdwujj.exe
  PID 2024 wrote to memory of 1392 | 2024 | vubdwujj.exe | vubdwujj.exe
  PID 2024 wrote to memory of 1392 | 2024 | vubdwujj.exe | vubdwujj.exe
Processes
C:\Users\Admin\AppData\Local\Temp\AS000456879.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\AS000456879.exe"
  PID: 1920
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe" C:\Users\Admin\AppData\Local\Temp\uszcl.zps
    PID: 2024
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe"
      PID: 1392
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\fobmxw.vq
  Filesize: 143KB
  MD5: 2507ba304a6d9308621410c2d36296a7
  SHA1: e25523ae784746d60c47cf06eae60cf61e988050
  SHA256: aab883c874ded8ea1c747f001eca69bc9a8f8349ae7ee2dfd5e910f54bfe72f8
  SHA512: 9ac7f6f5baf5715001faa34ec8cc655f1af87a2515ff7f93b131d965d8f93921b34abd5874a99b7a8ba064f783cd219652913724259fae846783a1a33ef016dc
-
C:\Users\Admin\AppData\Local\Temp\uszcl.zps
  Filesize: 7KB
  MD5: 0af0a947a024be23f1ca48d932eacd1e
  SHA1: 747ec7d3e0879017c45b911d20b90d9e7257e90d
  SHA256: 429576f6e3310e8f0a0033207e8c11c565c545846dc292048feec5df38a1eca2
  SHA512: b9c6cdbfc1232fb290231217dea23bca16eb1db7658f19af4fad29f72b13c033f902487df8ca27d554b5f1c3f302a2bc9ef030870b5e71a80eaa1f78aa36e5dd
-
C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe
  Filesize: 4KB
  MD5: adba09c1a1bae1fca7a24748a8088b28
  SHA1: 1657b9e782e90e3ea7c97a0da9efde1568089d56
  SHA256: 9fafdf42926181bee4b0e814907d060568e9578a9ac834069638c699757f2e4b
  SHA512: c4b8f329eb42bd4a6ec931366a9cf44be97f406570adf4c4e328da8e032b0b5c00f1ff638760b3183607207f4297b2dc0a818c959187040c229c716a1ee74492
-
memory/1392-69-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB
-
memory/1392-72-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB
-
memory/1392-74-0x0000000000530000-0x0000000000542000-memory.dmp
  Filesize: 72KB
-
memory/1392-75-0x0000000000530000-0x0000000000542000-memory.dmp
  Filesize: 72KB
-
memory/1392-76-0x0000000000400000-0x0000000000423000-memory.dmp
  Filesize: 140KB
-
memory/1392-77-0x00000000046E0000-0x0000000004720000-memory.dmp
  Filesize: 256KB
-
memory/1392-78-0x00000000046E0000-0x0000000004720000-memory.dmp
  Filesize: 256KB
-
memory/1392-97-0x00000000046E0000-0x0000000004720000-memory.dmp
  Filesize: 256KB