Analysis
- max time kernel: 146s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 29-03-2023 01:15

Static task: static1

Behavioral task: behavioral1
- Sample: 38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe
- Resource: win7-20230220-en
General
- Target: 38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe
- Size: 519KB
- MD5: 99d1d1a753ded2c46de75059bc9f27ce
- SHA1: 6b71e8875664df78b52d741756671549993cc79c
- SHA256: 38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612
- SHA512: 15c58058a531460712aa00e684d1025f3f86084719e85a331d824229cf059fc55ef972e24a9c391a1193d123cacab3fd92c59c934d070a0c8525d44b0e784409
- SSDEEP: 12288:2ToPWBv/cpGrU3yVtX+t4VjxjCY0RNdA4k5TuuxrGn:2TbBv5rUyXVj10/dAN5KudO
Malware Config
Extracted: asyncrat 0.5.6
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- eiviqnxpqs
- delay: 5
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (8 IoCs)
  Processes (resource: yara_rule):
  - \Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe: asyncrat
  - \Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe: asyncrat
  - \Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe: asyncrat
  - \Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe: asyncrat
  - C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe: asyncrat
  - C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe: asyncrat
  - C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe: asyncrat
  - behavioral1/memory/596-85-0x0000000000150000-0x0000000000162000-memory.dmp: asyncrat
- Executes dropped EXE (2 IoCs)
  Processes (pid: process):
  - 1812: tamer.sfx.exe
  - 596: tamer.exe
- Loads dropped DLL (7 IoCs)
  Processes (pid: process):
  - 1724: 38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe
  - 1724: 38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe
  - 1724: 38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe
  - 1812: tamer.sfx.exe
  - 1812: tamer.sfx.exe
  - 1812: tamer.sfx.exe
  - 1812: tamer.sfx.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid: process):
  - 596: tamer.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid: process):
  - Token: SeDebugPrivilege, 596: tamer.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid: process -> target process):
  - PID 1724 wrote to memory of 1812, 1724: 38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe -> tamer.sfx.exe
  - PID 1724 wrote to memory of 1812, 1724: 38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe -> tamer.sfx.exe
  - PID 1724 wrote to memory of 1812, 1724: 38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe -> tamer.sfx.exe
  - PID 1724 wrote to memory of 1812, 1724: 38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe -> tamer.sfx.exe
  - PID 1812 wrote to memory of 596, 1812: tamer.sfx.exe -> tamer.exe
  - PID 1812 wrote to memory of 596, 1812: tamer.sfx.exe -> tamer.exe
  - PID 1812 wrote to memory of 596, 1812: tamer.sfx.exe -> tamer.exe
  - PID 1812 wrote to memory of 596, 1812: tamer.sfx.exe -> tamer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\tamer.sfx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\tamer.sfx.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\tamer.sfx.exe
  - Filesize: 349KB
  - MD5: 6f037981df7ed239e5f6b138a14ecbb3
  - SHA1: d97bc2f25642e576b464f732e6518563b44fea1d
  - SHA256: 8ec5ba9c65b748ba6ccdcbc63286f2a54c5bc3de241a7d3ab1b32d6664b01899
  - SHA512: 35384d7a6e7056aa6569134756e927322cb9806ba1e3613cc97e75f50b84ad27fa1bbb2251390188e5525436d083b1d239712fac8fd1491863967c7857770198
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe
  - Filesize: 46KB
  - MD5: a89bf20ec8b14beced21c9795063ff5d
  - SHA1: 7fa675d4e3d120039a8325367c5935f3727aeddf
  - SHA256: c09e0e10bc6053236b158d615f387447f6af4a8658bcd25a8bf37f56b5d9a2ae
  - SHA512: f2b6441232352bc796a0d56e1d88db24cfe9afaef1d0a39c311991f4ee5d3a17283c41b6bf1cda2b4d395d045fa5e518a447eb660f2fe6005d15ab00c80c5142
- \Users\Admin\AppData\Local\Temp\RarSFX0\tamer.sfx.exe
  - Filesize: 349KB
  - MD5: 6f037981df7ed239e5f6b138a14ecbb3
  - SHA1: d97bc2f25642e576b464f732e6518563b44fea1d
  - SHA256: 8ec5ba9c65b748ba6ccdcbc63286f2a54c5bc3de241a7d3ab1b32d6664b01899
  - SHA512: 35384d7a6e7056aa6569134756e927322cb9806ba1e3613cc97e75f50b84ad27fa1bbb2251390188e5525436d083b1d239712fac8fd1491863967c7857770198
- \Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe
  - Filesize: 46KB
  - MD5: a89bf20ec8b14beced21c9795063ff5d
  - SHA1: 7fa675d4e3d120039a8325367c5935f3727aeddf
  - SHA256: c09e0e10bc6053236b158d615f387447f6af4a8658bcd25a8bf37f56b5d9a2ae
  - SHA512: f2b6441232352bc796a0d56e1d88db24cfe9afaef1d0a39c311991f4ee5d3a17283c41b6bf1cda2b4d395d045fa5e518a447eb660f2fe6005d15ab00c80c5142
- memory/596-85-0x0000000000150000-0x0000000000162000-memory.dmp
  - Filesize: 72KB
- memory/596-86-0x000000001B0D0000-0x000000001B150000-memory.dmp
  - Filesize: 512KB
- memory/596-87-0x000000001B0D0000-0x000000001B150000-memory.dmp
  - Filesize: 512KB