Analysis
max time kernel: 53s
max time network: 147s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 10-04-2023 07:15
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
General
Target: tmp.exe
Size: 57KB
MD5: 7422d3af2fc6d1f7ecef432d86353456
SHA1: fd470052846183329edd22a923d070ad71ba79cc
SHA256: ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4
SHA512: 24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a
SSDEEP: 1536:aIUw2xx5XbyB/licYH6GlQZXRwA2IJYkbHTH1lmK9Xx:aIUw2xx5Xb0/EcYH6GlQEANCkbHTNVx
Malware Config
Extracted
Family: asyncrat
Version: | Edit 3LOSH RAT
Botnet: A&H
C2: aboreda.linkpc.net:6666
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  delay: 10
  install: true
  install_file: WindowsUpdate.exe
  install_folder: %AppData%
Signatures

Async RAT payload (6 IoCs)
Processes (resource / yara_rule):
  behavioral1/memory/1556-54-0x0000000000140000-0x0000000000154000-memory.dmp  asyncrat
  \Users\Admin\AppData\Roaming\WindowsUpdate.exe  asyncrat
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe  asyncrat
  C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe  asyncrat
  behavioral1/memory/2044-68-0x0000000000950000-0x0000000000964000-memory.dmp  asyncrat
  behavioral1/memory/2044-69-0x0000000000340000-0x0000000000380000-memory.dmp  asyncrat

Executes dropped EXE (1 IoC)
Processes (pid / process):
  2044  WindowsUpdate.exe

Loads dropped DLL (1 IoC)
Processes (pid / process):
  672  cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
Processes (pid / process):
  1296  timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (pid / process):
  1556  tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege  1556  tmp.exe
  Token: SeDebugPrivilege  2044  WindowsUpdate.exe

Suspicious use of WriteProcessMemory (23 IoCs)
Processes (description / pid / process / target process; repeated events collapsed with a count):
  PID 1556 wrote to memory of 1032  1556  tmp.exe  cmd.exe  (4 events)
  PID 1556 wrote to memory of 672  1556  tmp.exe  cmd.exe  (4 events)
  PID 1032 wrote to memory of 1208  1032  cmd.exe  schtasks.exe  (4 events)
  PID 672 wrote to memory of 1296  672  cmd.exe  timeout.exe  (4 events)
  PID 672 wrote to memory of 2044  672  cmd.exe  WindowsUpdate.exe  (7 events)
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\tmp.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"'
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4E5F.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp4E5F.tmp.bat
Filesize: 157B
MD5: 8a327bf63b992df4786731524f1bf2af
SHA1: e682c7fcbb35b83dba090dd54e6c722666002329
SHA256: e48cc1976db7ba5a456609305b2c5c2b361265b270b25092249864a30cabac01
SHA512: a285dfa2d26cac2af4fecb9697e986a0ccd0c263ae600fb2cf55acc1fd3507fc9eab19ff49b23ef3ce47158941c58abb1c0567a888840ecc9fd852aaabd48c49

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
Filesize: 57KB
MD5: 7422d3af2fc6d1f7ecef432d86353456
SHA1: fd470052846183329edd22a923d070ad71ba79cc
SHA256: ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4
SHA512: 24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a

\Users\Admin\AppData\Roaming\WindowsUpdate.exe
Filesize: 57KB
MD5: 7422d3af2fc6d1f7ecef432d86353456
SHA1: fd470052846183329edd22a923d070ad71ba79cc
SHA256: ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4
SHA512: 24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a

Memory dumps (resource / Filesize):
  memory/1556-54-0x0000000000140000-0x0000000000154000-memory.dmp  80KB
  memory/1556-55-0x0000000004A10000-0x0000000004A50000-memory.dmp  256KB
  memory/2044-68-0x0000000000950000-0x0000000000964000-memory.dmp  80KB
  memory/2044-69-0x0000000000340000-0x0000000000380000-memory.dmp  256KB
  memory/2044-87-0x0000000000340000-0x0000000000380000-memory.dmp  256KB