Analysis
max time kernel: 58s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 04/05/2023, 14:03
Static task: static1
Behavioral task: behavioral1
  Sample: 33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe
  Resource: win10v2004-20230221-en
General
Target: 33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe
Size: 1.0MB
MD5: 40007c48c4a68c28353bc2263e46a8aa
SHA1: edc72a9967bda687d56ddfe0fddbca15d0c40035
SHA256: 33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11
SHA512: 2c6b5b33cf6338f8db9d81e51cdcd7782753dc25e26806a5ba8fa6c8982abc3c898c28751060f5c697a511c59ab6a4b9e24a234fa1f000ae14086815152fef77
SSDEEP: 24576:NTbBv5rUanOuF+8bQybXmmNxrndGryTBZPa:HBjbs8bQSXVdGoBZy
Malware Config
Extracted
asyncrat
0.5.7B
Default
37.120.210.219:48408
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures

Async RAT payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1852-217-0x0000000000270000-0x0000000000780000-memory.dmp  asyncrat
  behavioral1/memory/1852-219-0x0000000000270000-0x0000000000780000-memory.dmp  asyncrat
  behavioral1/memory/1852-221-0x0000000000270000-0x0000000000780000-memory.dmp  asyncrat
  behavioral1/memory/1852-222-0x0000000000270000-0x0000000000282000-memory.dmp  asyncrat

Executes dropped EXE (1 IoC)
  pid   Process
  1392  adtaa.pif

Loads dropped DLL (1 IoC)
  pid   Process
  1800  wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                 Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run         adtaa.pif
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgwp\\adtaa.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\qgwp\\xlsetqc.ppt"  adtaa.pif

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process    procid_target
  PID 1392 set thread context of 1852  1392  adtaa.pif  30

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  1392  adtaa.pif
  1392  adtaa.pif
  1392  adtaa.pif
  1392  adtaa.pif
  1392  adtaa.pif
  1392  adtaa.pif

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1852  RegSvcs.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description                       pid   Process                                                                               procid_target
  PID 2036 wrote to memory of 1800  2036  33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe  28
  PID 2036 wrote to memory of 1800  2036  33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe  28
  PID 2036 wrote to memory of 1800  2036  33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe  28
  PID 2036 wrote to memory of 1800  2036  33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe  28
  PID 1800 wrote to memory of 1392  1800  wscript.exe                                                                           29
  PID 1800 wrote to memory of 1392  1800  wscript.exe                                                                           29
  PID 1800 wrote to memory of 1392  1800  wscript.exe                                                                           29
  PID 1800 wrote to memory of 1392  1800  wscript.exe                                                                           29
  PID 1392 wrote to memory of 1852  1392  adtaa.pif                                                                             30
  PID 1392 wrote to memory of 1852  1392  adtaa.pif                                                                             30
  PID 1392 wrote to memory of 1852  1392  adtaa.pif                                                                             30
  PID 1392 wrote to memory of 1852  1392  adtaa.pif                                                                             30
  PID 1392 wrote to memory of 1852  1392  adtaa.pif                                                                             30
  PID 1392 wrote to memory of 1852  1392  adtaa.pif                                                                             30
  PID 1392 wrote to memory of 1852  1392  adtaa.pif                                                                             30
  PID 1392 wrote to memory of 1852  1392  adtaa.pif                                                                             30
  PID 1392 wrote to memory of 1852  1392  adtaa.pif                                                                             30
Processes
C:\Users\Admin\AppData\Local\Temp\33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe
  "C:\Users\Admin\AppData\Local\Temp\33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2036
  C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" Update-ed.l.vbe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1800
    C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif
      "C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif" xlsetqc.ppt
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1392
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of AdjustPrivilegeToken
        PID: 1852
Network
MITRE ATT&CK Enterprise v6
Downloads