Analysis
max time kernel: 148s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2023 15:31

Static task: static1
Behavioral task: behavioral1
  Sample: svchost.exe
  Resource: win7-20230220-en
General
Target: svchost.exe
Size: 4.9MB
MD5: 6a6d722b4d27203afa3c468ddc6b96b0
SHA1: de9c73b7f98ed83dd17903ef41021481e30ef369
SHA256: ddd4f8f5f13ada5e5b4bc3d0b0d1a49572b68f600ef3bda720566171f229c5c6
SHA512: 2418cdd6cf0b8e561847094a82235c83e0a146a2cbe53160f659e4a06192b51a6b7b90bf853a7901e879fc6e833928c4d061bf660e684c73d8ed8465ea1e16ab
SSDEEP: 49152:jc+tbK8sTWJ708s2iwe0bjIZaxzrzrx8l0n3JjpmdPvoM/ICr5TVD:Y+1KbTWJY8saPbjICzPrGYFpmdPg8V
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Microsoft
C2: megaplaneta01.ddns.net:4782, localhost:4782
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  delay: 3
  install: false
  install_folder: %AppData%
Signatures

Async RAT payload  (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\svchost.exe | asyncrat
  C:\Users\Admin\AppData\Local\svchost.exe | asyncrat
  behavioral2/memory/2660-205-0x0000000000E80000-0x0000000000E92000-memory.dmp | asyncrat
  C:\Users\Admin\AppData\Local\svchost.exe | asyncrat

Checks computer location settings  (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | RegAsm.exe

Drops startup file  (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | svchost.exe

Executes dropped EXE  (1 IoC)
  pid | process
  2660 | svchost.exe

Suspicious use of SetThreadContext  (1 IoC)
  description | pid | process | target process
  PID 2184 set thread context of 4200 | 2184 | svchost.exe | RegAsm.exe

Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class  (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | RegAsm.exe

Suspicious use of WriteProcessMemory  (11 IoCs)
  description | pid | process | target process
  PID 2184 wrote to memory of 4200 | 2184 | svchost.exe | RegAsm.exe  (8 identical entries)
  PID 4200 wrote to memory of 2660 | 4200 | RegAsm.exe | svchost.exe  (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\svchost.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\svchost.exe
         Command line: "C:\Users\Admin\AppData\Local\svchost.exe"
         - Executes dropped EXE
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
  Filesize: 902B
  MD5: 448752a5d912569222e464a0ea7ab541
  SHA1: b6e81e17158a138502d1330f336c5fbd1d9884ff
  SHA256: b4e28bd179b559b9eefd3d919d79e3d0a87cfaf0d897ee0ce9fb40744ca7f0c4
  SHA512: bc3f3ffb2cee12b7e874d50c1404c4e640466bef512d5026fbd8589a00c0a5301e9013b7f20c9e84ff4da0d94716f5c89079699cd584eea9541a4a9ea1499b8e

C:\Users\Admin\AppData\Local\svchost.exe  (listed three times with identical hashes)
  Filesize: 45KB
  MD5: b1c69c02c0b584f5d922dfd04710df58
  SHA1: 5e0e4c71bff4b5c26c12ecec83ba39949ad52762
  SHA256: e2faaccc18ac5e160462229aee43c32abef2040a44433e41b1c30fb86d18dbfc
  SHA512: dd338684bfad64ed127b13533e45c2a20833b2f503b636452821055017283fb52fa93c232e57821ea2833c063bd12a631a1d96a1fc3b0d0eeb8245b35f05cf93

Memory dumps:
  memory/2184-133-0x0000000000EA0000-0x0000000001396000-memory.dmp  Filesize: 5.0MB
  memory/2184-134-0x0000000006400000-0x0000000006492000-memory.dmp  Filesize: 584KB
  memory/2184-135-0x0000000006540000-0x00000000065DC000-memory.dmp  Filesize: 624KB
  memory/2184-136-0x0000000007260000-0x0000000007804000-memory.dmp  Filesize: 5.6MB
  memory/2660-205-0x0000000000E80000-0x0000000000E92000-memory.dmp  Filesize: 72KB
  memory/4200-138-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/4200-141-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/4200-142-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB