Analysis

- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 01-06-2023 15:11

Static task: static1

Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20230220-en
General

- Target: file.exe
- Size: 307KB
- MD5: 884714bd845895cbd4377d1ba6df376e
- SHA1: 5a219cb01a10516eab59b2703d7bc4760fb5b5c0
- SHA256: 5c85b25b5b4f277770b21a77796e7e1672eb046eabb76077c703a993e237a3a7
- SHA512: 174a7585784d24e4424661a03fbcd4f4195ec9b0b36cf4e01ea7fe5f5c5d7cbed2a74cb3a030531045e57af0c7e07d53e44e7e9f3d888883ee37ea21f4da0674
- SSDEEP: 6144:Y1s6ZKvncbumIED8Qyl/RUpfPMm9Fy5RiLwFdhLoZxybN:pcbuLQyDebTLIdhLexG
Malware Config

Extracted

- Family: asyncrat
- Version: 0.5.7B
- Botnet ID: Default
- C2: 192.3.101.190:2015
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)

| resource | yara_rule |
|---|---|
| behavioral1/memory/700-71-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat |

Executes dropped EXE (1 IoC)

| pid | process |
|---|---|
| 880 | svchost.exe |

Loads dropped DLL (1 IoC)

| pid | process |
|---|---|
| 468 | cmd.exe |

Adds Run key to start application (2 TTPs, 1 IoC)

| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | file.exe |

Suspicious use of SetThreadContext (1 IoC)

| description | pid | process | target process |
|---|---|---|---|
| PID 880 set thread context of 700 | 880 | svchost.exe | SetupUtility.exe |

Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)

| pid | pid_target | process | target process |
|---|---|---|---|
| 1684 | 700 | WerFault.exe | SetupUtility.exe |

Creates scheduled task(s) (1 TTP, 1 IoC)

Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)

| pid | process |
|---|---|
| 1168 | timeout.exe |

Suspicious behavior: EnumeratesProcesses (9 IoCs; identical entries collapsed, count shown)

| pid | process | count |
|---|---|---|
| 624 | file.exe | 1 |
| 880 | svchost.exe | 8 |

Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 624 | file.exe |
| Token: SeDebugPrivilege | 880 | svchost.exe |

Suspicious use of WriteProcessMemory (55 IoCs; identical entries collapsed, count shown)

| description | pid | process | target process | count |
|---|---|---|---|---|
| PID 624 wrote to memory of 916 | 624 | file.exe | cmd.exe | 3 |
| PID 916 wrote to memory of 540 | 916 | cmd.exe | schtasks.exe | 3 |
| PID 624 wrote to memory of 468 | 624 | file.exe | cmd.exe | 3 |
| PID 468 wrote to memory of 1168 | 468 | cmd.exe | timeout.exe | 3 |
| PID 468 wrote to memory of 880 | 468 | cmd.exe | svchost.exe | 3 |
| PID 880 wrote to memory of 796 | 880 | svchost.exe | DataSvcUtil.exe | 3 |
| PID 880 wrote to memory of 1184 | 880 | svchost.exe | cvtres.exe | 3 |
| PID 880 wrote to memory of 1628 | 880 | svchost.exe | aspnet_state.exe | 3 |
| PID 880 wrote to memory of 1400 | 880 | svchost.exe | aspnet_wp.exe | 3 |
| PID 880 wrote to memory of 1552 | 880 | svchost.exe | ngen.exe | 3 |
| PID 880 wrote to memory of 1084 | 880 | svchost.exe | AddInUtil.exe | 3 |
| PID 880 wrote to memory of 612 | 880 | svchost.exe | WsatConfig.exe | 3 |
| PID 880 wrote to memory of 604 | 880 | svchost.exe | RegSvcs.exe | 3 |
| PID 880 wrote to memory of 700 | 880 | svchost.exe | SetupUtility.exe | 12 |
| PID 700 wrote to memory of 1684 | 700 | SetupUtility.exe | WerFault.exe | 4 |

Uses Task Scheduler COM API (1 TTP)

The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\file.exe
  command: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      command: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      signatures: Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp243.tmp.bat""
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      command: timeout 3
      signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe
      command: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
        command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
        command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
        command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
        command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
        command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
        command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
        command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
        command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 168
          signatures: Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp243.tmp.bat
  - Filesize: 150B
  - MD5: 557bd695efe8977b592bfa87ed4e51ab
  - SHA1: 1b384a4964ee557076f1448a24d005e7847be25a
  - SHA256: fe5ddc10e3e2e3d6222a3e5794f10134a76b4ce682cfaa3f2b9fac000014f798
  - SHA512: 1522581325b7e64bde3f2c162d7c2cdfb397408237a5c264f38b636af4cedfdcff89a2c04cd8b4d24e137c197bf88a64de94063d49fa35c4192533ff6ba3cc38
- C:\Users\Admin\AppData\Roaming\svchost.exe (also recorded as \Users\Admin\AppData\Roaming\svchost.exe; same hashes as the submitted file.exe)
  - Filesize: 307KB
  - MD5: 884714bd845895cbd4377d1ba6df376e
  - SHA1: 5a219cb01a10516eab59b2703d7bc4760fb5b5c0
  - SHA256: 5c85b25b5b4f277770b21a77796e7e1672eb046eabb76077c703a993e237a3a7
  - SHA512: 174a7585784d24e4424661a03fbcd4f4195ec9b0b36cf4e01ea7fe5f5c5d7cbed2a74cb3a030531045e57af0c7e07d53e44e7e9f3d888883ee37ea21f4da0674
- memory/624-54-0x0000000000FC0000-0x0000000001012000-memory.dmp
  - Filesize: 328KB
- memory/624-55-0x000000001BF10000-0x000000001BF90000-memory.dmp
  - Filesize: 512KB
- memory/700-71-0x0000000000400000-0x0000000000412000-memory.dmp
  - Filesize: 72KB
- memory/880-69-0x00000000011E0000-0x0000000001232000-memory.dmp
  - Filesize: 328KB
- memory/880-70-0x0000000002730000-0x00000000027B0000-memory.dmp
  - Filesize: 512KB