Analysis
- max time kernel: 135s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2023 15:11
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe; Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: file.exe; Resource: win10v2004-20230220-en)
The results on this page are from the behavioral2 run (win10v2004-20230220-en, x64); the win7 run is listed but its results are not shown here.
General
- Target: file.exe
- Size: 307KB
- MD5: 884714bd845895cbd4377d1ba6df376e
- SHA1: 5a219cb01a10516eab59b2703d7bc4760fb5b5c0
- SHA256: 5c85b25b5b4f277770b21a77796e7e1672eb046eabb76077c703a993e237a3a7
- SHA512: 174a7585784d24e4424661a03fbcd4f4195ec9b0b36cf4e01ea7fe5f5c5d7cbed2a74cb3a030531045e57af0c7e07d53e44e7e9f3d888883ee37ea21f4da0674
- SSDEEP: 6144:Y1s6ZKvncbumIED8Qyl/RUpfPMm9Fy5RiLwFdhLoZxybN:pcbuLQyDebTLIdhLexG
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 192.3.101.190:2015
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
The delay value matches the "timeout 3" that the dropper's batch file runs before starting the copy. The install flag reads false, yet the behavioral run below drops a copy to %AppData%\svchost.exe and registers both a Run key and an on-logon scheduled task for it, so the observed behavior, not the extracted flag, should drive the assessment.
Signatures
- Async RAT payload (1 IoC)
  resource: behavioral2/memory/1312-143-0x0000000000400000-0x0000000000412000-memory.dmp; yara_rule: asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation (process: file.exe)
- Executes dropped EXE (1 IoC)
  PID 368 svchost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" (process: file.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 368 svchost.exe set thread context of PID 1312 jsc.exe. Read together with the eight WriteProcessMemory calls from 368 into 1312 below and the asyncrat YARA hit in the 1312 memory region at 0x400000, this is the dropped copy injecting the RAT payload into a freshly started jsc.exe, consistent with process hollowing. InstallUtil.exe (PID 1952) was written to as well but shows no further activity in this run.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  PID 3376 timeout.exe
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  PID 2100 file.exe (23 entries); PID 368 svchost.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 2100 file.exe; Token: SeDebugPrivilege, PID 368 svchost.exe; Token: SeDebugPrivilege, PID 1312 jsc.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2100 file.exe wrote to memory of PID 1688 cmd.exe (2); PID 2100 file.exe wrote to memory of PID 4108 cmd.exe (2); PID 1688 cmd.exe wrote to memory of PID 2136 schtasks.exe (2); PID 4108 cmd.exe wrote to memory of PID 3376 timeout.exe (2); PID 4108 cmd.exe wrote to memory of PID 368 svchost.exe (2); PID 368 svchost.exe wrote to memory of PID 1952 InstallUtil.exe (2); PID 368 svchost.exe wrote to memory of PID 1312 jsc.exe (8)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
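The two persistence artifacts above (the Run value "svchost" and the on-logon task "svchost", both pointing at %AppData%\svchost.exe) are what an analyst has to find and remove on an infected host. The following is an added example, not part of the sandbox report or of the AsyncRAT project: it parses a Run value exactly as the report shows it (REG_SZ data holding a quoted path) and a scheduled-task definition, and flags the combination that this sample uses. RUN_VALUES is copied from the report; TASK_XML is constructed by hand in the Task Scheduler XML schema to match the schtasks command the report recorded, and collecting it with `schtasks /query /tn svchost /xml` on a live host is an assumption about the collection step, not something the report shows.

```python
"""Triage Run values and scheduled tasks for the AsyncRAT persistence pattern.

Added example, not from the report. The only report data here is the Run
value; the task XML is a hand-constructed stand-in for what the real task
would export as.
"""
import ntpath
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to; anything auto-started from
# here deserves a look.
USER_WRITABLE = ("\\appdata\\roaming", "\\appdata\\local", "\\users\\public", "\\programdata")
# Names that belong in System32; the same name elsewhere is masquerading.
SYSTEM32_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "dllhost.exe"}

# Run value copied from the report (name -> data). The report renders the data
# with escaped quotes; the actual REG_SZ content is the quoted path below.
RUN_VALUES = {"svchost": '"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"'}

# Constructed task definition (assumption) matching the report's command:
#   schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"</Command></Exec></Actions>
</Task>"""


def exe_from_command(cmd):
    """Pull the executable path out of a command string, honouring the leading
    quote pair that Run values and task actions usually carry."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess_path(path):
    """Tags describing why an auto-start target looks wrong; [] if it looks fine."""
    tags = []
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE):
        tags.append("user-writable-location")
    if ntpath.basename(low) in SYSTEM32_NAMES and not low.startswith("c:\\windows\\system32\\"):
        tags.append("system-binary-name-collision")
    return tags


def check_run_values(values):
    """Return {name: {"exe", "tags"}} for the Run values worth investigating."""
    flagged = {}
    for name, data in values.items():
        exe = exe_from_command(data)
        tags = assess_path(exe)
        if tags:
            flagged[name] = {"exe": exe, "tags": tags}
    return flagged


def check_task_xml(xml_text):
    """Summarise trigger, run level and action of one task and flag the
    logon + HighestAvailable + user-writable-target combination."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig is None else [t.tag.rsplit("}", 1)[-1] for t in trig]
    level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=TASK_NS)
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    exe = exe_from_command(cmd)
    tags = assess_path(exe)
    if "LogonTrigger" in triggers and level == "HighestAvailable" and tags:
        tags.append("logon-highest-from-user-dir")
    return {"triggers": triggers, "run_level": level, "exe": exe, "tags": tags}


if __name__ == "__main__":
    print(check_run_values(RUN_VALUES))
    print(check_task_xml(TASK_XML))
```

The quote handling matters: the Run data and the task action both wrap the path in double quotes, and a naive split on spaces would cut a path such as C:\Program Files\... in half. The System32-name collision check is what separates this "svchost" from the dozens of legitimate svchost.exe instances on a host.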
Processes (PIDs taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2100), command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 1688), command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2136), command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe (PID 4108), command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D07.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 3376), command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 368), command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe (PID 1952), command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe (PID 1312), command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
        - Suspicious use of AdjustPrivilegeToken
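The tree above (file.exe spawning cmd.exe for schtasks, a second cmd.exe running the temporary batch file that waits and starts the dropped svchost.exe, and that copy starting InstallUtil.exe and jsc.exe with no arguments) is what a process-creation feed shows on an infected host. The following is an added example, not part of the sandbox report: it rebuilds the chain from a constructed set of process-creation records and flags the three signals a detection engineer would key on. PIDs, image paths and command lines are copied from the report; the record layout (Sysmon Event ID 1 style fields), the parent of file.exe (unknown, so None) and the tag names are assumptions.

```python
"""Rebuild and triage the execution chain from process-creation telemetry.

Added example, not part of the sandbox report. EVENTS is constructed by
hand from the report's process tree; the field names and the None parent
of file.exe are assumptions.
"""
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "dllhost.exe"}
# .NET framework utilities commonly used as hollowing hosts; a legitimate run
# of these carries arguments (a file to compile, install or register).
DOTNET_HOSTS = {"installutil.exe", "jsc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "aspnet_compiler.exe"}
USER_WRITABLE = ("\\appdata\\roaming", "\\appdata\\local", "\\users\\public", "\\programdata")

# Constructed records mirroring the report's tree (PIDs and command lines are the report's).
EVENTS = [
    {"pid": 2100, "ppid": None, "image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'},
    {"pid": 1688, "ppid": 2100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '
                '/tn "svchost" /tr \'"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"\' & exit'},
    {"pid": 2136, "ppid": 1688, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": 'schtasks /create /f /sc onlogon /rl highest /tn "svchost" '
                '/tr \'"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"\''},
    {"pid": 4108, "ppid": 2100, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D07.tmp.bat""'},
    {"pid": 3376, "ppid": 4108, "image": r"C:\Windows\system32\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 368, "ppid": 4108, "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    {"pid": 1952, "ppid": 368, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"'},
    {"pid": 1312, "ppid": 368, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"'},
]


def in_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def findings_for(ev):
    """Tags for one process-creation record; an empty list means nothing to flag."""
    tags = []
    image = ev["image"].lower()
    name = ntpath.basename(image)
    cl = ev["cmdline"]
    low = cl.lower()
    # T1036: a System32 binary name executing from outside the system directories.
    if name in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
        tags.append("system-binary-name-outside-system-dir")
    # T1053.005: on-logon task, highest run level, target in a user-writable directory.
    if name == "schtasks.exe" and "/create" in low:
        m = re.search(r"""/tr\s+['"]*([^'"]+)""", cl, re.IGNORECASE)
        target = m.group(1) if m else ""
        if "/sc onlogon" in low and "/rl highest" in low and in_user_writable(target):
            tags.append("schtasks-onlogon-highest-to-user-dir")
    # T1055.012: a .NET host started with a bare command line (no arguments at all).
    if name in DOTNET_HOSTS and low.strip().strip('"') == image:
        tags.append("bare-dotnet-host-launch")
    return tags


def triage(events):
    """Map pid -> tags for every record that produced at least one tag."""
    out = {}
    for ev in events:
        tags = findings_for(ev)
        if tags:
            out[ev["pid"]] = tags
    return out


def ancestry(events, pid):
    """Image names from the given pid up to the root, following ppid links."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(ntpath.basename(ev["image"]))
        pid = ev["ppid"]
    return chain


if __name__ == "__main__":
    for pid, tags in triage(EVENTS).items():
        print(pid, " -> ".join(ancestry(EVENTS, pid)), tags)
```

On a real Sysmon feed the same logic runs over Image, CommandLine, ProcessId and ParentProcessId; the ancestry walk is what turns four isolated hits into one chain rooted at file.exe, and the bare-command-line test on jsc.exe and InstallUtil.exe is the telemetry-side counterpart of the SetThreadContext and WriteProcessMemory signatures in the report.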
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6D07.tmp.bat
  Filesize: 151B
  MD5: d38e3e7e3fdb86ee4f2776acce366aab
  SHA1: 808b33fcab5f1a9be0dd250f7513bb9884eb8f06
  SHA256: 475aa41a0d1f0fc0e02263339b224c62ba52a69ba3390c3ba173cf67ef30b349
  SHA512: 20c151f6742407f1444f624a5826b912d2f1b9717abc923be3004d23257c78f8577bdce71b00cbe1368926ccae160557ed9f303a72cc8e139626955ea66492d4
- C:\Users\Admin\AppData\Roaming\svchost.exe (the report lists this file twice with identical hashes; they match the submitted file.exe, so the dropped copy is byte-identical to the sample)
  Filesize: 307KB
  MD5: 884714bd845895cbd4377d1ba6df376e
  SHA1: 5a219cb01a10516eab59b2703d7bc4760fb5b5c0
  SHA256: 5c85b25b5b4f277770b21a77796e7e1672eb046eabb76077c703a993e237a3a7
  SHA512: 174a7585784d24e4424661a03fbcd4f4195ec9b0b36cf4e01ea7fe5f5c5d7cbed2a74cb3a030531045e57af0c7e07d53e44e7e9f3d888883ee37ea21f4da0674
Memory dumps:
- memory/1312-145-0x0000000005620000-0x0000000005630000-memory.dmp, 64KB
- memory/1312-143-0x0000000000400000-0x0000000000412000-memory.dmp, 72KB
- memory/1312-148-0x0000000005FB0000-0x000000000604C000-memory.dmp, 624KB
- memory/1312-149-0x0000000006600000-0x0000000006BA4000-memory.dmp, 5.6MB
- memory/1312-150-0x00000000060C0000-0x0000000006126000-memory.dmp, 408KB
- memory/1312-151-0x0000000006FB0000-0x0000000007026000-memory.dmp, 472KB
- memory/1312-152-0x0000000007060000-0x000000000707E000-memory.dmp, 120KB
- memory/1312-153-0x0000000005620000-0x0000000005630000-memory.dmp, 64KB
- memory/2100-134-0x000001A672F50000-0x000001A672F60000-memory.dmp, 64KB
- memory/2100-133-0x000001A6589E0000-0x000001A658A32000-memory.dmp, 328KB