Analysis

max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/01/2024, 00:02
Static task: static1

Behavioral task: behavioral1
  Sample: 6e2fb9abe3419002ed655109d4ec85f5.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 6e2fb9abe3419002ed655109d4ec85f5.exe
  Resource: win10v2004-20231215-en
General

Target: 6e2fb9abe3419002ed655109d4ec85f5.exe
Size: 234KB
MD5: 6e2fb9abe3419002ed655109d4ec85f5
SHA1: 781f1be80c1b4e563b2314aa24b8971e42b42a80
SHA256: fa725ece6f7cf6149d8b5a637f9f254efb105e184276666ba07ef9812564626b
SHA512: 235edd74aef197bc62e7a244e71b2fa633d79e8add0a48340e9d8e8f5fc491a090968716d6d921e2beecb6115df097a65fed8ce1f33ce3167a4a46ce0534decf
SSDEEP: 3072:oF8uspQjfwe2IhASAt7q80brmX71hEbaFSkjiRrP:oWpoVhA9t7vorva+
Malware Config

Extracted family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 45.76.155.94:6606
C2: 45.76.155.94:7707
C2: 45.76.155.94:8808
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures

Async RAT payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2972-12-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
  behavioral2/memory/1832-16-0x0000000002F30000-0x0000000002F40000-memory.dmp   asyncrat

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWMonitor = "C:\\Users\\Admin\\AppData\\Roaming\\HWMonitor\\HWMonitor.exe"
  Process: powershell.exe

Suspicious use of SetThreadContext (1 IoC)
  description                                pid    Process                                  procid_target
  PID 3048 set thread context of 2972        3048   6e2fb9abe3419002ed655109d4ec85f5.exe     99

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    Process
  1832   powershell.exe
  1832   powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                pid    Process
  Token: SeDebugPrivilege    1832   powershell.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                            pid    Process                                  procid_target
  PID 3048 wrote to memory of 1832       3048   6e2fb9abe3419002ed655109d4ec85f5.exe     97
  PID 3048 wrote to memory of 1832       3048   6e2fb9abe3419002ed655109d4ec85f5.exe     97
  PID 3048 wrote to memory of 1832       3048   6e2fb9abe3419002ed655109d4ec85f5.exe     97
  PID 3048 wrote to memory of 2972       3048   6e2fb9abe3419002ed655109d4ec85f5.exe     99
  PID 3048 wrote to memory of 2972       3048   6e2fb9abe3419002ed655109d4ec85f5.exe     99
  PID 3048 wrote to memory of 2972       3048   6e2fb9abe3419002ed655109d4ec85f5.exe     99
  PID 3048 wrote to memory of 2972       3048   6e2fb9abe3419002ed655109d4ec85f5.exe     99
  PID 3048 wrote to memory of 2972       3048   6e2fb9abe3419002ed655109d4ec85f5.exe     99
  PID 3048 wrote to memory of 2972       3048   6e2fb9abe3419002ed655109d4ec85f5.exe     99
  PID 3048 wrote to memory of 2972       3048   6e2fb9abe3419002ed655109d4ec85f5.exe     99
  PID 3048 wrote to memory of 2972       3048   6e2fb9abe3419002ed655109d4ec85f5.exe     99
Processes

C:\Users\Admin\AppData\Local\Temp\6e2fb9abe3419002ed655109d4ec85f5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e2fb9abe3419002ed655109d4ec85f5.exe"
  Depth: 1, PID: 3048
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Users\Admin\AppData\Roaming\HWMonitor\HWMonitor.exe"' -PropertyType 'String'
    Depth: 2, PID: 1832
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    Depth: 2, PID: 2972
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82