Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 21:45
Static task: static1
Behavioral task: behavioral1
  Sample: A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe
  Resource: win10v2004-20241007-en
General
Target: A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe
Size: 2.0MB
MD5: a6c1f985465f58baa96e2fb863368258
SHA1: 48dbf29f9719644738fd849fb22e10e6e4f51d7c
SHA256: a4b02b376cc1b68b65ec04e802746b9befc7d4db84a749ebf7b7aa1371628275
SHA512: c9ac3680661a3af08aa468c37ab3fb80a7e8085561e6f845b18fa16154ce117661b862a1147135f533850b71ef676c7339f200029b321058ed84cea27df996ba
SSDEEP: 49152:3AI+Fl/k/n8JIgBeMCoT+DheCsR15+Vgy7tNByI6Aop:3AI+Fl/kPhghCS+FyCCy7tNBj6Aop
Malware Config
Extracted
asyncrat
0.5.7B
Default
novachrono.dyndns-ip.com:55319
novachrono.dyndns-ip.com:51397
AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: repair-win.exe
install_folder: %AppData%
Signatures
Asyncrat family

Async RAT payload (2 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1052-121-0x00000000003E0000-0x00000000003F2000-memory.dmp  family_asyncrat
behavioral1/memory/796-160-0x00000000002E0000-0x00000000002F2000-memory.dmp   family_asyncrat

Executes dropped EXE (7 IoCs)
pid   Process
2052  data-com.exe
2944  com-win867.exe
2308  netshare-winw.exe
2332  repair-winv.exe
1052  repair-winv.exe
2840  repair-win.exe
796   repair-win.exe

Loads dropped DLL (28 IoCs; identical rows collapsed, the entries column gives the count)
pid   Process                                                                entries
2468  A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe  1
2052  data-com.exe                                                           12
2308  netshare-winw.exe                                                      1
2944  com-win867.exe                                                         2
2332  repair-winv.exe                                                        3
1380  WerFault.exe                                                           6
484   cmd.exe                                                                1
2840  repair-win.exe                                                         2

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (2 IoCs)
description                          pid   Process          procid_target
PID 2332 set thread context of 1052  2332  repair-winv.exe  34
PID 2840 set thread context of 796   2840  repair-win.exe   42

Drops file in Program Files directory (2 IoCs)
description                   ioc                                                   Process
File opened for modification  C:\Program Files (x86)\Common Files\data-com.exe      A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe
File opened for modification  C:\Program Files (x86)\Company\launcher\launcher.exe  A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
1380  2944        WerFault.exe  29
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netshare-winw.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  repair-winv.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  repair-win.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  data-com.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  com-win867.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  repair-win.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  repair-winv.exe
NSIS installer (6 IoCs)
resource                                     yara_rule
behavioral1/files/0x0009000000012117-28.dat  nsis_installer_1
behavioral1/files/0x0009000000012117-28.dat  nsis_installer_2
behavioral1/files/0x0009000000016b86-41.dat  nsis_installer_1
behavioral1/files/0x0009000000016b86-41.dat  nsis_installer_2
behavioral1/files/0x0009000000016c89-63.dat  nsis_installer_1
behavioral1/files/0x0009000000016c89-63.dat  nsis_installer_2

Delays execution with timeout.exe (1 IoCs)
pid  Process
612  timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2456  schtasks.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs; identical rows collapsed, the entries column gives the count)
pid   Process          entries
2944  com-win867.exe   4
2332  repair-winv.exe  4
1052  repair-winv.exe  3
2840  repair-win.exe   4

Suspicious behavior: MapViewOfSection (2 IoCs)
pid   Process
2332  repair-winv.exe
2840  repair-win.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1052  repair-winv.exe
Token: SeDebugPrivilege  796   repair-win.exe

Suspicious use of WriteProcessMemory (50 IoCs; identical rows collapsed, the entries column gives the count)
description                       pid   Process                                                                procid_target  entries
PID 2468 wrote to memory of 2052  2468  A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe  28             4
PID 2052 wrote to memory of 2944  2052  data-com.exe                                                           29             4
PID 2052 wrote to memory of 2308  2052  data-com.exe                                                           30             4
PID 2052 wrote to memory of 2332  2052  data-com.exe                                                           31             4
PID 2944 wrote to memory of 1380  2944  com-win867.exe                                                         33             4
PID 2332 wrote to memory of 1052  2332  repair-winv.exe                                                        34             5
PID 1052 wrote to memory of 2752  1052  repair-winv.exe                                                        35             4
PID 1052 wrote to memory of 484   1052  repair-winv.exe                                                        37             4
PID 2752 wrote to memory of 2456  2752  cmd.exe                                                                39             4
PID 484 wrote to memory of 612    484   cmd.exe                                                                40             4
PID 484 wrote to memory of 2840   484   cmd.exe                                                                41             4
PID 2840 wrote to memory of 796   2840  repair-win.exe                                                         42             5
Processes
(process tree; the number is the nesting depth, each entry lists image path, command line, triggered signatures and PID)

1. C:\Users\Admin\AppData\Local\Temp\A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2468

   2. C:\Program Files (x86)\Common Files\data-com.exe
      Command line: "C:\Program Files (x86)\Common Files\data-com.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2052

      3. C:\Users\Admin\AppData\Local\Temp\com-win867.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\com-win867.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         PID: 2944

         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 516
            - Loads dropped DLL
            - Program crash
            PID: 1380

      3. C:\Users\Admin\AppData\Local\Temp\netshare-winw.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\netshare-winw.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         PID: 2308

      3. C:\Users\Admin\AppData\Local\Temp\repair-winv.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\repair-winv.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         PID: 2332

         4. C:\Users\Admin\AppData\Local\Temp\repair-winv.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\repair-winv.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1052

            5. C:\Windows\SysWOW64\cmd.exe
               Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "repair-win" /tr '"C:\Users\Admin\AppData\Roaming\repair-win.exe"' & exit
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               PID: 2752

               6. C:\Windows\SysWOW64\schtasks.exe
                  Command line: schtasks /create /f /sc onlogon /rl highest /tn "repair-win" /tr '"C:\Users\Admin\AppData\Roaming\repair-win.exe"'
                  - System Location Discovery: System Language Discovery
                  - Scheduled Task/Job: Scheduled Task
                  PID: 2456

            5. C:\Windows\SysWOW64\cmd.exe
               Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.bat""
               - Loads dropped DLL
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               PID: 484

               6. C:\Windows\SysWOW64\timeout.exe
                  Command line: timeout 3
                  - System Location Discovery: System Language Discovery
                  - Delays execution with timeout.exe
                  PID: 612

               6. C:\Users\Admin\AppData\Roaming\repair-win.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\repair-win.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of WriteProcessMemory
                  PID: 2840

                  7. C:\Users\Admin\AppData\Roaming\repair-win.exe
                     Command line: "C:\Users\Admin\AppData\Roaming\repair-win.exe"
                     - Executes dropped EXE
                     - System Location Discovery: System Language Discovery
                     - Suspicious use of AdjustPrivilegeToken
                     PID: 796
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 990B
MD5: ca6477ef69993246149bd34b857651db
SHA1: 01411f9b09d58c6ea7f4068ace6207db4fb1b46f
SHA256: 10c7923013668a793ba279dff60675fde5077234e5b2be84dd7c297d43540ad6
SHA512: 02e5c2b806f58774e3f5b7d0b71c2c3ced543170ab643d211a6839ddb82676a88a321bfcccc65700272b0b9595193d8c2573bf7f477b945d1a8e798e7f7226fe

Filesize: 1KB
MD5: 0b61e9b2d174d66a91074558158d061c
SHA1: 93d625d555981387466aca8018075b1195496b9c
SHA256: 20d1cea77432e36ac12c16a2636344d92fab61c3f349444f3a7808ab3f57a1ac
SHA512: 6ad59fd9f375d5e2b0e92ecb60406523f9333fff8a837963fb685ed3bf40f888c2d4847d4be6cfda16e1bfc668eb21d2724d073504af1bbf82a18aca58e9577f

Filesize: 6KB
MD5: a7032131575edf08d718f4d3a1343e99
SHA1: 4f6fef19c9b8f75f9e962fd3c78e92cd3b836446
SHA256: 8a4bd6e4675e40248040db34c43fbf4bf7f8d0a67404efb4bed3d7a47f2c6dbd
SHA512: a6f47acff9d8b1bf48f9c8f3a64b75a8f3e5be071ac378eaa46252eaf27c84b075347ae052390ed892f17d820d7fda7a516298b787cda02718cd47bcf8c0a0a0

Filesize: 118KB
MD5: 31dd3087ad33376599520916bd5e01c6
SHA1: 8f885821619d0b5721b5660a5c5170f20feb49c1
SHA256: 7d1fb3094f3330e47c6f2607ea48b4ca1e63e6fdc8d2d615ac2d682096af965e
SHA512: 819e1a187c26097f668fe178ad76a2200808bf0b001b56f7b6a7442c5145421302eb31a500a4a98989a4041efdc9d537015a98e6d079ab44e0f8dcecf12b4884

Filesize: 154B
MD5: a96b2b98280548d2ed91afaf46a929d7
SHA1: 258c273c58afa506230678605d44e17703327baf
SHA256: b67bc13cbeed6962dad8e8b75d63b2020b729f4b407759983de893c8d9c962db
SHA512: c0b0d04f961b102fee39e40ff443bae3ec0dd31c4b372f19c4ce70539d444bdbdbec2454080c03c87aa678af0685e98a91f0314c5ca783b868270560b8c526a5

Filesize: 10KB
MD5: e6ad792dd8ea01b5c3d1358782d0a7b3
SHA1: 35a3f7e97ab74b8c7c7844be275eb93ebbc3be20
SHA256: 9db645f6dc6d6a242e9c4629b06929c5cadcf7842e16f245aba57d535a6d3af0
SHA512: 30162aefb98f580638c7cffc3a917b67f3a3375ea96706584351f016d0a1968393b33767e9b0f15d1730d5a9bbc559c455b454f481f383d7727487391d8cf89a

Filesize: 1.6MB
MD5: c4f5279ac008bd516fac948b9ed07ef4
SHA1: dfd6b2cde45d61cb5f470d7cc9aa02ea14a88b0c
SHA256: e62f25c348f1a803072a3fa6991c3c624982f1a0db33a835af27ec22bab577f6
SHA512: 54c5c1c397c3c9a2a3737447b7e2b1b048ffcaa8478453fb25bc9c4e9c9204a58f41318b80ff806c91cd77e09bac47152bc3ea56ce7faaa088f7f20d67632bd3

Filesize: 454KB
MD5: ece598774bd28cbe3caa0ee1f2212725
SHA1: 48433d51044b0d1c9e802a6c95f9c994b5b0a142
SHA256: 7ed2531a506e24a014493c92de25ca92fe712aa71a2ce981b14f25e053d5d5b6
SHA512: 29aad65aa5827996bfd1ffb932803f2691450aeede912c0e6f60712af8b622b517b440bade503fbc076bb4245817fba1823bb54b1fadaddaab4c3057ca91b70b

Filesize: 793KB
MD5: 937e8c3bed1eae721daf1b8aa0e2ae38
SHA1: a53fd1565b9d92986db6383830cadee69dfe8723
SHA256: 69988bab12a838d28a2cca55bddb05da74ec8653ac887f8f0340a178325f2872
SHA512: 277edd5c91ca22661d08d9e456f0b93666c3e0906af2fe589a68b9cdf565d51666030907f8096837ac5bcc33072d5df27bd5f543a90d24cb08db0a1f8be66a70

Filesize: 11KB
MD5: fccff8cb7a1067e23fd2e2b63971a8e1
SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Filesize: 502KB
MD5: 3436f616a07a2d43b067b0c7a9ee0aab
SHA1: 9acc3914853a04bfc795d8d97e7862ae0d873276
SHA256: fc3a8e4291ca21ecc1f28995bf8834e46aeddfafaf959413b2b9cd2ab87f51e3
SHA512: eb51df5c9855cc0dc310a2ea08b46e3b6b5aa190cc84e2ff6ccbc9b670352b099b35464fcad2b300086c74174fcd0105f6deb5fd6d9f96205a529f8d6b375c68