Analysis

  • max time kernel
    140s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    01-07-2020 17:26

General

  • Target

    0f9edaa5134778747af05306ca0620cc.exe

  • Size

    213KB

  • MD5

    0f9edaa5134778747af05306ca0620cc

  • SHA1

    32872c1265e8b5e2fd1062bc33ab715decf1bafb

  • SHA256

    ff86462f1b1ab86a5283785ac242e2bcf6fcf46a39e7d2a712eceba8c0c47627

  • SHA512

    9e8a5d5aca21fa30b0d8982a16adfb9ecaa7d8f39ea6f3fa1a80271fa9344e1ee956bc9547c1feb8d0e5772f5225054c7f21fbdb48756ba33d0958d96ea0f6f4

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

migracion.linkpc.net:3468

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    OZ5Vq4Ybn4BuUPvvVZZKEF20GdI2yi3y

  • anti_detection

    false

  • autorun

    true

  • bdos

    false

  • delay

    Nuevas

  • host

    migracion.linkpc.net

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    3468

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Contains code to disable Windows Defender (4 IoCs)

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs)
  • Modifies security service (2 TTPs, 2 IoCs)
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • UAC bypass (3 TTPs)
  • Windows security bypass (2 TTPs)
  • Async RAT payload (7 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Windows security modification (2 TTPs, 4 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (3 IoCs)
  • Creates scheduled task(s) (1 TTPs, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (75 IoCs)
  • System policy modification (1 TTPs, 1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f9edaa5134778747af05306ca0620cc.exe
    "C:\Users\Admin\AppData\Local\Temp\0f9edaa5134778747af05306ca0620cc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\0f9edaa5134778747af05306ca0620cc.exe
      "C:\Users\Admin\AppData\Local\Temp\0f9edaa5134778747af05306ca0620cc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Googlechromee" /tr '"C:\Users\Admin\AppData\Roaming\Googlechromee.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:752
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Googlechromee" /tr '"C:\Users\Admin\AppData\Roaming\Googlechromee.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1528
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9980.tmp.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1500
        • C:\Users\Admin\AppData\Roaming\Googlechromee.exe
          "C:\Users\Admin\AppData\Roaming\Googlechromee.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1808
          • C:\Users\Admin\AppData\Roaming\Googlechromee.exe
            "C:\Users\Admin\AppData\Roaming\Googlechromee.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1948
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mckjeh.exe"' & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1212
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mckjeh.exe"'
                7⤵
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:588
                • C:\Users\Admin\AppData\Local\Temp\mckjeh.exe
                  "C:\Users\Admin\AppData\Local\Temp\mckjeh.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:1596
                  • C:\Users\Admin\AppData\Local\Temp\mckjeh.exe
                    "C:\Users\Admin\AppData\Local\Temp\mckjeh.exe"
                    9⤵
                    • Modifies security service
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Windows security modification
                    • Adds Run key to start application
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:1712
                    • C:\Windows\SysWOW64\schtasks.exe
                      "schtasks" /create /tn "\Microsoft\Windows\NetTrace\PerfTrack\Files\OfficeTelemetry" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\mckjeh.exe" /f
                      10⤵
                      • Creates scheduled task(s)
                      PID:396
                    • C:\Windows\SysWOW64\schtasks.exe
                      "schtasks" /delete /tn "OfficeTelemetry" /f
                      10⤵
                      PID:1812
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" Get-MpPreference -verbose
                      10⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1572
                    • C:\Users\Admin\AppData\Roaming\DateVLog\DHender.exe
                      "C:\Users\Admin\AppData\Roaming\DateVLog\DHender.exe"
                      10⤵
                      • Executes dropped EXE
                      PID:1200

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    T1053 Scheduled Task (1)
  • Persistence
    T1031 Modify Existing Service (2)
    T1060 Registry Run Keys / Startup Folder (1)
    T1053 Scheduled Task (1)
  • Privilege Escalation
    T1088 Bypass User Account Control (1)
    T1053 Scheduled Task (1)
  • Defense Evasion
    T1112 Modify Registry (7)
    T1089 Disabling Security Tools (4)
    T1088 Bypass User Account Control (1)
  • Discovery
    T1082 System Information Discovery (1)
  • Command and Control
    T1102 Web Service (1)

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa
      MD5

      5e3c7184a75d42dda1a83606a45001d8

      SHA1

      94ca15637721d88f30eb4b6220b805c5be0360ed

      SHA256

      8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

      SHA512

      fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533
      MD5

      75a8da7754349b38d64c87c938545b1b

      SHA1

      5c28c257d51f1c1587e29164cc03ea880c21b417

      SHA256

      bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

      SHA512

      798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba
      MD5

      02ff38ac870de39782aeee04d7b48231

      SHA1

      0390d39fa216c9b0ecdb38238304e518fb2b5095

      SHA256

      fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

      SHA512

      24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8
      MD5

      b6d38f250ccc9003dd70efd3b778117f

      SHA1

      d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

      SHA256

      4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

      SHA512

      67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360
      MD5

      df44874327d79bd75e4264cb8dc01811

      SHA1

      1396b06debed65ea93c24998d244edebd3c0209d

      SHA256

      55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

      SHA512

      95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e
      MD5

      be4d72095faf84233ac17b94744f7084

      SHA1

      cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

      SHA256

      b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

      SHA512

      43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
      MD5

      69f3c8bb876447f1c7c6f9cfce0c01f9

      SHA1

      2b276f3c2c41f70ad56827bf88006fd795ecb2bf

      SHA256

      6e7c711a50c1aa98b180fa526a2ff524c8fecccc6f0d4e9eff1fdad8241c9883

      SHA512

      a98db6665c7c9c9cd6a86d63f9905b4c39884c2bf83a5beaf48ad59f1fb5bd7e0830eee162486a784c853e2859f6617d35c0625f0ec699faf72333853054ed94

    • C:\Users\Admin\AppData\Local\Temp\mckjeh.exe
      MD5

      df7deff36cf58e8165b1a88b7a06e540

      SHA1

      372371478cac2cc7a83aa0edccfdb7c3e8ead2a5

      SHA256

      55a2bc076493db224b691d52a03f94686ec61bb22fbd865649068129e3d2cdd8

      SHA512

      6689996aacf0041840df21557c3d2c8d5c4415ce6d0b1dbced060ceafc7c8c67458c298d3b3d50dd93831bf47fe8452f08754a2d5501d5fd70f907e3cd0214c8

    • C:\Users\Admin\AppData\Local\Temp\tmp9980.tmp.bat
      MD5

      d91c03d83619aad0581e0d8747a1cb20

      SHA1

      dbd95d5dc0bcf0c7ad7989c666ab1879ca4702f8

      SHA256

      2228a74ab4fa2a603a012e67613583fa07419597d7de49ee920a189b17a098bf

      SHA512

      fddb81d065164e57ec28ba75382f3c607f514dec2603d3ef98ded0630b900b13187162bb5e85a3d227667e11b44ae02a9a6035bf833a91e5de8c76a587bc87ff

    • C:\Users\Admin\AppData\Roaming\DateVLog\DHender.exe
      MD5

      df7deff36cf58e8165b1a88b7a06e540

      SHA1

      372371478cac2cc7a83aa0edccfdb7c3e8ead2a5

      SHA256

      55a2bc076493db224b691d52a03f94686ec61bb22fbd865649068129e3d2cdd8

      SHA512

      6689996aacf0041840df21557c3d2c8d5c4415ce6d0b1dbced060ceafc7c8c67458c298d3b3d50dd93831bf47fe8452f08754a2d5501d5fd70f907e3cd0214c8

    • C:\Users\Admin\AppData\Roaming\Googlechromee.exe
      MD5

      0f9edaa5134778747af05306ca0620cc

      SHA1

      32872c1265e8b5e2fd1062bc33ab715decf1bafb

      SHA256

      ff86462f1b1ab86a5283785ac242e2bcf6fcf46a39e7d2a712eceba8c0c47627

      SHA512

      9e8a5d5aca21fa30b0d8982a16adfb9ecaa7d8f39ea6f3fa1a80271fa9344e1ee956bc9547c1feb8d0e5772f5225054c7f21fbdb48756ba33d0958d96ea0f6f4

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      MD5

      42a43d04e5054827acfd0a33f45940b2

      SHA1

      23933122828b4e235a50e7b1dcad8c661e3ab26a

      SHA256

      fe4cf0acd73ebd2a89cb98c44e638e293626de77c2aeae32ca93bb37eebbc679

      SHA512

      930b70d20c04133211e5a94eef73c4e8e9acc2cd3dfe917a81cb18709bb9fa2ae380e3d430401966434ef577c34ebe4b0ca35933c30d3b3b9b6a5fd1b54345f7

    • \??\PIPE\lsarpc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • \Users\Admin\AppData\Local\Temp\mckjeh.exe
      MD5

      df7deff36cf58e8165b1a88b7a06e540

      SHA1

      372371478cac2cc7a83aa0edccfdb7c3e8ead2a5

      SHA256

      55a2bc076493db224b691d52a03f94686ec61bb22fbd865649068129e3d2cdd8

      SHA512

      6689996aacf0041840df21557c3d2c8d5c4415ce6d0b1dbced060ceafc7c8c67458c298d3b3d50dd93831bf47fe8452f08754a2d5501d5fd70f907e3cd0214c8

    • \Users\Admin\AppData\Roaming\DateVLog\DHender.exe
      MD5

      df7deff36cf58e8165b1a88b7a06e540

      SHA1

      372371478cac2cc7a83aa0edccfdb7c3e8ead2a5

      SHA256

      55a2bc076493db224b691d52a03f94686ec61bb22fbd865649068129e3d2cdd8

      SHA512

      6689996aacf0041840df21557c3d2c8d5c4415ce6d0b1dbced060ceafc7c8c67458c298d3b3d50dd93831bf47fe8452f08754a2d5501d5fd70f907e3cd0214c8

    • \Users\Admin\AppData\Roaming\Googlechromee.exe
      MD5

      0f9edaa5134778747af05306ca0620cc

      SHA1

      32872c1265e8b5e2fd1062bc33ab715decf1bafb

      SHA256

      ff86462f1b1ab86a5283785ac242e2bcf6fcf46a39e7d2a712eceba8c0c47627

      SHA512

      9e8a5d5aca21fa30b0d8982a16adfb9ecaa7d8f39ea6f3fa1a80271fa9344e1ee956bc9547c1feb8d0e5772f5225054c7f21fbdb48756ba33d0958d96ea0f6f4

    • memory/396-41-0x0000000000000000-mapping.dmp
    • memory/588-25-0x0000000000000000-mapping.dmp
    • memory/588-26-0x0000000000000000-mapping.dmp
    • memory/752-6-0x0000000000000000-mapping.dmp
    • memory/1124-1-0x0000000000000000-0x0000000000000000-disk.dmp
    • memory/1200-55-0x0000000000000000-mapping.dmp
    • memory/1212-24-0x0000000000000000-mapping.dmp
    • memory/1448-2-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

    • memory/1448-4-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

    • memory/1448-5-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

    • memory/1448-3-0x000000000040C75E-mapping.dmp
    • memory/1500-9-0x0000000000000000-mapping.dmp
    • memory/1528-10-0x0000000000000000-mapping.dmp
    • memory/1572-43-0x0000000000000000-mapping.dmp
    • memory/1596-31-0x0000000000000000-mapping.dmp
    • memory/1656-7-0x0000000000000000-mapping.dmp
    • memory/1712-40-0x0000000000400000-0x0000000000454000-memory.dmp
      Filesize

      336KB

    • memory/1712-39-0x0000000000400000-0x0000000000454000-memory.dmp
      Filesize

      336KB

    • memory/1712-36-0x0000000000400000-0x0000000000454000-memory.dmp
      Filesize

      336KB

    • memory/1712-37-0x000000000044FF42-mapping.dmp
    • memory/1808-13-0x0000000000000000-mapping.dmp
    • memory/1808-14-0x0000000000000000-mapping.dmp
    • memory/1812-42-0x0000000000000000-mapping.dmp
    • memory/1948-22-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

    • memory/1948-19-0x000000000040C75E-mapping.dmp
    • memory/1948-21-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB