Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    09-07-2020 18:41

General

  • Target
    f635d6dbb86f7d946250514c9ccb7db0.exe
  • Size
    256KB
  • MD5
    f635d6dbb86f7d946250514c9ccb7db0
  • SHA1
    f11402b0dba9a9c81399c2f557b11deac2620c55
  • SHA256
    25babc8d9be2e6cc3cdd408fac70bea0d9c3f0c3480945d3bcb374c88b6f82c1
  • SHA512
    e02ba39e68acd88724acda61ac1feb501a0d070022c22863e7dd2fa2dc160a15d56e302a5ad1ad200d70091098d764c542cdf88d88d917d5f988ae36d80d9d9c

Malware Config

Extracted

  • Family
    asyncrat
  • Version
    0.5.7B
  • C2
    null:null
  • Mutex
    AsyncMutex_6SI8OkPnk

Attributes
  • aes_key
    EfA8oEwdphb1PRVOxTe3AN4wESj6UjIj
  • anti_detection
    false
  • autorun
    true
  • bdos
    false
  • delay
    CORONA
  • host
    null
  • hwid
    3
  • install_file
  • install_folder
    %AppData%
  • mutex
    AsyncMutex_6SI8OkPnk
  • pastebin_config
    https://pastebin.com/raw/KVXdCZYr
  • port
    null
  • version
    0.5.7B
  • aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Modifies security service 2 TTPs 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • Async RAT payload 7 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 75 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f635d6dbb86f7d946250514c9ccb7db0.exe
    "C:\Users\Admin\AppData\Local\Temp\f635d6dbb86f7d946250514c9ccb7db0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:608
    • C:\Users\Admin\AppData\Local\Temp\f635d6dbb86f7d946250514c9ccb7db0.exe
      "C:\Users\Admin\AppData\Local\Temp\f635d6dbb86f7d946250514c9ccb7db0.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromegoogle" /tr '"C:\Users\Admin\AppData\Roaming\chromegoogle.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1040
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "chromegoogle" /tr '"C:\Users\Admin\AppData\Roaming\chromegoogle.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1760
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C6D.tmp.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1788
        • C:\Users\Admin\AppData\Roaming\chromegoogle.exe
          "C:\Users\Admin\AppData\Roaming\chromegoogle.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Users\Admin\AppData\Roaming\chromegoogle.exe
            "C:\Users\Admin\AppData\Roaming\chromegoogle.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1976
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kgdxez.exe"' & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1812
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kgdxez.exe"'
                7⤵
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1556
                • C:\Users\Admin\AppData\Local\Temp\kgdxez.exe
                  "C:\Users\Admin\AppData\Local\Temp\kgdxez.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:1056
                  • C:\Users\Admin\AppData\Local\Temp\kgdxez.exe
                    "C:\Users\Admin\AppData\Local\Temp\kgdxez.exe"
                    9⤵
                    • Modifies security service
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Windows security modification
                    • Adds Run key to start application
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:1772
                    • C:\Windows\SysWOW64\schtasks.exe
                      "schtasks" /create /tn "\Microsoft\Windows\NetTrace\PerfTrack\Files\OfficeTelemetry" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\kgdxez.exe" /f
                      10⤵
                      • Creates scheduled task(s)
                      PID:1128
                    • C:\Windows\SysWOW64\schtasks.exe
                      "schtasks" /delete /tn "OfficeTelemetry" /f
                      10⤵
                      PID:1880
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" Get-MpPreference -verbose
                      10⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1992
                    • C:\Users\Admin\AppData\Roaming\DateVLog\DHender.exe
                      "C:\Users\Admin\AppData\Roaming\DateVLog\DHender.exe"
                      10⤵
                      • Executes dropped EXE
                      PID:1504

Downloads

  • memory/876-4-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB
  • memory/876-5-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB
  • memory/876-2-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB
  • memory/1772-39-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize: 336KB
  • memory/1772-35-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize: 336KB
  • memory/1772-38-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize: 336KB
  • memory/1976-22-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB
  • memory/1976-21-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB