Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    09-07-2020 18:41

General

  • Target

    f635d6dbb86f7d946250514c9ccb7db0.exe

  • Size

    256KB

  • MD5

    f635d6dbb86f7d946250514c9ccb7db0

  • SHA1

    f11402b0dba9a9c81399c2f557b11deac2620c55

  • SHA256

    25babc8d9be2e6cc3cdd408fac70bea0d9c3f0c3480945d3bcb374c88b6f82c1

  • SHA512

    e02ba39e68acd88724acda61ac1feb501a0d070022c22863e7dd2fa2dc160a15d56e302a5ad1ad200d70091098d764c542cdf88d88d917d5f988ae36d80d9d9c

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

null:null

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    EfA8oEwdphb1PRVOxTe3AN4wESj6UjIj

  • anti_detection

    false

  • autorun

    true

  • bdos

    false

  • delay

    CORONA

  • host

    null

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    https://pastebin.com/raw/KVXdCZYr

  • port

    null

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Contains code to disable Windows Defender 4 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Modifies security service 2 TTPs 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • Async RAT payload 7 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 75 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f635d6dbb86f7d946250514c9ccb7db0.exe
    "C:\Users\Admin\AppData\Local\Temp\f635d6dbb86f7d946250514c9ccb7db0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:608
    • C:\Users\Admin\AppData\Local\Temp\f635d6dbb86f7d946250514c9ccb7db0.exe
      "C:\Users\Admin\AppData\Local\Temp\f635d6dbb86f7d946250514c9ccb7db0.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromegoogle" /tr '"C:\Users\Admin\AppData\Roaming\chromegoogle.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1040
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "chromegoogle" /tr '"C:\Users\Admin\AppData\Roaming\chromegoogle.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1760
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C6D.tmp.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1788
        • C:\Users\Admin\AppData\Roaming\chromegoogle.exe
          "C:\Users\Admin\AppData\Roaming\chromegoogle.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Users\Admin\AppData\Roaming\chromegoogle.exe
            "C:\Users\Admin\AppData\Roaming\chromegoogle.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1976
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kgdxez.exe"' & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1812
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kgdxez.exe"'
                7⤵
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1556
                • C:\Users\Admin\AppData\Local\Temp\kgdxez.exe
                  "C:\Users\Admin\AppData\Local\Temp\kgdxez.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:1056
                  • C:\Users\Admin\AppData\Local\Temp\kgdxez.exe
                    "C:\Users\Admin\AppData\Local\Temp\kgdxez.exe"
                    9⤵
                    • Modifies security service
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Windows security modification
                    • Adds Run key to start application
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:1772
                    • C:\Windows\SysWOW64\schtasks.exe
                      "schtasks" /create /tn "\Microsoft\Windows\NetTrace\PerfTrack\Files\OfficeTelemetry" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\kgdxez.exe" /f
                      10⤵
                      • Creates scheduled task(s)
                      PID:1128
                    • C:\Windows\SysWOW64\schtasks.exe
                      "schtasks" /delete /tn "OfficeTelemetry" /f
                      10⤵
                      PID:1880
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" Get-MpPreference -verbose
                        10⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1992
                      • C:\Users\Admin\AppData\Roaming\DateVLog\DHender.exe
                        "C:\Users\Admin\AppData\Roaming\DateVLog\DHender.exe"
                        10⤵
                        • Executes dropped EXE
                        PID:1504

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa

      MD5

      5e3c7184a75d42dda1a83606a45001d8

      SHA1

      94ca15637721d88f30eb4b6220b805c5be0360ed

      SHA256

      8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

      SHA512

      fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533

      MD5

      75a8da7754349b38d64c87c938545b1b

      SHA1

      5c28c257d51f1c1587e29164cc03ea880c21b417

      SHA256

      bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

      SHA512

      798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba

      MD5

      02ff38ac870de39782aeee04d7b48231

      SHA1

      0390d39fa216c9b0ecdb38238304e518fb2b5095

      SHA256

      fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

      SHA512

      24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8

      MD5

      b6d38f250ccc9003dd70efd3b778117f

      SHA1

      d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

      SHA256

      4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

      SHA512

      67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360

      MD5

      df44874327d79bd75e4264cb8dc01811

      SHA1

      1396b06debed65ea93c24998d244edebd3c0209d

      SHA256

      55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

      SHA512

      95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e

      MD5

      be4d72095faf84233ac17b94744f7084

      SHA1

      cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

      SHA256

      b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

      SHA512

      43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

      MD5

      699494f93e77c1b0f5fb0f7af452eace

      SHA1

      2134c72a9ca6796cc528560778b99a8032fc6ef9

      SHA256

      58b6e47553a9833cb7dbd86fb8bae0fe4a6270f7b77e2fc9c222353f255f07c2

      SHA512

      d74ed30bdb3e780e33e3b8c0c24a687c4fad805600ea0f7f08932c05d88119307dbf00b446fe18b4d3f25e193589793a8e22bf5bf205a478a14f696919e6a88e

    • C:\Users\Admin\AppData\Local\Temp\kgdxez.exe

      MD5

      92081dbfd27f636ae5d8482872b13c65

      SHA1

      f6cf286d57c0e0a380981ec680e5772c9203a968

      SHA256

      ccf1f995c7c1607b2561b3bdb9db41648822722914a5e58ea5c1cc35aba604a4

      SHA512

      e7657802c1ba20407e8f1f7a4a5dc7726f6bb864077f9638fbebd6c70b8f2c6e18b2c9968228ec8fbb103aa10acd62ca66da87ae4217a2a67cab4b09509506c9

    • C:\Users\Admin\AppData\Local\Temp\tmp9C6D.tmp.bat

      MD5

      e8a8f510c2f547825e6a8dba5f7dbf0b

      SHA1

      1cd9dc028a9c685627fb83805a5260ec189198f1

      SHA256

      e153b4d8bf5375656394c9f1af81598407ea9ef5872e32d6058419c0189f04ac

      SHA512

      0187995fdcc40afb0d06ea307147c80e86f51a3a8fcd5f36e9f2b593496c490527013ad15853320a3f2c74655ac8377766055d3c2fc85a5fc430aeecab1d4fc6

    • C:\Users\Admin\AppData\Roaming\DateVLog\DHender.exe

      MD5

      92081dbfd27f636ae5d8482872b13c65

      SHA1

      f6cf286d57c0e0a380981ec680e5772c9203a968

      SHA256

      ccf1f995c7c1607b2561b3bdb9db41648822722914a5e58ea5c1cc35aba604a4

      SHA512

      e7657802c1ba20407e8f1f7a4a5dc7726f6bb864077f9638fbebd6c70b8f2c6e18b2c9968228ec8fbb103aa10acd62ca66da87ae4217a2a67cab4b09509506c9

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      MD5

      647a1610b4e4db932702490cf74c42b4

      SHA1

      155ad4d0da61d6315a67b755a9fbbc46539cfa31

      SHA256

      a9d5aa6596720f81d00d05cfe058563ed9eb69115daa1185a7f553f5a8d27cf7

      SHA512

      c2cd652e73878cfc89c564f3e4a076d649d71f96cc0770ad6c17b635b3d5f861e2e6cf05233f20e577ce9e0e9fa1bfaef59f4170b2e2732b76a1acb8476775bf

    • C:\Users\Admin\AppData\Roaming\chromegoogle.exe

      MD5

      f635d6dbb86f7d946250514c9ccb7db0

      SHA1

      f11402b0dba9a9c81399c2f557b11deac2620c55

      SHA256

      25babc8d9be2e6cc3cdd408fac70bea0d9c3f0c3480945d3bcb374c88b6f82c1

      SHA512

      e02ba39e68acd88724acda61ac1feb501a0d070022c22863e7dd2fa2dc160a15d56e302a5ad1ad200d70091098d764c542cdf88d88d917d5f988ae36d80d9d9c

    • \Users\Admin\AppData\Local\Temp\kgdxez.exe

      MD5

      92081dbfd27f636ae5d8482872b13c65

      SHA1

      f6cf286d57c0e0a380981ec680e5772c9203a968

      SHA256

      ccf1f995c7c1607b2561b3bdb9db41648822722914a5e58ea5c1cc35aba604a4

      SHA512

      e7657802c1ba20407e8f1f7a4a5dc7726f6bb864077f9638fbebd6c70b8f2c6e18b2c9968228ec8fbb103aa10acd62ca66da87ae4217a2a67cab4b09509506c9

    • \Users\Admin\AppData\Local\Temp\kgdxez.exe

      MD5

      92081dbfd27f636ae5d8482872b13c65

      SHA1

      f6cf286d57c0e0a380981ec680e5772c9203a968

      SHA256

      ccf1f995c7c1607b2561b3bdb9db41648822722914a5e58ea5c1cc35aba604a4

      SHA512

      e7657802c1ba20407e8f1f7a4a5dc7726f6bb864077f9638fbebd6c70b8f2c6e18b2c9968228ec8fbb103aa10acd62ca66da87ae4217a2a67cab4b09509506c9

    • \Users\Admin\AppData\Roaming\DateVLog\DHender.exe

      MD5

      92081dbfd27f636ae5d8482872b13c65

      SHA1

      f6cf286d57c0e0a380981ec680e5772c9203a968

      SHA256

      ccf1f995c7c1607b2561b3bdb9db41648822722914a5e58ea5c1cc35aba604a4

      SHA512

      e7657802c1ba20407e8f1f7a4a5dc7726f6bb864077f9638fbebd6c70b8f2c6e18b2c9968228ec8fbb103aa10acd62ca66da87ae4217a2a67cab4b09509506c9

    • \Users\Admin\AppData\Roaming\chromegoogle.exe

      MD5

      f635d6dbb86f7d946250514c9ccb7db0

      SHA1

      f11402b0dba9a9c81399c2f557b11deac2620c55

      SHA256

      25babc8d9be2e6cc3cdd408fac70bea0d9c3f0c3480945d3bcb374c88b6f82c1

      SHA512

      e02ba39e68acd88724acda61ac1feb501a0d070022c22863e7dd2fa2dc160a15d56e302a5ad1ad200d70091098d764c542cdf88d88d917d5f988ae36d80d9d9c

    • memory/608-1-0x0000000000000000-0x0000000000000000-disk.dmp

    • memory/876-4-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/876-5-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/876-3-0x000000000040C78E-mapping.dmp

    • memory/876-2-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/1040-6-0x0000000000000000-mapping.dmp

    • memory/1056-30-0x0000000000000000-mapping.dmp

    • memory/1128-40-0x0000000000000000-mapping.dmp

    • memory/1504-54-0x0000000000000000-mapping.dmp

    • memory/1532-7-0x0000000000000000-mapping.dmp

    • memory/1556-24-0x0000000000000000-mapping.dmp

    • memory/1556-25-0x0000000000000000-mapping.dmp

    • memory/1760-9-0x0000000000000000-mapping.dmp

    • memory/1768-14-0x0000000000000000-mapping.dmp

    • memory/1768-13-0x0000000000000000-mapping.dmp

    • memory/1772-39-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

    • memory/1772-36-0x000000000044FF42-mapping.dmp

    • memory/1772-35-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

    • memory/1772-38-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

    • memory/1788-10-0x0000000000000000-mapping.dmp

    • memory/1812-23-0x0000000000000000-mapping.dmp

    • memory/1880-41-0x0000000000000000-mapping.dmp

    • memory/1976-19-0x000000000040C78E-mapping.dmp

    • memory/1976-22-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/1976-21-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/1992-42-0x0000000000000000-mapping.dmp