Analysis
max time kernel: 52s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 03-01-2021 10:49

Static task: static1
Behavioral task: behavioral1
Sample: sample details.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
Target: sample details.exe
Size: 513KB
MD5: 1f438fdbc78b1b8e8944de8140a58729
SHA1: f3ddaeb5ad51025c3251b77ee006247cecca205e
SHA256: 12d3ad6a4467daebd29194d962f95aae46cdcd52263e08f243586a8fbb060c5f
SHA512: d1c588134765dba5c87eabab3de2d157647836ed2b419fe9e7883c7477671266c5a490e8e2e3ea2aeef25c0d030a4b57cbdb132c016ccd2bbfdc7064f46a0126
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
C2: null:null
Mutex: AsyncMutex_6SI8OkPnk

Attributes
- aes_key: b8dOcyzjp8n8ZZClllDq0eJu2HC4JkWF
- anti_detection: true
- autorun: false
- bdos: true
- delay: Default
- host: null
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: https://pastebin.com/raw/xBiaYesc
- port: null
- version: 0.5.7B
aes.plain
Signatures

- Async RAT payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1384-28-0x0000000000400000-0x000000000046C000-memory.dmp   asyncrat
  behavioral1/memory/1384-29-0x000000000040D0DE-mapping.dmp                     asyncrat
  behavioral1/memory/1384-30-0x0000000000400000-0x000000000046C000-memory.dmp   asyncrat
  behavioral1/memory/1384-31-0x0000000000400000-0x000000000046C000-memory.dmp   asyncrat

- Drops startup file (2 IoCs)
  Processes: Powershell.exe
  description                    ioc                                                                                    process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%Namee%   Powershell.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%Namee%   Powershell.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: sample details.exe
  description                          pid   process              target process
  PID 544 set thread context of 1384   544   sample details.exe   sample details.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Powershell.exe
  pid    process
  1480   Powershell.exe
  1480   Powershell.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Powershell.exe, sample details.exe
  description               pid    process
  Token: SeDebugPrivilege   1480   Powershell.exe
  Token: SeDebugPrivilege   1384   sample details.exe
  Token: SeDebugPrivilege   1384   sample details.exe

- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: sample details.exe
  description                       pid   process              target process
  PID 544 wrote to memory of 1480   544   sample details.exe   Powershell.exe       (4 identical entries)
  PID 544 wrote to memory of 1384   544   sample details.exe   sample details.exe   (9 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\sample details.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample details.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe (child of sample details.exe)
    Command line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\sample details.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%Namee%'
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\sample details.exe (child of sample details.exe)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sample details.exe"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file                                                              filesize
memory/544-27-0x00000000004E0000-0x00000000004EC000-memory.dmp     48KB
memory/544-3-0x00000000010D0000-0x00000000010D1000-memory.dmp      4KB
memory/544-2-0x00000000749D0000-0x00000000750BE000-memory.dmp      6.9MB
memory/1384-32-0x00000000749D0000-0x00000000750BE000-memory.dmp    6.9MB
memory/1384-31-0x0000000000400000-0x000000000046C000-memory.dmp    432KB
memory/1384-30-0x0000000000400000-0x000000000046C000-memory.dmp    432KB
memory/1384-29-0x000000000040D0DE-mapping.dmp
memory/1384-28-0x0000000000400000-0x000000000046C000-memory.dmp    432KB
memory/1480-7-0x0000000001D40000-0x0000000001D41000-memory.dmp     4KB
memory/1480-18-0x0000000005730000-0x0000000005731000-memory.dmp    4KB
memory/1480-19-0x0000000006120000-0x0000000006121000-memory.dmp    4KB
memory/1480-26-0x0000000006290000-0x0000000006291000-memory.dmp    4KB
memory/1480-13-0x00000000056A0000-0x00000000056A1000-memory.dmp    4KB
memory/1480-10-0x0000000004850000-0x0000000004851000-memory.dmp    4KB
memory/1480-9-0x00000000023E0000-0x00000000023E1000-memory.dmp     4KB
memory/1480-8-0x0000000004970000-0x0000000004971000-memory.dmp     4KB
memory/1480-6-0x00000000749D0000-0x00000000750BE000-memory.dmp     6.9MB
memory/1480-5-0x0000000000000000-mapping.dmp