Analysis
- max time kernel: 61s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-01-2021 13:55
Static task: static1
Behavioral task: behavioral1
- Sample: dll-cleaned.exe
- Resource: win7v20201028
General
- Target: dll-cleaned.exe
- Size: 130KB
- MD5: 691502fd02493f30d58d7802e1f2db41
- SHA1: e23da718103e8653f3923e40c819ffa8b0896ce8
- SHA256: 0388cc1f9283d7588c11c2a29f3b8558f588811449f32ebff5e5ebf931ffeb82
- SHA512: 4c799b7538fbed61f2d2b59964ee50896619d24421c483805209ef5e53b2604d760cd49a80424c53c7d5c89dd630ab26a7ab509df1fe0699ab42353c966c71e7
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
C2: 23112020.ddns.net:1231
Mutex: AsyncMutex_6SI8OkPnk
- aes_key: tSTqwE1Vnue4SH2KuKjIVUBSuPclsXSq
- anti_detection: false
- autorun: true
- bdos: false
- delay: Default
- host: 23112020.ddns.net
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 1231
- version: 0.5.7B
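The aes_key above is the passphrase AsyncRAT derives its working keys from, not the AES key itself. The PowerShell below is an added example, not part of this report and not the sample's own code: it re-implements the settings decryption as published in the AsyncRAT-C# client source (fixed 32-byte salt, PBKDF2-HMAC-SHA1 with 50000 iterations, first 32 bytes as AES key and next 64 as HMAC key, blob laid out as HMAC-SHA256 tag, then IV, then AES-256-CBC/PKCS7 ciphertext). The sample's encrypted strings are not on this page, so the script encrypts a constructed value with the same layout and decrypts it with the extracted passphrase; the function names and the test string are the example's own, and the constants should be confirmed against your own sample before you rely on them.

```powershell
# Added example: AsyncRAT-style settings decryption (scheme per the public
# AsyncRAT-C# client source; constants are not taken from this sample).
# In the binary the passphrase is stored base64-encoded and decoded at start-up;
# the report already shows the decoded form.
$AsyncRatSalt = [byte[]](0xBF,0xEB,0x1E,0x56,0xFB,0xCD,0x97,0x3B,0xB2,0x19,0x02,0x24,0x30,0xA5,0x78,0x43,
                         0x00,0x3D,0x56,0x44,0xD2,0x1E,0x62,0xB9,0xD4,0xF1,0x80,0xE7,0xE6,0xC3,0x39,0x41)

function Get-AsyncRatKeys {
    param([Parameter(Mandatory)][string]$Passphrase)
    # Rfc2898DeriveBytes(string, byte[], int) = PBKDF2-HMAC-SHA1 over the UTF-8 passphrase
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Passphrase, $AsyncRatSalt, 50000)
    try { [pscustomobject]@{ AesKey = $kdf.GetBytes(32); AuthKey = $kdf.GetBytes(64) } }
    finally { $kdf.Dispose() }
}

function Test-BytesEqual([byte[]]$A, [byte[]]$B) {
    # Fixed-time compare of the stored tag against the recomputed one.
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return $diff -eq 0
}

function New-AsyncRatAes([byte[]]$Key, [byte[]]$IV) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256; $aes.BlockSize = 128
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    if ($IV) { $aes.IV = $IV } else { $aes.GenerateIV() }
    return $aes
}

function Unprotect-AsyncRatBlob {
    param([Parameter(Mandatory)][byte[]]$Blob, [Parameter(Mandatory)][string]$Passphrase)
    if ($Blob.Length -lt 48) { throw "blob too short to hold HMAC (32) + IV (16)" }
    $keys = Get-AsyncRatKeys -Passphrase $Passphrase

    # 1. Authenticate before decrypting: HMAC-SHA256 over IV || ciphertext.
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($keys.AuthKey)
    $expected = $hmac.ComputeHash($Blob, 32, $Blob.Length - 32)
    $hmac.Dispose()
    if (-not (Test-BytesEqual -A ([byte[]]($Blob[0..31])) -B $expected)) {
        throw "HMAC mismatch: wrong passphrase or tampered blob"
    }

    # 2. IV follows the tag, ciphertext follows the IV.
    $aes = New-AsyncRatAes -Key $keys.AesKey -IV ([byte[]]($Blob[32..47]))
    $dec = $aes.CreateDecryptor()
    $plain = $dec.TransformFinalBlock($Blob, 48, $Blob.Length - 48)
    $dec.Dispose(); $aes.Dispose()
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

function Protect-AsyncRatBlob {
    # Encrypt side, used only to build an offline test blob with the same layout.
    param([Parameter(Mandatory)][string]$Text, [Parameter(Mandatory)][string]$Passphrase)
    $keys = Get-AsyncRatKeys -Passphrase $Passphrase
    $aes = New-AsyncRatAes -Key $keys.AesKey -IV $null
    $enc = $aes.CreateEncryptor()
    $pt = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $ct = $enc.TransformFinalBlock($pt, 0, $pt.Length)
    $body = [byte[]]($aes.IV + $ct)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($keys.AuthKey)
    $tag = $hmac.ComputeHash($body)
    $hmac.Dispose(); $enc.Dispose(); $aes.Dispose()
    return [byte[]]($tag + $body)
}

# Constructed demo: passphrase from the extracted config, a made-up settings value
# of the kind AsyncRAT keeps encrypted (hosts, ports, mutex, ...).
$passphrase = 'tSTqwE1Vnue4SH2KuKjIVUBSuPclsXSq'
$blob = Protect-AsyncRatBlob -Text '23112020.ddns.net' -Passphrase $passphrase
Unprotect-AsyncRatBlob -Blob $blob -Passphrase $passphrase

# Flip one ciphertext byte: the tag check rejects it before AES runs.
$tampered = [byte[]]$blob.Clone(); $tampered[-1] = $tampered[-1] -bxor 1
try { Unprotect-AsyncRatBlob -Blob $tampered -Passphrase $passphrase } catch { "rejected: $_" }
```

To use this on a real sample, pull the base64 settings strings out of the assembly, decode them to bytes, and pass them as -Blob; a passphrase that fails the HMAC check on every string usually means a different build with a changed salt or iteration count rather than a wrong key.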
Signatures
- Async RAT payload (1 IoC)
  resource: behavioral2/memory/580-6-0x00000000017B0000-0x00000000017BC000-memory.dmp, yara_rule: asyncrat
- Executes dropped EXE (1 IoC)
  pid 2892 svchost.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Here the task is named "svchost" (mimicking the system binary), triggers at logon, runs with the highest run level, and launches C:\Users\Admin\AppData\Roaming\svchost.exe, which has the same hashes as the submitted sample (see Downloads).
- Delays execution with timeout.exe (1 IoC)
  pid 3916 timeout.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid 580 dll-cleaned.exe (15 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 580 dll-cleaned.exe
  Token: SeDebugPrivilege, pid 2892 svchost.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 580 dll-cleaned.exe wrote to memory of PID 2264 cmd.exe (3 events)
  PID 580 dll-cleaned.exe wrote to memory of PID 1508 cmd.exe (3 events)
  PID 2264 cmd.exe wrote to memory of PID 3108 schtasks.exe (3 events)
  PID 1508 cmd.exe wrote to memory of PID 3916 timeout.exe (3 events)
  PID 1508 cmd.exe wrote to memory of PID 2892 svchost.exe (3 events)
Processes
Image paths below read C:\Windows\SysWOW64\... while the command lines name System32: dll-cleaned.exe is a 32-bit process on 64-bit Windows, so WOW64 file system redirection resolves System32 to SysWOW64 for it and its children.
- C:\Users\Admin\AppData\Local\Temp\dll-cleaned.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dll-cleaned.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp46B3.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
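The tree above is the whole install chain: the sample registers a logon task named "svchost" with /rl highest that points at a copy of itself in %AppData%\Roaming, then runs a temporary batch file that waits three seconds (timeout 3) and starts that copy. The script below is an added host-triage example, not part of the sandbox report: it checks a Windows host for exactly the artefacts shown on this page (task name, drop path, SHA256, C2 host and port, temp batch pattern). The function name and output format are the example's own. It needs the ScheduledTasks, DnsClient and NetTCPIP modules (Windows 8 / Server 2012 and later) and should be run elevated.

```powershell
# Added example: hunt for the artefacts documented in this report on a live host.
# Indicators are taken from the report; the function itself is illustrative.
function Find-AsyncRatArtifacts {
    $ioc = @{
        TaskName = 'svchost'
        DropPath = Join-Path $env:APPDATA 'svchost.exe'   # %AppData% resolves to ...\AppData\Roaming
        Sha256   = '0388cc1f9283d7588c11c2a29f3b8558f588811449f32ebff5e5ebf931ffeb82'
        C2Host   = '23112020.ddns.net'
        C2Port   = 1231
    }
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Type, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
    }

    # 1. Scheduled tasks: the report's task mimics a system binary name and runs from
    #    %AppData% with RunLevel Highest; flag that task and any look-alike.
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in @($t.Actions)) {
            $exe = [Environment]::ExpandEnvironmentVariables([string]$a.Execute)
            if (-not $exe) { continue }
            $fromUserDir = $exe -match '\\AppData\\|\\Temp\\|\\ProgramData\\'
            $highest     = "$($t.Principal.RunLevel)" -eq 'Highest'
            if ($fromUserDir -and ($highest -or $t.TaskName -eq $ioc.TaskName)) {
                Add-Finding 'ScheduledTask' "$($t.TaskPath)$($t.TaskName) -> $exe (RunLevel=$($t.Principal.RunLevel))"
            }
        }
    }

    # 2. Dropped copy of the sample (same hashes as the submitted file in this report).
    if (Test-Path -LiteralPath $ioc.DropPath) {
        $hash = (Get-FileHash -LiteralPath $ioc.DropPath -Algorithm SHA256).Hash
        Add-Finding 'DroppedFile' "$($ioc.DropPath) sha256=$hash matches_report=$($hash -ieq $ioc.Sha256)"
    }

    # 3. C2 name in the resolver cache, or a live connection to the configured port.
    foreach ($e in Get-DnsClientCache -ErrorAction SilentlyContinue) {
        if ($e.Entry -like "*$($ioc.C2Host)*") { Add-Finding 'DnsCache' "$($e.Entry) -> $($e.Data)" }
    }
    foreach ($c in Get-NetTCPConnection -RemotePort $ioc.C2Port -ErrorAction SilentlyContinue) {
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'TcpConnection' "$($c.RemoteAddress):$($c.RemotePort) $($c.State) pid=$($c.OwningProcess) ($($p.ProcessName)) path=$($p.Path)"
    }

    # 4. Install batch files in %TEMP%: tmp46B3.tmp.bat in the report is one instance;
    #    the name is random per run, so match the pattern and review the contents.
    foreach ($f in Get-ChildItem -LiteralPath $env:TEMP -Filter 'tmp*.tmp.bat' -ErrorAction SilentlyContinue) {
        Add-Finding 'TempBatch' $f.FullName
    }
    return $findings
}

$hits = Find-AsyncRatArtifacts
if (@($hits).Count) { $hits | Format-Table -AutoSize -Wrap } else { 'no indicators from this report found' }

# Containment once confirmed: remove the task, stop the PID from the TcpConnection
# finding (never Stop-Process -Name svchost, that matches the legitimate service hosts),
# then delete the dropped file and any batch files found.
#   Unregister-ScheduledTask -TaskName 'svchost' -TaskPath '\' -Confirm:$false
#   Remove-Item -LiteralPath (Join-Path $env:APPDATA 'svchost.exe') -Force
```

The task check deliberately keys on the action path rather than the task name alone: the name is trivially changed by the operator, while "runs from a user-writable directory with the highest run level at logon" is the durable shape of this persistence.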
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp46B3.tmp.bat
  MD5: 4583c5c65cf6f055b28702b93ea76102
  SHA1: 27506cafaab9b58c33cdb2b56b8e8512d8dd23e4
  SHA256: 3736a70d4062e410cc529dfb7651095186b23c04a4701e8feac7bcf735fc8711
  SHA512: e71a67417a2ae3711d0f3ccdbd0f85642cf2ef7cc085d280cd923983de8f02eab6ff1e0330291b268319db8a0ba1095a8368b3d527520c5e4e955e18d1cf68c1
- C:\Users\Admin\AppData\Roaming\svchost.exe (hashes identical to the submitted sample: the dropped file is a straight copy of dll-cleaned.exe)
  MD5: 691502fd02493f30d58d7802e1f2db41
  SHA1: e23da718103e8653f3923e40c819ffa8b0896ce8
  SHA256: 0388cc1f9283d7588c11c2a29f3b8558f588811449f32ebff5e5ebf931ffeb82
  SHA512: 4c799b7538fbed61f2d2b59964ee50896619d24421c483805209ef5e53b2604d760cd49a80424c53c7d5c89dd630ab26a7ab509df1fe0699ab42353c966c71e7
- memory/580-6-0x00000000017B0000-0x00000000017BC000-memory.dmp: 48KB
- memory/580-2-0x0000000073E00000-0x00000000744EE000-memory.dmp: 6.9MB
- memory/580-5-0x00000000057D0000-0x00000000057D1000-memory.dmp: 4KB
- memory/580-3-0x0000000000F80000-0x0000000000F81000-memory.dmp: 4KB
- memory/1508-8-0x0000000000000000-mapping.dmp
- memory/2264-7-0x0000000000000000-mapping.dmp
- memory/2892-12-0x0000000000000000-mapping.dmp
- memory/2892-15-0x0000000073DF0000-0x00000000744DE000-memory.dmp: 6.9MB
- memory/2892-20-0x0000000006100000-0x0000000006101000-memory.dmp: 4KB
- memory/2892-21-0x0000000005C00000-0x0000000005C01000-memory.dmp: 4KB
- memory/3108-10-0x0000000000000000-mapping.dmp
- memory/3916-11-0x0000000000000000-mapping.dmp