Overview

overview

10

Static

static

10

CHERRY.exe

windows7_x64

10

CHERRY.exe

windows10_x64

10

Analysis

  • max time kernel
    67s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    27-02-2021 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CHERRY.exe

  • Size

    48KB

  • MD5

    820bd630f443e32a6ead06212ff6e95e

  • SHA1

    9278a11d7bc5bc3b07d564a29f6d520bf10dc744

  • SHA256

    2c79e9095dabbab194fc34801c8e08cc1adc9576e71642d9e9b5f986964ad26d

  • SHA512

    cf2ff4dd6de9fbe4c159d72942d2b427c245d84dc60b268d0a8705c86922a7cb33ab53ba7aa4c0011f4b63c356b1dbfe194ef205392e9c9053bd7b1d6aea2f9a

Score
10/10
asyncratratspyware

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

jamesalex13-32442.portmap.host:32442

Mutex

AsyncMutex_2VI8tgPik

Attributes
  • aes_key

    LH6rs7V8nICHHwjuleXZSNJw5t2MZnAG

  • anti_detection

    true

  • autorun

    true

  • bdos

    true

  • delay

    Default

  • host

    jamesalex13-32442.portmap.host

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_2VI8tgPik

  • pastebin_config

    null

  • port

    32442

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 4 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CHERRY.exe
    "C:\Users\Admin\AppData\Local\Temp\CHERRY.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "HWMonitor" /tr '"C:\Users\Admin\AppData\Roaming\HWMonitor.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "HWMonitor" /tr '"C:\Users\Admin\AppData\Roaming\HWMonitor.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1392
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4D1C.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1268
      • C:\Users\Admin\AppData\Roaming\HWMonitor.exe
        "C:\Users\Admin\AppData\Roaming\HWMonitor.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2776

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4D1C.tmp.bat
    MD5

    54e2e38fd8bef992d03a7c90a4dc95cf

    SHA1

    914d2b07de3382090cd756c556c9dca9d4d97f48

    SHA256

    5ab6f1d132f5bbe835874966fb9805dcf1ce197c9a63ffa654c67d066a68aebf

    SHA512

    5e12abeb83f4edc690ae7d1fc4c1a2085edd9820a22f2bbfb7c1dae8c293365a51115d6379317d2eaf542aeb0631e7a68fdd7234b90efec0eed7bcd633c3a90c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\HWMonitor.exe
    MD5

    820bd630f443e32a6ead06212ff6e95e

    SHA1

    9278a11d7bc5bc3b07d564a29f6d520bf10dc744

    SHA256

    2c79e9095dabbab194fc34801c8e08cc1adc9576e71642d9e9b5f986964ad26d

    SHA512

    cf2ff4dd6de9fbe4c159d72942d2b427c245d84dc60b268d0a8705c86922a7cb33ab53ba7aa4c0011f4b63c356b1dbfe194ef205392e9c9053bd7b1d6aea2f9a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\HWMonitor.exe
    MD5

    820bd630f443e32a6ead06212ff6e95e

    SHA1

    9278a11d7bc5bc3b07d564a29f6d520bf10dc744

    SHA256

    2c79e9095dabbab194fc34801c8e08cc1adc9576e71642d9e9b5f986964ad26d

    SHA512

    cf2ff4dd6de9fbe4c159d72942d2b427c245d84dc60b268d0a8705c86922a7cb33ab53ba7aa4c0011f4b63c356b1dbfe194ef205392e9c9053bd7b1d6aea2f9a

    Download Submit
  • memory/1208-9-0x0000000000000000-mapping.dmp
    Download
  • memory/1268-12-0x0000000000000000-mapping.dmp
    Download
  • memory/1392-11-0x0000000000000000-mapping.dmp
    Download
  • memory/2776-19-0x0000000003040000-0x0000000003041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2776-29-0x0000000006E00000-0x0000000006E79000-memory.dmp
    Filesize

    484KB

    Download
  • memory/2776-34-0x0000000007930000-0x0000000007931000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2776-33-0x00000000078D0000-0x0000000007929000-memory.dmp
    Filesize

    356KB

    Download
  • memory/2776-13-0x0000000000000000-mapping.dmp
    Download
  • memory/2776-32-0x0000000007370000-0x00000000073FD000-memory.dmp
    Filesize

    564KB

    Download
  • memory/2776-31-0x0000000006EE0000-0x0000000006EE4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2776-16-0x0000000073B90000-0x000000007427E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2776-30-0x0000000008130000-0x0000000008131000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2776-22-0x00000000067C0000-0x00000000067C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2776-23-0x0000000006FC0000-0x0000000006FC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2776-24-0x0000000006F40000-0x0000000006F60000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2776-25-0x0000000006FA0000-0x0000000006FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2776-26-0x0000000007120000-0x0000000007121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2776-27-0x0000000007100000-0x000000000711B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2776-28-0x00000000077F0000-0x00000000077F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3928-2-0x0000000073C40000-0x000000007432E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3928-3-0x00000000000A0000-0x00000000000A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3928-5-0x0000000004980000-0x0000000004981000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3928-6-0x0000000004890000-0x0000000004891000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3928-7-0x0000000004E30000-0x0000000004E31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4072-8-0x0000000000000000-mapping.dmp
    Download