Overview

overview

10

Static

static

1

1CEE64EFC8...C9.exe

windows7_x64

10

1CEE64EFC8...C9.exe

windows10_x64

10

Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-04-2021 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1CEE64EFC81D4853D76E04A737F114C9.exe

  • Size

    685KB

  • MD5

    1cee64efc81d4853d76e04a737f114c9

  • SHA1

    df7da998dd6a70631c6d8d1bd007f0820155d61c

  • SHA256

    bb39c0c70183c13923ea4b4eedce081c40d7175e812de1e370ffcc3237fcbe75

  • SHA512

    eec88ead0f188bb84fd7a22fc8a1d392dec18e5d6715574f50de76466e5877e64c186c0a68892fbb385d68d76468c3c905e8ef26f4f937a224144ff424dd8f5b

Score
10/10
asyncratplaguebotbotnetpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7G | Custom Edition

C2

179.43.140.208:7707

179.43.140.208:8808

179.43.140.208:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:6606
Mutex

AsyncRAT_Mutex_vdYIIf87BI

Attributes
  • aes_key

    Mrwz4gGTldVjtABCZMeijWElvNsBLIbU

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Trino

  • host

    179.43.140.208,127.0.0.1

  • hwid

    30

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncRAT_Mutex_vdYIIf87BI

  • pastebin_config

    null

  • port

    7707,8808,6606

  • version

    0.5.7G | Custom Edition

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • PlagueBot

    PlagueBot is an open source Bot written in Pascal.

    botnetplaguebot
  • Async RAT payload 3 IoCs
    rat
  • PlagueBot Executable 9 IoCs
  • Executes dropped EXE 6 IoCs
  • Drops startup file 3 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 16 IoCs
    installer
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe
    "C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe
      "C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\arvfcq.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\arvfcq.exe"'
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Users\Admin\AppData\Local\Temp\arvfcq.exe
            "C:\Users\Admin\AppData\Local\Temp\arvfcq.exe"
            5⤵
            • Executes dropped EXE
            • Drops startup file
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1360
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"
              6⤵
              • Creates scheduled task(s)
              PID:1596
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Query /FO "LIST" /TN "WinManager"
              6⤵
                PID:752
              • C:\Users\Admin\Saved Games\Plague\winmgr.exe
                "C:\Users\Admin\Saved Games\Plague\winmgr.exe" /wait
                6⤵
                • Executes dropped EXE
                • Drops startup file
                • Suspicious use of WriteProcessMemory
                PID:944
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /Delete /F /TN "WinManager"
                  7⤵
                    PID:920
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /C timeout 5 & del /F /Q "C:\Users\Admin\Saved Games\Plague\*.*" & rmdir "C:\Users\Admin\Saved Games\Plague"
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1648
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout 5
                      8⤵
                      • Delays execution with timeout.exe
                      PID:988
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\axirid.exe"' & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1576
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\axirid.exe"'
              4⤵
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2012
              • C:\Users\Admin\AppData\Local\Temp\axirid.exe
                "C:\Users\Admin\AppData\Local\Temp\axirid.exe"
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:1836
                • C:\Users\Admin\AppData\Local\Temp\axirid.exe
                  "C:\Users\Admin\AppData\Local\Temp\axirid.exe"
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1796
                  • C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe
                    "C:\Users\Admin\AppData\Roaming\WinCFG\Libs\sihost64.exe"
                    7⤵
                    • Executes dropped EXE
                    PID:824
                  • C:\Users\Admin\AppData\Roaming\ServicesTeamWD.exe
                    "C:\Users\Admin\AppData\Roaming\ServicesTeamWD.exe"
                    7⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1044

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/824-115-0x000000001AA80000-0x000000001AA82000-memory.dmp

        Filesize

        8KB

        Download

      • memory/824-104-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/824-113-0x00000000010A0000-0x00000000010A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-22-0x0000000004710000-0x0000000004711000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-40-0x0000000006200000-0x0000000006201000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-24-0x0000000005240000-0x0000000005241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-23-0x0000000004712000-0x0000000004713000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-32-0x00000000056B0000-0x00000000056B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-21-0x0000000005050000-0x0000000005051000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-20-0x00000000047A0000-0x00000000047A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-19-0x00000000024A0000-0x00000000024A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-18-0x0000000073AF0000-0x00000000741DE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1660-33-0x0000000005710000-0x0000000005711000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-27-0x0000000005660000-0x0000000005661000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1660-49-0x000000007EF30000-0x000000007EF31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1696-13-0x00000000045D4000-0x00000000045D5000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1696-12-0x00000000045D3000-0x00000000045D4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1696-10-0x00000000045D1000-0x00000000045D2000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1696-11-0x00000000045D2000-0x00000000045D3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1696-8-0x00000000044D0000-0x000000000453A000-memory.dmp

        Filesize

        424KB

        Download

      • memory/1696-6-0x0000000073AF0000-0x00000000741DE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1696-7-0x0000000000400000-0x0000000000480000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1696-14-0x0000000005100000-0x0000000005107000-memory.dmp

        Filesize

        28KB

        Download

      • memory/1796-94-0x0000000004A70000-0x0000000004C63000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/1796-98-0x0000000004833000-0x0000000004834000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1796-97-0x0000000004832000-0x0000000004833000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1796-96-0x0000000004831000-0x0000000004832000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1796-99-0x0000000004834000-0x0000000004835000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1796-93-0x0000000073AF0000-0x00000000741DE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1796-92-0x0000000000400000-0x0000000000609000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1836-87-0x00000000003D0000-0x00000000003D3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/2008-2-0x0000000075EA1000-0x0000000075EA3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2012-80-0x0000000005750000-0x0000000005751000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2012-72-0x0000000005300000-0x0000000005301000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2012-71-0x0000000005220000-0x0000000005221000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2012-70-0x0000000004832000-0x0000000004833000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2012-69-0x0000000004830000-0x0000000004831000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2012-68-0x0000000004870000-0x0000000004871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2012-67-0x0000000002400000-0x0000000002401000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2012-66-0x0000000073AF0000-0x00000000741DE000-memory.dmp

        Filesize

        6.9MB

        Download