Analysis
-
max time kernel
86s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-04-2021 20:11
Static task
static1
Behavioral task
behavioral1
Sample
1CEE64EFC81D4853D76E04A737F114C9.exe
Resource
win7v20201028
General
-
Target
1CEE64EFC81D4853D76E04A737F114C9.exe
-
Size
685KB
-
MD5
1cee64efc81d4853d76e04a737f114c9
-
SHA1
df7da998dd6a70631c6d8d1bd007f0820155d61c
-
SHA256
bb39c0c70183c13923ea4b4eedce081c40d7175e812de1e370ffcc3237fcbe75
-
SHA512
eec88ead0f188bb84fd7a22fc8a1d392dec18e5d6715574f50de76466e5877e64c186c0a68892fbb385d68d76468c3c905e8ef26f4f937a224144ff424dd8f5b
Malware Config
Extracted
asyncrat
0.5.7G | Custom Edition
179.43.140.208:7707
179.43.140.208:8808
179.43.140.208:6606
127.0.0.1:7707
127.0.0.1:8808
127.0.0.1:6606
AsyncRAT_Mutex_vdYIIf87BI
-
aes_key
Mrwz4gGTldVjtABCZMeijWElvNsBLIbU
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Trino
-
host
179.43.140.208,127.0.0.1
-
hwid
30
- install_file
-
install_folder
%AppData%
-
mutex
AsyncRAT_Mutex_vdYIIf87BI
-
pastebin_config
null
-
port
7707,8808,6606
-
version
0.5.7G | Custom Edition
Signatures
-
Async RAT payload 3 IoCs
resource yara_rule behavioral2/memory/60-4-0x0000000000400000-0x0000000000480000-memory.dmp asyncrat behavioral2/memory/60-6-0x00000000023C0000-0x000000000242A000-memory.dmp asyncrat behavioral2/memory/60-16-0x0000000006330000-0x0000000006337000-memory.dmp asyncrat -
Loads dropped DLL 1 IoCs
pid Process 540 1CEE64EFC81D4853D76E04A737F114C9.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 540 set thread context of 60 540 1CEE64EFC81D4853D76E04A737F114C9.exe 78 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 540 1CEE64EFC81D4853D76E04A737F114C9.exe 540 1CEE64EFC81D4853D76E04A737F114C9.exe 540 1CEE64EFC81D4853D76E04A737F114C9.exe 540 1CEE64EFC81D4853D76E04A737F114C9.exe 540 1CEE64EFC81D4853D76E04A737F114C9.exe 540 1CEE64EFC81D4853D76E04A737F114C9.exe 540 1CEE64EFC81D4853D76E04A737F114C9.exe 540 1CEE64EFC81D4853D76E04A737F114C9.exe 60 1CEE64EFC81D4853D76E04A737F114C9.exe 60 1CEE64EFC81D4853D76E04A737F114C9.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 540 1CEE64EFC81D4853D76E04A737F114C9.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 60 1CEE64EFC81D4853D76E04A737F114C9.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 540 wrote to memory of 60 540 1CEE64EFC81D4853D76E04A737F114C9.exe 78 PID 540 wrote to memory of 60 540 1CEE64EFC81D4853D76E04A737F114C9.exe 78 PID 540 wrote to memory of 60 540 1CEE64EFC81D4853D76E04A737F114C9.exe 78 PID 540 wrote to memory of 60 540 1CEE64EFC81D4853D76E04A737F114C9.exe 78 PID 60 wrote to memory of 2192 60 1CEE64EFC81D4853D76E04A737F114C9.exe 80 PID 60 wrote to memory of 2192 60 1CEE64EFC81D4853D76E04A737F114C9.exe 80 PID 60 wrote to memory of 2192 60 1CEE64EFC81D4853D76E04A737F114C9.exe 80 PID 2192 wrote to memory of 3784 2192 cmd.exe 82 PID 2192 wrote to memory of 3784 2192 cmd.exe 82 PID 2192 wrote to memory of 3784 2192 cmd.exe 82 PID 60 wrote to memory of 412 60 1CEE64EFC81D4853D76E04A737F114C9.exe 83 PID 60 wrote to memory of 412 60 1CEE64EFC81D4853D76E04A737F114C9.exe 83 PID 60 wrote to memory of 412 60 1CEE64EFC81D4853D76E04A737F114C9.exe 83 PID 412 wrote to memory of 688 412 cmd.exe 85 PID 412 wrote to memory of 688 412 cmd.exe 85 PID 412 wrote to memory of 688 412 cmd.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe"C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe"C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dywvrm.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dywvrm.exe"'4⤵PID:3784
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ubqejt.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ubqejt.exe"'4⤵PID:688
-
-
-