Overview

overview

10

Static

static

641073a7b3...9d.exe

windows7_x64

10

641073a7b3...9d.exe

windows10_x64

10

Analysis

  • max time kernel
    126s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    30-04-2021 08:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    641073a7b38fa3b3e938af4810596eaf53a89e565919d.exe

  • Size

    813KB

  • MD5

    c4bb2285a9f20e982707e4c9ee4f7e35

  • SHA1

    0021818c5bbc147738f323a98e42131411471db8

  • SHA256

    641073a7b38fa3b3e938af4810596eaf53a89e565919dc505bf055f091d0b509

  • SHA512

    a1c4a206dc99e1ef40cbec21fd1acf43323e13be94483367156c8abeda7fa0ee0f9269c27271015c4bd9b465e99122cf6611d96a08891b0b9ff0dca1f212c9d7

Score
10/10
asyncratpersistencerat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Nirsoft 5 IoCs
  • Executes dropped EXE 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\641073a7b38fa3b3e938af4810596eaf53a89e565919d.exe
    "C:\Users\Admin\AppData\Local\Temp\641073a7b38fa3b3e938af4810596eaf53a89e565919d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4084
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2680
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3676
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3968
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1444
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zFeavpdoruh.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\aposffffsggfgffot.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3128
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    MD5

    b58b926c3574d28d5b7fdd2ca3ec30d5

    SHA1

    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

    SHA256

    6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

    SHA512

    b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    MD5

    b58b926c3574d28d5b7fdd2ca3ec30d5

    SHA1

    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

    SHA256

    6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

    SHA512

    b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\zFeavpdoruh.vbs
    MD5

    bb24789241b434a22f037cf3e4aa7cbc

    SHA1

    a4efe7dafbf116f128fe872fa597417aa6185f7c

    SHA256

    4207f06ee8dff21134d6982fc4a476c52c6081b889723ecb3166f402a8f085f1

    SHA512

    a67ab50873b571fdeee2fc8428ba303ef09f5ad25eafa2db815b33a12b273ca21e1cf7773ce8e15a9fde63ff31f481dae7adb60646eb3b6cb16eed2450db5251

    Download Submit
  • memory/1444-129-0x0000000000000000-mapping.dmp
    Download
  • memory/2220-149-0x0000000005690000-0x0000000005691000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2220-134-0x000000000042533E-mapping.dmp
    Download
  • memory/2220-133-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/2448-131-0x0000000000000000-mapping.dmp
    Download
  • memory/2680-122-0x0000000000000000-mapping.dmp
    Download
  • memory/3128-151-0x0000000004E70000-0x0000000004E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-142-0x0000000004D70000-0x0000000004D71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-198-0x0000000004E73000-0x0000000004E74000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-161-0x0000000009610000-0x0000000009643000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3128-152-0x0000000004E72000-0x0000000004E73000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-197-0x000000007EC80000-0x000000007EC81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-174-0x0000000009BA0000-0x0000000009BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-173-0x0000000009A50000-0x0000000009A51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-139-0x0000000000000000-mapping.dmp
    Download
  • memory/3128-153-0x00000000088A0000-0x00000000088A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-143-0x0000000007840000-0x0000000007841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-144-0x00000000077D0000-0x00000000077D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-145-0x0000000007EE0000-0x0000000007EE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-146-0x00000000081A0000-0x00000000081A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-147-0x0000000008290000-0x0000000008291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-148-0x0000000008010000-0x0000000008011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-150-0x00000000085E0000-0x00000000085E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3128-168-0x00000000095F0000-0x00000000095F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3676-125-0x0000000000000000-mapping.dmp
    Download
  • memory/3968-127-0x0000000000000000-mapping.dmp
    Download
  • memory/4084-116-0x0000000005950000-0x0000000005951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4084-121-0x0000000005930000-0x000000000594E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4084-120-0x0000000007DE0000-0x0000000007E6A000-memory.dmp
    Filesize

    552KB

    Download
  • memory/4084-117-0x00000000054F0000-0x00000000054F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4084-114-0x0000000000BA0000-0x0000000000BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4084-119-0x00000000054D0000-0x00000000054D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4084-118-0x0000000001460000-0x0000000001461000-memory.dmp
    Filesize

    4KB

    Download