Analysis
- max time kernel: 137s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-07-2021 08:11
Static task: static1
Behavioral task: behavioral1
Sample: AC2A2C9E743A2F8E39BB36D37F45D829.exe
Resource: win7v20210410
General
- Target: AC2A2C9E743A2F8E39BB36D37F45D829.exe
- Size: 107KB
- MD5: ac2a2c9e743a2f8e39bb36d37f45d829
- SHA1: b021985e80954624f0273bef8396bb193107118c
- SHA256: 33e822406d5cea835a7a9bba3f0d82d9c4aef806c1dfeb8d332e5ee51e496780
- SHA512: 5d0870797a54948ef787f732dd9fffeb21c63a11ff4dd677526716fa44219bedcfccc4d78f50050fbf42c36123616e9730964a9c3f17f93d8452359b50a1d3bf
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- C2: vlhoangkimpk.net:6606, vlhoangkimpk.net:7707, vlhoangkimpk.net:8808
- Mutex: AsyncMutex_6SI8OkPnk
Attributes
- aes_key: 2nGMTIdBgqeoX9uhURxc6auPzZ95baS0
- anti_detection: false
- autorun: true
- bdos: false
- delay: Default
- host: vlhoangkimpk.net
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 6606,7707,8808
- version: 0.5.7B
Signatures
- suricata: ET MALWARE Blue Bot DDoS Blog Request
- suricata: ET MALWARE Blue Bot DDoS Logger Request
- suricata: ET MALWARE Blue Bot DDoS Proxy Request
- suricata: ET MALWARE Blue Bot DDoS Target Request
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Windows\SysWOW64\ism.exe | asyncrat
  C:\Windows\SysWOW64\ism.exe | asyncrat
  C:\Users\Admin\AppData\Roaming\ism.exe | asyncrat
  C:\Users\Admin\AppData\Roaming\ism.exe | asyncrat
- Executes dropped EXE (3 IoCs)
  Processes: sihost.exe, ism.exe, ism.exe
  pid | process
  3540 | sihost.exe
  1492 | ism.exe
  2012 | ism.exe
- Drops file in System32 directory (3 IoCs)
  Processes: AC2A2C9E743A2F8E39BB36D37F45D829.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\sihost.exe | AC2A2C9E743A2F8E39BB36D37F45D829.exe
  File created | C:\Windows\SysWOW64\ism.exe | AC2A2C9E743A2F8E39BB36D37F45D829.exe
  File created | C:\Windows\SysWOW64\svchost.exe | AC2A2C9E743A2F8E39BB36D37F45D829.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe
  pid | process
  2128 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes: ism.exe
  pid | process
  1492 | ism.exe (13 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: ism.exe, ism.exe
  description | pid | process
  Token: SeDebugPrivilege | 1492 | ism.exe
  Token: SeDebugPrivilege | 2012 | ism.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: AC2A2C9E743A2F8E39BB36D37F45D829.exe, ism.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 996 wrote to memory of 3540 | 996 | AC2A2C9E743A2F8E39BB36D37F45D829.exe | sihost.exe (2 entries)
  PID 996 wrote to memory of 1492 | 996 | AC2A2C9E743A2F8E39BB36D37F45D829.exe | ism.exe (3 entries)
  PID 996 wrote to memory of 640 | 996 | AC2A2C9E743A2F8E39BB36D37F45D829.exe | svchost.exe (3 entries)
  PID 1492 wrote to memory of 3176 | 1492 | ism.exe | cmd.exe (3 entries)
  PID 1492 wrote to memory of 1332 | 1492 | ism.exe | cmd.exe (3 entries)
  PID 1332 wrote to memory of 2128 | 1332 | cmd.exe | timeout.exe (3 entries)
  PID 3176 wrote to memory of 3716 | 3176 | cmd.exe | schtasks.exe (3 entries)
  PID 1332 wrote to memory of 2012 | 1332 | cmd.exe | ism.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\AC2A2C9E743A2F8E39BB36D37F45D829.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AC2A2C9E743A2F8E39BB36D37F45D829.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sihost.exe
    Command line: "C:\Windows\system32\sihost.exe"
    - Executes dropped EXE
  - C:\Windows\SysWOW64\ism.exe
    Command line: "C:\Windows\system32\ism.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ism" /tr '"C:\Users\Admin\AppData\Roaming\ism.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "ism" /tr '"C:\Users\Admin\AppData\Roaming\ism.exe"'
        - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9D6E.tmp.bat""
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        - Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\ism.exe
        Command line: "C:\Users\Admin\AppData\Roaming\ism.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\system32\svchost.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ism.exe.log
  MD5: 29ac3d31c772ba5e216f15cd6d85cd29
  SHA1: 45d682f8f9f8658e4b1c717782811f24b08be250
  SHA256: 82cb10a670e760c3159ae57f943dbd2b478727a9e82b307edd559e54ffad0f9d
  SHA512: 87403b70e4ba9a19f96eaef900cffe6769c3aa35d047cac26175f27ffbed8e625a8f8a12d191a6e63f75ef4b8b1bee2078f4659325a12d534d61427d58ceb8a3
- C:\Users\Admin\AppData\Local\Temp\tmp9D6E.tmp.bat
  MD5: 531e8826b27a163ed997052a775f8865
  SHA1: c1131f3019f4a888aa35897a19057cbc52c295a7
  SHA256: 9f69d93da2a6301ee780e76493248d398be1a948974e1573b8cb85185c86e660
  SHA512: ebb731b879aabca03b2b338e40d5e0022cdfa75a0a64bc36b4bd04225d6398a6c0579ad6a5d34daba3908734280859a3d067ce113d57f4f1f05d5c18c1b3143f
- C:\Users\Admin\AppData\Roaming\ism.exe
  MD5: f587d501970f32f655bdeaaa34278ac9
  SHA1: 093bba8e6b4135b7dfcbe4643ebf923ca408552b
  SHA256: 8586c4743921009c7e34986d69d8928518d6e24b5c169ca22be4533f8ece23fc
  SHA512: 2e90d12d3432e2f5e709e22c94f2ea33641525b3a72836da33a6aba332923f137ea8809aaf91d4dd2d87f5cf710bb0d60a8391c6c3797c5da59f67b587569175
- C:\Windows\SysWOW64\ism.exe
  MD5: f587d501970f32f655bdeaaa34278ac9
  SHA1: 093bba8e6b4135b7dfcbe4643ebf923ca408552b
  SHA256: 8586c4743921009c7e34986d69d8928518d6e24b5c169ca22be4533f8ece23fc
  SHA512: 2e90d12d3432e2f5e709e22c94f2ea33641525b3a72836da33a6aba332923f137ea8809aaf91d4dd2d87f5cf710bb0d60a8391c6c3797c5da59f67b587569175
- C:\Windows\SysWOW64\sihost.exe
  MD5: 5d591359f3e3d22d8cfabb85a83d7aa6
  SHA1: b1d2bdd5d4ce99cc7b80c4bb343e4abc3efd0c9a
  SHA256: 5bdeefa2d641c7caaaf87bd936d0327342e8f70408f18b73ae43a72542c71579
  SHA512: 21f4e4312f187dff38423216a9c8abaab0d5eb94d31c7a8397a75873e2512eed9cf96fc329955386f690f9d192d77d9b9cd87456468372eef1143b876c172a1e
- memory/640-119-0x0000000000000000-mapping.dmp
- memory/1332-128-0x0000000000000000-mapping.dmp
- memory/1492-117-0x0000000000000000-mapping.dmp
- memory/1492-126-0x00000000055D0000-0x00000000055D1000-memory.dmp
  Filesize: 4KB
- memory/1492-124-0x00000000053C0000-0x00000000053C1000-memory.dmp
  Filesize: 4KB
- memory/1492-121-0x00000000009F0000-0x00000000009F1000-memory.dmp
  Filesize: 4KB
- memory/2012-132-0x0000000000000000-mapping.dmp
- memory/2012-138-0x0000000005510000-0x0000000005511000-memory.dmp
  Filesize: 4KB
- memory/2012-140-0x0000000006210000-0x0000000006211000-memory.dmp
  Filesize: 4KB
- memory/2012-141-0x0000000005D90000-0x0000000005D91000-memory.dmp
  Filesize: 4KB
- memory/2128-130-0x0000000000000000-mapping.dmp
- memory/3176-127-0x0000000000000000-mapping.dmp
- memory/3540-114-0x0000000000000000-mapping.dmp
- memory/3540-125-0x0000000002A92000-0x0000000002A94000-memory.dmp
  Filesize: 8KB
- memory/3540-123-0x0000000002A90000-0x0000000002A92000-memory.dmp
  Filesize: 8KB
- memory/3716-131-0x0000000000000000-mapping.dmp