Analysis

  • max time kernel
    148s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15-09-2021 07:03

General

  • Target

    02179909185ee25814dd4ea226540021.exe

  • Size

    585KB

  • MD5

    02179909185ee25814dd4ea226540021

  • SHA1

    d54bd08e2c4b7aa3971eff0ee15ac064889c1f5b

  • SHA256

    aebf016b75a0461729b84255f307d279a60675a8769affdb69f9ad68ba9b86b3

  • SHA512

    6933dcc2d81d62d12756436df4f8bde39fe1ccb868b73a323153dbb360059cb82111d5ff134c43269879cf8dbb9b69a17732fccbfa927295e87a82831dea9105

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    0.5.7B

  • Botnet

    WIRE$$$$$$$$

  • C2

    severdops.ddns.net:6204

  • Mutex

    AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    true

  • install_file

    iconfx.exe

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02179909185ee25814dd4ea226540021.exe
    "C:\Users\Admin\AppData\Local\Temp\02179909185ee25814dd4ea226540021.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Users\Admin\AppData\Local\Temp\02179909185ee25814dd4ea226540021.exe
      "C:\Users\Admin\AppData\Local\Temp\02179909185ee25814dd4ea226540021.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:536
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1048
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA5B1.tmp.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1164
        • C:\Users\Admin\AppData\Roaming\iconfx.exe
          "C:\Users\Admin\AppData\Roaming\iconfx.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:340
          • C:\Users\Admin\AppData\Roaming\iconfx.exe
            "C:\Users\Admin\AppData\Roaming\iconfx.exe"
            5⤵
            • Executes dropped EXE
            PID:1252
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 652
            5⤵
            • Loads dropped DLL
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1956
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 640
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1596

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Discovery
    System Information Discovery (1) T1082


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA5B1.tmp.bat
    MD5

    dd7704c0c8e9db5773798b04f3b7f03b

    SHA1

    618e0ec5ace70ac4b2b964b6cfcd0dbb093b5239

    SHA256

    3813aad92cfc150874b5f02d950bac0c2c7793ceec7b3009501f52d29581d1b2

    SHA512

    159d37bfb2471671b3e1acd443d219f90a01b7c2ebd3926f2a60dffd26cfced8ee29da220704307d1d22158e4e174085938f96b2c76ae80672a489a265898220

  • C:\Users\Admin\AppData\Roaming\iconfx.exe
    MD5

    02179909185ee25814dd4ea226540021

    SHA1

    d54bd08e2c4b7aa3971eff0ee15ac064889c1f5b

    SHA256

    aebf016b75a0461729b84255f307d279a60675a8769affdb69f9ad68ba9b86b3

    SHA512

    6933dcc2d81d62d12756436df4f8bde39fe1ccb868b73a323153dbb360059cb82111d5ff134c43269879cf8dbb9b69a17732fccbfa927295e87a82831dea9105

  • \Users\Admin\AppData\Roaming\iconfx.exe
    MD5

    02179909185ee25814dd4ea226540021

    SHA1

    d54bd08e2c4b7aa3971eff0ee15ac064889c1f5b

    SHA256

    aebf016b75a0461729b84255f307d279a60675a8769affdb69f9ad68ba9b86b3

    SHA512

    6933dcc2d81d62d12756436df4f8bde39fe1ccb868b73a323153dbb360059cb82111d5ff134c43269879cf8dbb9b69a17732fccbfa927295e87a82831dea9105
