Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    26-09-2021 21:42

General

  • Target

    3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe

  • Size

    48KB

  • MD5

    852b69a95f1ae83d9142fced3450977b

  • SHA1

    a48b15998be1e979530994675da17566d1769769

  • SHA256

    3b599cc4dbedac85f9d2e5e4f1b96110f05835bbdfb0c01a84bdaaec79885a19

  • SHA512

    23b4602cbcd8abd3c78953e07301daaaaa5e7ff2ea1abba28cecfecd3e6522f0a31a97f7b537c98d2a3a00671b8c9b1d06d0b9e63f9e8359a9395081f1d2f8c9

Score
10/10

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
    "C:\Users\Admin\AppData\Local\Temp\3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Gruop" /tr '"C:\Users\Admin\AppData\Roaming\Gruop.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Gruop" /tr '"C:\Users\Admin\AppData\Roaming\Gruop.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1244
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC419.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:884
      • C:\Users\Admin\AppData\Roaming\Gruop.exe
        "C:\Users\Admin\AppData\Roaming\Gruop.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1660

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpC419.tmp.bat

    MD5

    94e73be66903345c3466defe6a4592c2

    SHA1

    530edb3f35608b7f0ea0254386e09ec9a4dfdbaf

    SHA256

    78ede8346480126568857dea2b0a87d5d9356b26fe5c431cd6c976ace2398cc1

    SHA512

    c17bb6c9eb830f416d9ec45611aa6f2e4b6b8744e98485f5e222f884f72048bd4ecfe5fed09d422a8e57e0b5c3317dfc8dfdce971ed0c7913cb0885cf3095d41

  • C:\Users\Admin\AppData\Roaming\Gruop.exe

    MD5

    852b69a95f1ae83d9142fced3450977b

    SHA1

    a48b15998be1e979530994675da17566d1769769

    SHA256

    3b599cc4dbedac85f9d2e5e4f1b96110f05835bbdfb0c01a84bdaaec79885a19

    SHA512

    23b4602cbcd8abd3c78953e07301daaaaa5e7ff2ea1abba28cecfecd3e6522f0a31a97f7b537c98d2a3a00671b8c9b1d06d0b9e63f9e8359a9395081f1d2f8c9

  • C:\Users\Admin\AppData\Roaming\Gruop.exe

    MD5

    852b69a95f1ae83d9142fced3450977b

    SHA1

    a48b15998be1e979530994675da17566d1769769

    SHA256

    3b599cc4dbedac85f9d2e5e4f1b96110f05835bbdfb0c01a84bdaaec79885a19

    SHA512

    23b4602cbcd8abd3c78953e07301daaaaa5e7ff2ea1abba28cecfecd3e6522f0a31a97f7b537c98d2a3a00671b8c9b1d06d0b9e63f9e8359a9395081f1d2f8c9

  • \Users\Admin\AppData\Roaming\Gruop.exe

    MD5

    852b69a95f1ae83d9142fced3450977b

    SHA1

    a48b15998be1e979530994675da17566d1769769

    SHA256

    3b599cc4dbedac85f9d2e5e4f1b96110f05835bbdfb0c01a84bdaaec79885a19

    SHA512

    23b4602cbcd8abd3c78953e07301daaaaa5e7ff2ea1abba28cecfecd3e6522f0a31a97f7b537c98d2a3a00671b8c9b1d06d0b9e63f9e8359a9395081f1d2f8c9

  • memory/884-61-0x0000000000000000-mapping.dmp

  • memory/1244-60-0x0000000000000000-mapping.dmp

  • memory/1464-57-0x0000000000000000-mapping.dmp

  • memory/1620-58-0x0000000000000000-mapping.dmp

  • memory/1660-64-0x0000000000000000-mapping.dmp

  • memory/1660-66-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

    Filesize

    4KB

  • memory/1660-69-0x0000000000910000-0x0000000000911000-memory.dmp

    Filesize

    4KB

  • memory/2004-53-0x0000000001220000-0x0000000001221000-memory.dmp

    Filesize

    4KB

  • memory/2004-56-0x00000000010B0000-0x00000000010B1000-memory.dmp

    Filesize

    4KB

  • memory/2004-55-0x0000000075C11000-0x0000000075C13000-memory.dmp

    Filesize

    8KB