Overview

overview

10

Static

static

10

aba9ea59aa...6c.exe

windows7_x64

10

aba9ea59aa...6c.exe

windows10_x64

10

Analysis

  • max time kernel
    66s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    21-10-2021 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aba9ea59aab84849cf371965c19ef46c.exe

  • Size

    88KB

  • MD5

    aba9ea59aab84849cf371965c19ef46c

  • SHA1

    366050aca450a5d1ea67ea5b6b1902a60c721c01

  • SHA256

    99988371c15bd38fc947d898dc6eeb0d425c98f7bd471d040c24c8c667bd2b0b

  • SHA512

    f38d27e4a58492a59043cf8ee3df3eb317581f3fb98b59d6d1b32163acc83a403425a554e1974e60c857b3489cf1d49a0e6de8734a9a159fea4d6fe571302248

Score
10/10
asyncratratspywarestealersuricata

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • Async RAT payload 1 IoCs
    rat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aba9ea59aab84849cf371965c19ef46c.exe
    "C:\Users\Admin\AppData\Local\Temp\aba9ea59aab84849cf371965c19ef46c.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dgngyc.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dgngyc.exe"'
        3⤵
          PID:3976

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1780-131-0x0000000000000000-mapping.dmp
      Download
    • memory/2176-124-0x00000000092E0000-0x00000000092E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2176-123-0x00000000091A0000-0x0000000009219000-memory.dmp
      Filesize

      484KB

      Download
    • memory/2176-119-0x00000000057A0000-0x0000000005C9E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/2176-120-0x0000000008750000-0x0000000008751000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2176-125-0x0000000009370000-0x0000000009371000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2176-122-0x0000000009220000-0x0000000009221000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2176-118-0x0000000005860000-0x0000000005861000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2176-115-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2176-121-0x00000000087F0000-0x00000000087F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2176-126-0x0000000009730000-0x0000000009734000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2176-127-0x0000000009740000-0x00000000097CD000-memory.dmp
      Filesize

      564KB

      Download
    • memory/2176-128-0x0000000009960000-0x00000000099B9000-memory.dmp
      Filesize

      356KB

      Download
    • memory/2176-129-0x00000000099C0000-0x00000000099C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2176-130-0x0000000009810000-0x000000000982B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/2176-117-0x0000000005CA0000-0x0000000005CA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3976-132-0x0000000000000000-mapping.dmp
      Download