Analysis
- max time kernel: 66s
- max time network: 158s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 21-10-2021 05:56
Behavioral task: behavioral1
- Sample: aba9ea59aab84849cf371965c19ef46c.exe
- Resource: win7-en-20210920
General
- Target: aba9ea59aab84849cf371965c19ef46c.exe
- Size: 88KB
- MD5: aba9ea59aab84849cf371965c19ef46c
- SHA1: 366050aca450a5d1ea67ea5b6b1902a60c721c01
- SHA256: 99988371c15bd38fc947d898dc6eeb0d425c98f7bd471d040c24c8c667bd2b0b
- SHA512: f38d27e4a58492a59043cf8ee3df3eb317581f3fb98b59d6d1b32163acc83a403425a554e1974e60c857b3489cf1d49a0e6de8734a9a159fea4d6fe571302248
Malware Config
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload (1 IoC)
  Processes:
  resource: behavioral2/memory/2176-130-0x0000000009810000-0x000000000982B000-memory.dmp
  yara_rule: asyncrat
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid 2176 | process aba9ea59aab84849cf371965c19ef46c.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description Token: SeDebugPrivilege | pid 2176 | process aba9ea59aab84849cf371965c19ef46c.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 2176 wrote to memory of 1780 | 2176 | aba9ea59aab84849cf371965c19ef46c.exe | cmd.exe
  PID 2176 wrote to memory of 1780 | 2176 | aba9ea59aab84849cf371965c19ef46c.exe | cmd.exe
  PID 2176 wrote to memory of 1780 | 2176 | aba9ea59aab84849cf371965c19ef46c.exe | cmd.exe
  PID 1780 wrote to memory of 3976 | 1780 | cmd.exe | powershell.exe
  PID 1780 wrote to memory of 3976 | 1780 | cmd.exe | powershell.exe
  PID 1780 wrote to memory of 3976 | 1780 | cmd.exe | powershell.exe
Processes (process tree, one indentation level per child process)
- C:\Users\Admin\AppData\Local\Temp\aba9ea59aab84849cf371965c19ef46c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aba9ea59aab84849cf371965c19ef46c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dgngyc.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dgngyc.exe"'
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dump | filesize)
- memory/1780-131-0x0000000000000000-mapping.dmp | (none)
- memory/2176-124-0x00000000092E0000-0x00000000092E1000-memory.dmp | 4KB
- memory/2176-123-0x00000000091A0000-0x0000000009219000-memory.dmp | 484KB
- memory/2176-119-0x00000000057A0000-0x0000000005C9E000-memory.dmp | 5.0MB
- memory/2176-120-0x0000000008750000-0x0000000008751000-memory.dmp | 4KB
- memory/2176-125-0x0000000009370000-0x0000000009371000-memory.dmp | 4KB
- memory/2176-122-0x0000000009220000-0x0000000009221000-memory.dmp | 4KB
- memory/2176-118-0x0000000005860000-0x0000000005861000-memory.dmp | 4KB
- memory/2176-115-0x0000000000ED0000-0x0000000000ED1000-memory.dmp | 4KB
- memory/2176-121-0x00000000087F0000-0x00000000087F1000-memory.dmp | 4KB
- memory/2176-126-0x0000000009730000-0x0000000009734000-memory.dmp | 16KB
- memory/2176-127-0x0000000009740000-0x00000000097CD000-memory.dmp | 564KB
- memory/2176-128-0x0000000009960000-0x00000000099B9000-memory.dmp | 356KB
- memory/2176-129-0x00000000099C0000-0x00000000099C1000-memory.dmp | 4KB
- memory/2176-130-0x0000000009810000-0x000000000982B000-memory.dmp | 108KB
- memory/2176-117-0x0000000005CA0000-0x0000000005CA1000-memory.dmp | 4KB
- memory/3976-132-0x0000000000000000-mapping.dmp | (none)