Overview

overview

10

Static

static

RFQ 202122...10.exe

windows7_x64

10

RFQ 202122...10.exe

windows10_x64

10

Analysis

  • max time kernel
    123s
  • max time network
    159s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    23-10-2021 04:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ 20212210_091001-0010020010.exe

  • Size

    715KB

  • MD5

    b04e8b626ce57af3135058c7375409d2

  • SHA1

    494acdaf1d6dec1c52660a865f859a4178b06660

  • SHA256

    b3b271156a06d73e592fae8212649f18d252d2afc06383a02a6adea960e05064

  • SHA512

    ff70a3167c738dcf2040fb117ef5f753848d5e4f33cbc9b3e88f4812863c05207763ea032418ace37241e433fe8dadcfd8704c9e3865fd0e9717b2df7460bec6

Score
10/10
asyncratdefaultevasionratsuricatatrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

cigdem5.duckdns.org:6606

cigdem5.duckdns.org:7707

cigdem5.duckdns.org:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • Async RAT payload 1 IoCs
    rat
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ 20212210_091001-0010020010.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ 20212210_091001-0010020010.exe"
    1⤵
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2680
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 20212210_091001-0010020010.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Modify Registry

4
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2680-127-0x00000000061E0000-0x00000000061EB000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2680-117-0x0000000002D80000-0x0000000002D81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2680-118-0x00000000054F0000-0x00000000054F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2680-119-0x0000000002D90000-0x0000000002D93000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2680-123-0x0000000006100000-0x0000000006157000-memory.dmp
    Filesize

    348KB

    Download
  • memory/2680-124-0x0000000006660000-0x0000000006661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2680-125-0x0000000006260000-0x0000000006261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2680-115-0x0000000000B80000-0x0000000000B81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-132-0x0000000006EA0000-0x0000000006EA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-138-0x0000000007B30000-0x0000000007B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-128-0x0000000003120000-0x0000000003121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-130-0x0000000004A00000-0x0000000004A01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-131-0x00000000074E0000-0x00000000074E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-133-0x0000000006EA2000-0x0000000006EA3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-126-0x0000000000000000-mapping.dmp
    Download
  • memory/3932-134-0x0000000007470000-0x0000000007471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-135-0x0000000007B80000-0x0000000007B81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-136-0x0000000007CF0000-0x0000000007CF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-137-0x0000000007D70000-0x0000000007D71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-129-0x0000000003120000-0x0000000003121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-139-0x0000000008590000-0x0000000008591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-140-0x00000000085E0000-0x00000000085E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-142-0x0000000003120000-0x0000000003121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-149-0x00000000094B0000-0x00000000094E3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3932-156-0x00000000087B0000-0x00000000087B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-161-0x00000000095E0000-0x00000000095E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-162-0x000000007FA00000-0x000000007FA01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-163-0x0000000006EA3000-0x0000000006EA4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3932-164-0x00000000097F0000-0x00000000097F1000-memory.dmp
    Filesize

    4KB

    Download