Overview

overview

10

Static

static

Confirmati...34.exe

windows7_x64

10

Confirmati...34.exe

windows10_x64

10

Analysis

  • max time kernel
    88s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    15-11-2021 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Confirmation Transfer Note MT103-Ref No#01018842234595434.exe

  • Size

    316KB

  • MD5

    1b07fe1263ba5f1b86b09c9b27c1f4de

  • SHA1

    9d18786ec6506ff4f85e6c7a055828898fd59a27

  • SHA256

    daf842129f0a574f2f5cf1147d40ab8e4596b88b9ef228a4516cef5326f8f1ad

  • SHA512

    730875f1e6914ed2b2dbb585d75db63416c3acaaa02217ecbc4d73b2cd64b0865271492c1a04a483b1d521cd799949efa3a5e17c827b03a0c9ab58624d14e29f

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

fresh01.ddns.net:2245

fresh01.ddns.net:2256

fresh01.ddns.net:2257
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
    "C:\Users\Admin\AppData\Local\Temp\Confirmation Transfer Note MT103-Ref No#01018842234595434.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3780
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ohNwECOYU.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1712
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohNwECOYU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp14BC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1068
    • C:\Users\Admin\AppData\Local\Temp\Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
      "C:\Users\Admin\AppData\Local\Temp\Confirmation Transfer Note MT103-Ref No#01018842234595434.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp14BC.tmp
    MD5

    16bcfb2292b8abf9ebc3ff9cb1e83b98

    SHA1

    bd1f4aee6729bc4e9f38249932493053a5ab8c1c

    SHA256

    b2001a6a3c6c27d1b157618e1678f274bc19d4d71dcf3c81b7ffa988b72ea01a

    SHA512

    b12f8a70e9e0ea73b5e9c49023a8c494013f96cfdc2b3ec93f51f0307669eee23576aa2a1eacc2aeb06451f2e4c59cdf9de174f440d59460f400ee34b49309bf

    Download Submit
  • memory/1068-128-0x0000000000000000-mapping.dmp
    Download
  • memory/1712-145-0x00000000082D0000-0x00000000082D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-236-0x000000007F410000-0x000000007F411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-237-0x0000000004903000-0x0000000004904000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-138-0x0000000007230000-0x0000000007231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-167-0x00000000095A0000-0x00000000095A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-166-0x00000000093E0000-0x00000000093E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-139-0x0000000007960000-0x0000000007961000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-161-0x0000000009050000-0x0000000009051000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-129-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-130-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-154-0x00000000092B0000-0x00000000092E3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1712-132-0x00000000047C0000-0x00000000047C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-133-0x0000000007330000-0x0000000007331000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-147-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-146-0x00000000083A0000-0x00000000083A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-144-0x0000000007A60000-0x0000000007A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-127-0x0000000000000000-mapping.dmp
    Download
  • memory/1712-142-0x0000000004902000-0x0000000004903000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-141-0x00000000079D0000-0x00000000079D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-140-0x0000000004900000-0x0000000004901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-143-0x0000000007C20000-0x0000000007C21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-238-0x0000000004DF0000-0x0000000004DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-134-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1728-135-0x000000000040C74E-mapping.dmp
    Download
  • memory/3780-122-0x0000000004AA0000-0x0000000004F9E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3780-118-0x00000000001C0000-0x00000000001C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-120-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-121-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-126-0x00000000080C0000-0x00000000080E9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/3780-125-0x0000000007FF0000-0x0000000007FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-124-0x0000000004BB0000-0x0000000004BB7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/3780-123-0x00000000025F0000-0x00000000025F1000-memory.dmp
    Filesize

    4KB

    Download