Overview

overview

10

Static

static

4f689ad254...4e.exe

windows7_x64

10

4f689ad254...4e.exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    22-01-2022 21:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f689ad2542e385c696d18df256e474e.exe

  • Size

    834KB

  • MD5

    4f689ad2542e385c696d18df256e474e

  • SHA1

    719a2ff49e7f8d5ac4a7b0f7dc2256f8ed45a541

  • SHA256

    e7e4f472ffb41d0c2678ceac5a5c236242d46a6c781cf8431b661a3493a05eae

  • SHA512

    ae60db8a63c035b2ff322f705b05ce358cac980b4bae750f4a29b8bdee52d89a7bf8c84024add4aa4c65ef0cc71e5b03081b69095599648b430bfb8f1299fb35

Score
10/10
asyncratdefaultevasionpersistencerattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

5.230.72.132:6606

5.230.72.132:7707

5.230.72.132:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Async RAT payload 4 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f689ad2542e385c696d18df256e474e.exe
    "C:\Users\Admin\AppData\Local\Temp\4f689ad2542e385c696d18df256e474e.exe"
    1⤵
    • Checks BIOS information in registry
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\BFEAAAFFBCDBFAFDEFADAACAAD\svchost.exe" -Force
      2⤵
        PID:1500
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\BFEAAAFFBCDBFAFDEFADAACAAD\svchost.exe" -Force
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1868
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4f689ad2542e385c696d18df256e474e.exe" -Force
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1800
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
        2⤵
          PID:1592
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:956

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Disabling Security Tools

      2
      T1089

      Modify Registry

      3
      T1112

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Discovery

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      2
      T1497

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/956-73-0x00000000008C0000-0x00000000008C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/956-60-0x0000000000400000-0x0000000000414000-memory.dmp
        Filesize

        80KB

        Download
      • memory/956-61-0x0000000000400000-0x0000000000414000-memory.dmp
        Filesize

        80KB

        Download
      • memory/956-62-0x0000000000400000-0x0000000000414000-memory.dmp
        Filesize

        80KB

        Download
      • memory/956-64-0x0000000000400000-0x0000000000414000-memory.dmp
        Filesize

        80KB

        Download
      • memory/956-63-0x0000000000400000-0x0000000000414000-memory.dmp
        Filesize

        80KB

        Download
      • memory/956-65-0x0000000000400000-0x0000000000414000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1068-54-0x0000000004840000-0x00000000048E6000-memory.dmp
        Filesize

        664KB

        Download
      • memory/1068-55-0x0000000000220000-0x0000000000256000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1068-56-0x0000000000C90000-0x0000000000C91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1068-53-0x0000000001360000-0x0000000001436000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1800-57-0x0000000075341000-0x0000000075343000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1800-67-0x0000000002530000-0x0000000002531000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1800-68-0x0000000002531000-0x0000000002532000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1800-70-0x0000000002532000-0x0000000002534000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1868-69-0x0000000002461000-0x0000000002462000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1868-71-0x0000000002462000-0x0000000002464000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1868-66-0x0000000002460000-0x0000000002461000-memory.dmp
        Filesize

        4KB

        Download