Overview

overview

10

Static

static

4f689ad254...4e.exe

windows7_x64

10

4f689ad254...4e.exe

windows10_x64

10

Analysis

  • max time kernel
    78s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    22-01-2022 21:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f689ad2542e385c696d18df256e474e.exe

  • Size

    834KB

  • MD5

    4f689ad2542e385c696d18df256e474e

  • SHA1

    719a2ff49e7f8d5ac4a7b0f7dc2256f8ed45a541

  • SHA256

    e7e4f472ffb41d0c2678ceac5a5c236242d46a6c781cf8431b661a3493a05eae

  • SHA512

    ae60db8a63c035b2ff322f705b05ce358cac980b4bae750f4a29b8bdee52d89a7bf8c84024add4aa4c65ef0cc71e5b03081b69095599648b430bfb8f1299fb35

Score
10/10
asyncratdefaultevasionpersistencerattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

5.230.72.132:6606

5.230.72.132:7707

5.230.72.132:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Async RAT payload 1 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f689ad2542e385c696d18df256e474e.exe
    "C:\Users\Admin\AppData\Local\Temp\4f689ad2542e385c696d18df256e474e.exe"
    1⤵
    • Checks BIOS information in registry
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\BFEAAAFFBCDBFAFDEFADAACAAD\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1164
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\BFEAAAFFBCDBFAFDEFADAACAAD\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1936
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4f689ad2542e385c696d18df256e474e.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
      2⤵
        PID:3108
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
        2⤵
          PID:1220
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2236
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
          2⤵
            PID:3492

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Disabling Security Tools

        2
        T1089

        Modify Registry

        3
        T1112

        Virtualization/Sandbox Evasion

        2
        T1497

        Credential Access

        Discovery

        Query Registry

        4
        T1012

        Virtualization/Sandbox Evasion

        2
        T1497

        System Information Discovery

        3
        T1082

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          MD5

          1c19c16e21c97ed42d5beabc93391fc5

          SHA1

          8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

          SHA256

          1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

          SHA512

          7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          495e8785b187bad3f9bd60520514cef0

          SHA1

          36e0c4b35972e8e676e3b176a04a443a15e0477d

          SHA256

          0e7464c5304466dd15a2f27ebe5c33ff20448b2d57cac6d441d1ceafff3deb7d

          SHA512

          a2c3a1faaae17f2c358e7735dcfee96d24a9dea38305bd1f98b2c0f30ccce7864c7662a846894e2e09dfccfe0aead8d244bcbc2c5b09b13c9f2c2e7e2831029b

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          baf455ffbcf72d757735ff0f9fb6f587

          SHA1

          8440b30cbe5a9154392bdaa6f80a266a4c4f89a5

          SHA256

          d81f5b16e99e9b05e9c68cd0b0dc6032db6a8d6404bd2726af4b0f11e3e33a90

          SHA512

          709bddd122b438cec0074bc8037d41ca00f622b8d77cae02694097d322b38e03f0af39773f88633b9d0cafbe38b7df32807279e7d108aa5aa5fc1b49a6ea4dd9

          Download Submit
        • memory/1164-132-0x00000000011D0000-0x00000000011D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1164-186-0x0000000009260000-0x0000000009305000-memory.dmp
          Filesize

          660KB

          Download
        • memory/1164-184-0x000000007EC00000-0x000000007EC01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1164-172-0x0000000009130000-0x0000000009163000-memory.dmp
          Filesize

          204KB

          Download
        • memory/1164-217-0x00000000011D3000-0x00000000011D4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1164-142-0x0000000007C40000-0x0000000007C5C000-memory.dmp
          Filesize

          112KB

          Download
        • memory/1164-140-0x0000000007050000-0x00000000070B6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1164-135-0x00000000011D2000-0x00000000011D3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1936-141-0x00000000073C0000-0x0000000007710000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/1936-133-0x00000000012E0000-0x00000000012E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1936-134-0x00000000012E2000-0x00000000012E3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1936-209-0x00000000012E3000-0x00000000012E4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1936-188-0x000000007EDA0000-0x000000007EDA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1936-173-0x0000000008C10000-0x0000000008C2E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1936-765-0x0000000006960000-0x000000000697A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/2236-205-0x0000000009E60000-0x0000000009E61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2236-144-0x0000000000400000-0x0000000000414000-memory.dmp
          Filesize

          80KB

          Download
        • memory/2584-122-0x00000000051A0000-0x00000000051D6000-memory.dmp
          Filesize

          216KB

          Download
        • memory/2584-120-0x0000000005140000-0x000000000563E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/2584-119-0x0000000004FF0000-0x000000000500E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/2584-118-0x00000000051E0000-0x0000000005272000-memory.dmp
          Filesize

          584KB

          Download
        • memory/2584-138-0x0000000007450000-0x000000000745A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2584-117-0x0000000005640000-0x0000000005B3E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/2584-121-0x00000000052A0000-0x0000000005346000-memory.dmp
          Filesize

          664KB

          Download
        • memory/2584-116-0x00000000050C0000-0x0000000005136000-memory.dmp
          Filesize

          472KB

          Download
        • memory/2584-114-0x00000000006D0000-0x00000000007A6000-memory.dmp
          Filesize

          856KB

          Download
        • memory/2584-115-0x0000000005020000-0x00000000050BC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/2584-123-0x0000000006CE0000-0x0000000006D46000-memory.dmp
          Filesize

          408KB

          Download
        • memory/2684-130-0x00000000010A0000-0x00000000010D6000-memory.dmp
          Filesize

          216KB

          Download
        • memory/2684-190-0x0000000008F30000-0x0000000008FC4000-memory.dmp
          Filesize

          592KB

          Download
        • memory/2684-189-0x000000007F4B0000-0x000000007F4B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2684-213-0x0000000001243000-0x0000000001244000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2684-143-0x0000000007A80000-0x0000000007ACB000-memory.dmp
          Filesize

          300KB

          Download
        • memory/2684-139-0x0000000006CA0000-0x0000000006CC2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/2684-784-0x0000000007E70000-0x0000000007E78000-memory.dmp
          Filesize

          32KB

          Download
        • memory/2684-137-0x00000000070D0000-0x00000000076F8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/2684-136-0x0000000001242000-0x0000000001243000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2684-131-0x0000000001240000-0x0000000001241000-memory.dmp
          Filesize

          4KB

          Download