Overview

overview

10

Static

static

IMG_212022...11.exe

windows7_x64

10

IMG_212022...11.exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    22-01-2022 07:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG_212022100120011.exe

  • Size

    69KB

  • MD5

    cecfdefc8f201d03066386a9a6b011f0

  • SHA1

    fd451496139859f387cfef71404d50d042297ca0

  • SHA256

    5b476b935cae4bf02299f7dee135b0bb091fd7716b2973d7172e04f4f2985d72

  • SHA512

    aed76f8f33573fc1b62fd9e194e797fbccb7209e526ef6dc980882c6b889db6b6742e88d8fad0e0e29bc4620b7ae857be02cab380439cb231748c1fbc3d2fd8b

Score
10/10
asyncratpersistencerat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 4 IoCs
    rat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IMG_212022100120011.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG_212022100120011.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping google.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Windows\SysWOW64\PING.EXE
        ping google.com
        3⤵
        • Runs ping.exe
        PID:996
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping facebook.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Windows\SysWOW64\PING.EXE
        ping facebook.com
        3⤵
        • Runs ping.exe
        PID:708
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping twitter.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\SysWOW64\PING.EXE
        ping twitter.com
        3⤵
        • Runs ping.exe
        PID:1048
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping google.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\SysWOW64\PING.EXE
        ping google.com
        3⤵
        • Runs ping.exe
        PID:1180
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping facebook.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\SysWOW64\PING.EXE
        ping facebook.com
        3⤵
        • Runs ping.exe
        PID:1012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping twitter.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\PING.EXE
        ping twitter.com
        3⤵
        • Runs ping.exe
        PID:284
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping google.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\PING.EXE
        ping google.com
        3⤵
        • Runs ping.exe
        PID:1956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping facebook.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Windows\SysWOW64\PING.EXE
        ping facebook.com
        3⤵
        • Runs ping.exe
        PID:1216
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping twitter.com
      2⤵
        PID:1596
        • C:\Windows\SysWOW64\PING.EXE
          ping twitter.com
          3⤵
          • Runs ping.exe
          PID:1132
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping google.com
        2⤵
          PID:668
          • C:\Windows\SysWOW64\PING.EXE
            ping google.com
            3⤵
            • Runs ping.exe
            PID:544
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping facebook.com
          2⤵
            PID:1668
            • C:\Windows\SysWOW64\PING.EXE
              ping facebook.com
              3⤵
              • Runs ping.exe
              PID:240
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C ping twitter.com
            2⤵
              PID:1220
              • C:\Windows\SysWOW64\PING.EXE
                ping twitter.com
                3⤵
                • Runs ping.exe
                PID:1180
            • C:\Users\Admin\AppData\Local\Temp\IMG_212022100120011.exe
              C:\Users\Admin\AppData\Local\Temp\IMG_212022100120011.exe
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:908

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Remote System Discovery

          1
          T1018

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            MD5

            82d5f2ada7bc39b802c8723a7436f458

            SHA1

            157136a2cde4f5d9e054971ab4008b1e4dcf66fc

            SHA256

            f2a8b34b37370879a13a6ce38275b88334c5f81d39fcefd1d97e8fa8dfc9bcb7

            SHA512

            073f675d452806d399f8618fc8bd20c2f3a7a02f31b73ad5cd39cd73491968954268e82028f4ad59dd75e9b6c4fb6a2cf24231fb7afed50ea4bd6ed6011658b6

            Download Submit
          • memory/908-63-0x0000000000400000-0x000000000041A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/908-65-0x0000000000400000-0x000000000041A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/908-69-0x00000000004D0000-0x00000000004DA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/908-67-0x0000000004B10000-0x0000000004B11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/908-64-0x0000000000400000-0x000000000041A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/908-60-0x0000000000400000-0x000000000041A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/908-61-0x0000000000400000-0x000000000041A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/908-62-0x0000000000400000-0x000000000041A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/1648-54-0x0000000000D40000-0x0000000000D56000-memory.dmp
            Filesize

            88KB

            Download
          • memory/1648-59-0x0000000004D80000-0x0000000004DCC000-memory.dmp
            Filesize

            304KB

            Download
          • memory/1648-56-0x0000000005640000-0x0000000005641000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1648-58-0x0000000000CF0000-0x0000000000D24000-memory.dmp
            Filesize

            208KB

            Download
          • memory/1648-55-0x0000000076451000-0x0000000076453000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1648-57-0x0000000000B40000-0x0000000000B8C000-memory.dmp
            Filesize

            304KB

            Download