Analysis
-
max time kernel
122s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 19:38
General
-
Target
5E4BBF19A6E055CC6C2C98EF38288F3465C30E25542B7.exe
-
Size
486KB
-
MD5
32cc876191795965e3d5f80cfa90ab3d
-
SHA1
91eb8879cc44f8361454eb89756fc902e73c3cb1
-
SHA256
5e4bbf19a6e055cc6c2c98ef38288f3465c30e25542b735fbfca921fdb8b95f9
-
SHA512
e5f369587c4980bd7aa8590921743f8894777883fec485b2cb726c905d21cf9f4639a2498f2d57520c4eb771b032f4c6882b3679a1af1ce5fd0dacd6c42edb82
Malware Config
Extracted
asyncrat
v0.2
dhciaicjzis.xyz:1703
aisviua77s.xyz:1703
sakivivjasiv8cozo3.cn:1703
asidivuvuas8rnvns73.xyz:1703
dsijfiudsfiashvu7ds43.xyz:1703
afgj6j3umd5uk
-
anti_vm
false
-
bsod
false
-
delay
0
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 3 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5E4BBF19A6E055CC6C2C98EF38288F3465C30E25542B7.exe"C:\Users\Admin\AppData\Local\Temp\5E4BBF19A6E055CC6C2C98EF38288F3465C30E25542B7.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\filehistory.exec:\windows\system32\filehistory.exe2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\netsh.exe"netsh.exe" firewall add allowedprogram c:\windows\system32\filehistory.exe SystemUpdate ENABLE3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2476-115-0x0000015DD0070000-0x0000015DD00EE000-memory.dmpFilesize
504KB
-
memory/2772-116-0x0000000140000000-0x0000000140062000-memory.dmpFilesize
392KB
-
memory/2772-117-0x000001F7E6EA0000-0x000001F7E6EC2000-memory.dmpFilesize
136KB
-
memory/2772-118-0x000001F7E9160000-0x000001F7E9162000-memory.dmpFilesize
8KB
-
memory/2772-119-0x000001F7E9090000-0x000001F7E9106000-memory.dmpFilesize
472KB
-
memory/2772-120-0x000001F7E6E70000-0x000001F7E6E85000-memory.dmpFilesize
84KB
-
memory/2772-121-0x000001F7E8800000-0x000001F7E8821000-memory.dmpFilesize
132KB
-
memory/2772-122-0x000001F7E8830000-0x000001F7E885A000-memory.dmpFilesize
168KB
-
memory/2772-123-0x000001F7E8AD0000-0x000001F7E8B1A000-memory.dmpFilesize
296KB
-
memory/2772-124-0x000001F7E8860000-0x000001F7E8870000-memory.dmpFilesize
64KB
-
memory/2772-125-0x000001F7E9110000-0x000001F7E912E000-memory.dmpFilesize
120KB
-
memory/2772-126-0x000001F7EA350000-0x000001F7EA3BA000-memory.dmpFilesize
424KB
-
memory/2772-127-0x000001F7E8870000-0x000001F7E887A000-memory.dmpFilesize
40KB
-
memory/2772-128-0x000001F7EA3C0000-0x000001F7EA420000-memory.dmpFilesize
384KB
-
memory/2772-129-0x000001F7EA420000-0x000001F7EA4B0000-memory.dmpFilesize
576KB
-
memory/2772-130-0x000001F7EA5C0000-0x000001F7EB0DE000-memory.dmpFilesize
11.1MB
-
memory/2772-131-0x000001F7E88B0000-0x000001F7E88BA000-memory.dmpFilesize
40KB