Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
25-01-2022 15:19
General
-
Target
f8111a92842e5e377c21f38d3f355911.exe
-
Size
303KB
-
MD5
f8111a92842e5e377c21f38d3f355911
-
SHA1
6a5d2c528430b1ff8813fc01c522b5a4b6cf4494
-
SHA256
20126f0e6a271df71f9ab0838c03bb6554b106773f66fb9c28eb7bf4e685399d
-
SHA512
aed02a61ffc1567d12ac05a8d5b32c7c8635059dd2713e2b8cd5e0a434c46618ae9f7cc528e09c862e8d5228471e6a67533c19545d05683fd642cdb237d8ec15
Malware Config
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8111a92842e5e377c21f38d3f355911.exe"C:\Users\Admin\AppData\Local\Temp\f8111a92842e5e377c21f38d3f355911.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DmmczBXpJ.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DmmczBXpJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp902F.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\f8111a92842e5e377c21f38d3f355911.exe"C:\Users\Admin\AppData\Local\Temp\f8111a92842e5e377c21f38d3f355911.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp902F.tmpMD5
dc7a858aee39b45f0aaa75608bd189b2
SHA14e3877603b049c499dc7afa060362e463db358e3
SHA25665ad62f95487f17f5f69945907a7635781b8db31c20947532f3f4e727cd7a78f
SHA512c5fba4762227dc982f58dfe9a394523435b6f4bd7cbfcb315b945146761d9e2b8e89311b4854b4363b48536a7e350f6235be018a88b98cbca78aa3950c11665a
-
memory/676-64-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/676-61-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/676-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/676-63-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/676-65-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/676-66-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/676-69-0x0000000002060000-0x0000000002061000-memory.dmpFilesize
4KB
-
memory/948-56-0x0000000004D10000-0x0000000004D11000-memory.dmpFilesize
4KB
-
memory/948-57-0x00000000003E0000-0x00000000003F6000-memory.dmpFilesize
88KB
-
memory/948-58-0x00000000009C0000-0x00000000009F8000-memory.dmpFilesize
224KB
-
memory/948-55-0x0000000075B51000-0x0000000075B53000-memory.dmpFilesize
8KB
-
memory/948-54-0x0000000000BA0000-0x0000000000BF2000-memory.dmpFilesize
328KB
-
memory/1096-67-0x0000000002530000-0x000000000317A000-memory.dmpFilesize
12.3MB