Overview

overview

10

Static

static

Attachments.exe

windows7_x64

10

Attachments.exe

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    26-01-2022 21:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Attachments.exe

  • Size

    18KB

  • MD5

    634a457966e4aebe14c44c204a4fed86

  • SHA1

    f62dfe7c3a0db8ab50d4c858020a57503b479944

  • SHA256

    39f7b43c182fb69287831fd54fc6cc7733a22430f876416cb3a5a60c1da1faa1

  • SHA512

    c0da6e668e74877aab80e6acda09b683aed9145303aa6191cf52589de16d4961f9016f79acd39f932e60e06c700bbb9d5b3943f223c8316eb1a98cb6a4853ecb

Score
10/10
asyncratpersistencerat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 4 IoCs
    rat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Attachments.exe
    "C:\Users\Admin\AppData\Local\Temp\Attachments.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    32b1478ea2ffc457d558d4eaac07bf5a

    SHA1

    7e1756522eb8a10e27bf86970f9096a05aee732d

    SHA256

    c440f9175efa17bd3777b5b47eb658d8cdd0f31ca9cd78b7dacd1ec64d0a4998

    SHA512

    8a6a071741fd17a2146906babccc907a4909bc8f99cab0a833f8fa25d54ef0aca39f7cad9c2888e08006f0c2776c767273e5e656ef686a5a7f6f76442ddfab30

    Download Submit
  • memory/960-64-0x00000000046F0000-0x0000000004724000-memory.dmp
    Filesize

    208KB

    Download
  • memory/960-55-0x0000000075D11000-0x0000000075D13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/960-65-0x0000000004940000-0x000000000498C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/960-54-0x0000000000E90000-0x0000000000E9A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/960-62-0x0000000004880000-0x0000000004881000-memory.dmp
    Filesize

    4KB

    Download
  • memory/960-63-0x0000000004820000-0x0000000004862000-memory.dmp
    Filesize

    264KB

    Download
  • memory/1500-61-0x0000000001D82000-0x0000000001D84000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1500-60-0x0000000001D81000-0x0000000001D82000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1500-59-0x0000000001D80000-0x0000000001D81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-66-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1932-67-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1932-68-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1932-69-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1932-70-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1932-71-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1932-73-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-75-0x0000000000440000-0x000000000044A000-memory.dmp
    Filesize

    40KB

    Download