Analysis
-
max time kernel
118s -
max time network
148s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
10-02-2022 17:25
General
-
Target
Anfrage Schweiz.rtf
-
Size
3KB
-
MD5
4c7380ca7d98489df3ca858c2e39127f
-
SHA1
cfcf194ed9a7c4ef48201b062186bf6b7e793b2c
-
SHA256
2200158c41a2516e208d5b1c730dd422537334e9712d0c350810d11b26b6fc65
-
SHA512
0b093dbe35462e05b36a8cbb444024a48c8e562974de3b6e19a1da40a5fcb76f193e125464cd725d2a32c8050d1cc6cba38f42ba710ab907971381e2b65bcaa9
Malware Config
Extracted
asyncrat
0.5.7B
1
212.193.30.54:8754
gyQ12!.,=FDpsdf2_@
-
anti_vm
false
-
bsod
false
-
delay
3
-
install
false
-
install_folder
%AppData%
-
pastebin_config
null
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 4 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Delays execution with timeout.exe 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Anfrage Schweiz.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\typ.exe"C:\Users\Admin\AppData\Roaming\typ.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMgAzAA==3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout 234⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 235⤵
- Delays execution with timeout.exe
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\typ.exeMD5
5cdfcd6d591946dec15cec637f7826e6
SHA17959aeda9d64e19b9eeed15003c49a0c62eadf45
SHA256bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43
SHA512e8a3363aaaecc5902aa93b4754d24e03c86cabe4132f6aa0111c8b575fcfa5b0e1ff7127279f0808f83c01547e043efffe628207272d1d61aa8697c926ac194b
-
C:\Users\Admin\AppData\Roaming\typ.exeMD5
5cdfcd6d591946dec15cec637f7826e6
SHA17959aeda9d64e19b9eeed15003c49a0c62eadf45
SHA256bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43
SHA512e8a3363aaaecc5902aa93b4754d24e03c86cabe4132f6aa0111c8b575fcfa5b0e1ff7127279f0808f83c01547e043efffe628207272d1d61aa8697c926ac194b
-
\Users\Admin\AppData\Roaming\typ.exeMD5
5cdfcd6d591946dec15cec637f7826e6
SHA17959aeda9d64e19b9eeed15003c49a0c62eadf45
SHA256bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43
SHA512e8a3363aaaecc5902aa93b4754d24e03c86cabe4132f6aa0111c8b575fcfa5b0e1ff7127279f0808f83c01547e043efffe628207272d1d61aa8697c926ac194b
-
\Users\Admin\AppData\Roaming\typ.exeMD5
5cdfcd6d591946dec15cec637f7826e6
SHA17959aeda9d64e19b9eeed15003c49a0c62eadf45
SHA256bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43
SHA512e8a3363aaaecc5902aa93b4754d24e03c86cabe4132f6aa0111c8b575fcfa5b0e1ff7127279f0808f83c01547e043efffe628207272d1d61aa8697c926ac194b
-
\Users\Admin\AppData\Roaming\typ.exeMD5
5cdfcd6d591946dec15cec637f7826e6
SHA17959aeda9d64e19b9eeed15003c49a0c62eadf45
SHA256bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43
SHA512e8a3363aaaecc5902aa93b4754d24e03c86cabe4132f6aa0111c8b575fcfa5b0e1ff7127279f0808f83c01547e043efffe628207272d1d61aa8697c926ac194b
-
\Users\Admin\AppData\Roaming\typ.exeMD5
5cdfcd6d591946dec15cec637f7826e6
SHA17959aeda9d64e19b9eeed15003c49a0c62eadf45
SHA256bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43
SHA512e8a3363aaaecc5902aa93b4754d24e03c86cabe4132f6aa0111c8b575fcfa5b0e1ff7127279f0808f83c01547e043efffe628207272d1d61aa8697c926ac194b
-
memory/1132-74-0x0000000068BB2000-0x0000000068BB4000-memory.dmpFilesize
8KB
-
memory/1132-77-0x0000000004710000-0x0000000004753000-memory.dmpFilesize
268KB
-
memory/1132-75-0x0000000002611000-0x0000000002612000-memory.dmpFilesize
4KB
-
memory/1132-76-0x0000000002612000-0x0000000002614000-memory.dmpFilesize
8KB
-
memory/1132-72-0x0000000068BB1000-0x0000000068BB2000-memory.dmpFilesize
4KB
-
memory/1132-73-0x0000000002610000-0x0000000002611000-memory.dmpFilesize
4KB
-
memory/1568-78-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmpFilesize
8KB
-
memory/1636-60-0x0000000075801000-0x0000000075803000-memory.dmpFilesize
8KB
-
memory/1636-92-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1636-56-0x0000000072E71000-0x0000000072E74000-memory.dmpFilesize
12KB
-
memory/1636-55-0x000000002F711000-0x000000002F712000-memory.dmpFilesize
4KB
-
memory/1636-57-0x00000000708F1000-0x00000000708F3000-memory.dmpFilesize
8KB
-
memory/1636-58-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1636-59-0x00000000718DD000-0x00000000718E8000-memory.dmpFilesize
44KB
-
memory/1808-69-0x00000000013B0000-0x0000000001404000-memory.dmpFilesize
336KB
-
memory/1808-79-0x00000000012D0000-0x0000000001310000-memory.dmpFilesize
256KB
-
memory/1808-80-0x00000000009B0000-0x00000000009E0000-memory.dmpFilesize
192KB
-
memory/1808-81-0x0000000004810000-0x000000000485C000-memory.dmpFilesize
304KB
-
memory/1808-82-0x0000000004930000-0x0000000004931000-memory.dmpFilesize
4KB
-
memory/1808-68-0x000000006BA0E000-0x000000006BA0F000-memory.dmpFilesize
4KB
-
memory/1968-85-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1968-84-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1968-86-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1968-87-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1968-89-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1968-90-0x000000006AF2E000-0x000000006AF2F000-memory.dmpFilesize
4KB
-
memory/1968-91-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/1968-83-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB