Overview

overview

10

Static

static

cc1b697144...12.exe

windows7_x64

10

cc1b697144...12.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    18-02-2022 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc1b6971441d2ec84c14247d4f014912.exe

  • Size

    32KB

  • MD5

    cc1b6971441d2ec84c14247d4f014912

  • SHA1

    a786dcb3bffe527a6954d3c242138d34707e21d3

  • SHA256

    af1c3dd3dc0c3a7e1b4d829f79077e41e17ce8f95cbdcfef7cc7bc0e5b18c7d8

  • SHA512

    a91cf7ebd024a5431ee8e2202740809fb6dace5d4965be107b6f83bbed34f21bde21d45a79e08401791cd204db8d9c23b00d791f8bc5714a6e33022f8aada77b

Score
10/10
asyncrat1persistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

1

C2

212.193.30.54:8755

Mutex

gyQ12!.,=FD7trew

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 52 IoCs
  • Runs ping.exe 1 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc1b6971441d2ec84c14247d4f014912.exe
    "C:\Users\Admin\AppData\Local\Temp\cc1b6971441d2ec84c14247d4f014912.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping yahoo.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\PING.EXE
        ping yahoo.com
        3⤵
        • Runs ping.exe
        PID:2188
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping yahoo.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\SysWOW64\PING.EXE
        ping yahoo.com
        3⤵
        • Runs ping.exe
        PID:400
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping yahoo.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\SysWOW64\PING.EXE
        ping yahoo.com
        3⤵
        • Runs ping.exe
        PID:3052
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping yahoo.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\PING.EXE
        ping yahoo.com
        3⤵
        • Runs ping.exe
        PID:968
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping yahoo.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\SysWOW64\PING.EXE
        ping yahoo.com
        3⤵
        • Runs ping.exe
        PID:3100
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping yahoo.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\SysWOW64\PING.EXE
        ping yahoo.com
        3⤵
        • Runs ping.exe
        PID:3472
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping yahoo.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\SysWOW64\PING.EXE
        ping yahoo.com
        3⤵
        • Runs ping.exe
        PID:1796
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping yahoo.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\PING.EXE
        ping yahoo.com
        3⤵
        • Runs ping.exe
        PID:880
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping yahoo.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Windows\SysWOW64\PING.EXE
        ping yahoo.com
        3⤵
        • Runs ping.exe
        PID:576
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping yahoo.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3728
      • C:\Windows\SysWOW64\PING.EXE
        ping yahoo.com
        3⤵
        • Runs ping.exe
        PID:3384
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      2⤵
        PID:2900
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        2⤵
          PID:3576
      • C:\Windows\system32\MusNotifyIcon.exe
        %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
        1⤵
        • Checks processor information in registry
        PID:1992
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k NetworkService -p
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:832
      • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
        C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1660

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      3
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3092-130-0x000000007491E000-0x000000007491F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3092-131-0x0000000000CE0000-0x0000000000CEE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/3092-132-0x00000000017E0000-0x00000000017E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3092-133-0x000000000CE20000-0x000000000D3C4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3092-134-0x0000000005EA0000-0x0000000005F32000-memory.dmp
        Filesize

        584KB

        Download
      • memory/3576-135-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3576-136-0x000000007491E000-0x000000007491F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3576-137-0x0000000005670000-0x0000000005671000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3576-138-0x0000000005B60000-0x0000000005BFC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/3576-139-0x0000000005C70000-0x0000000005CD6000-memory.dmp
        Filesize

        408KB

        Download