General
Target: 3c39836dedf6779a0207819c72238fa5.exe
Filesize: 671KB
Completed: 22-02-2022 09:00
Task: behavioral2
Score: 10/10
MD5: 3c39836dedf6779a0207819c72238fa5
SHA1: 07433edf63057fff1e96ddbf5249aa2c50f69dbd
SHA256: 34694c57b7447b59d6bc6a2dba635fa320a4d4b1e550a36840fe1f2208b76d87
SHA512: f8a6810abf551f01aae3a8d7c2e6a3421aac3f0312301a5e12a28bfe9490ae064f5c8dd846113cf755a3d9b8f22b80f92b27ec6e4590b04a1629662f472a7086

Malware Config (extracted)
Family: asyncrat
Version: 0.5.7B
Botnet: 1
C2: 212.193.30.54:8755
Attributes:
  anti_vm: false
  bsod: false
  delay: 3
  install: false
  install_folder: %AppData%
  pastebin_config: null
  aes.plain
Signatures (8)
Tactics: Defense Evasion, Persistence

  • AsyncRat
    Description: AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload
    Reported IOCs (resource | yara_rule):
      behavioral2/memory/3864-140-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat

  • Adds Run key to start application
    Process: 3c39836dedf6779a0207819c72238fa5.exe
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
    Reported IOCs (description | ioc | process):
      Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dslfiip = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cltjej\\Dslfiip.exe\"" | 3c39836dedf6779a0207819c72238fa5.exe

  • Suspicious use of SetThreadContext
    Process: 3c39836dedf6779a0207819c72238fa5.exe
    Reported IOCs (description | pid | process | target process):
      PID 1220 set thread context of 3864 | 1220 | 3c39836dedf6779a0207819c72238fa5.exe | MSBuild.exe

  • Drops file in Windows directory
    Process: svchost.exe
    Reported IOCs (description | ioc | process):
      File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
      File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
      File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
      File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
      File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
      File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe

  • Suspicious behavior: EnumeratesProcesses
    Process: 3c39836dedf6779a0207819c72238fa5.exe
    Reported IOCs (pid | process):
      1220 | 3c39836dedf6779a0207819c72238fa5.exe
      1220 | 3c39836dedf6779a0207819c72238fa5.exe

  • Suspicious use of AdjustPrivilegeToken
    Processes: svchost.exe; 3c39836dedf6779a0207819c72238fa5.exe
    Reported IOCs (description | pid | process):
      Token: SeShutdownPrivilege | 4196 | svchost.exe
      Token: SeCreatePagefilePrivilege | 4196 | svchost.exe
      Token: SeShutdownPrivilege | 4196 | svchost.exe
      Token: SeCreatePagefilePrivilege | 4196 | svchost.exe
      Token: SeShutdownPrivilege | 4196 | svchost.exe
      Token: SeCreatePagefilePrivilege | 4196 | svchost.exe
      Token: SeDebugPrivilege | 1220 | 3c39836dedf6779a0207819c72238fa5.exe

  • Suspicious use of WriteProcessMemory
    Process: 3c39836dedf6779a0207819c72238fa5.exe
    Reported IOCs (description | pid | process | target process), 8 identical events:
      PID 1220 wrote to memory of 3864 | 1220 | 3c39836dedf6779a0207819c72238fa5.exe | MSBuild.exe
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\3c39836dedf6779a0207819c72238fa5.exe (PID 1220)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3c39836dedf6779a0207819c72238fa5.exe"
    Signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 3864, child of PID 1220)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  • C:\Windows\system32\svchost.exe (PID 4196)
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    Signatures: Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (tactic columns): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation