Analysis

  • max time kernel: 150s
  • max time network: 155s
  • platform: windows7_x64
  • resource: win7-en-20211208
  • submitted: 24-02-2022 07:42

General

  • Target: Inquiry 24 FEB 2022.rtf
  • Size: 10KB
  • MD5: 657289d8ae04dadd13f446b97e7f23ae
  • SHA1: b75268f3acabd538a37c004830c6c5a9bd07af57
  • SHA256: f865adf4b5445985e0814ce70cc9b32701f1640de72f0facd385e1a5c549bae2
  • SHA512: 9cb856069fcda83e8dabf9ffddc15bc4f967791f7d01e4ba5ebc68da7cffc33af721714a50671d1ca7222018e2541efab40724df5f96969819a961642211dd68

Malware Config

Extracted

  • Family: asyncrat
  • Version: 0.5.7B
  • Botnet: 1
  • C2: 212.193.30.54:8755
  • Mutex: gyQ12!.,=FD7trew

Attributes

  • anti_vm: false
  • bsod: false
  • delay: 3
  • install: false
  • install_folder: %AppData%
  • pastebin_config: null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Delays execution with timeout.exe 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Inquiry 24 FEB 2022.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:1752
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Users\Admin\AppData\Roaming\tpk.exe
      "C:\Users\Admin\AppData\Roaming\tpk.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout 20
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:868
        • C:\Windows\SysWOW64\timeout.exe
          timeout 20
          4⤵
          • Delays execution with timeout.exe
          PID:2004
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        3⤵
        PID:1156

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Exploitation for Client Execution, T1203 (1)
  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion: Modify Registry, T1112 (2)
  • Discovery: System Information Discovery, T1082 (1)

Downloads

  • C:\Users\Admin\AppData\Roaming\tpk.exe
    MD5: 1dfb8f4b408ad8a763e4655e90c07093
    SHA1: be332a245adcd81707dd3de6b60653e2f68a0256
    SHA256: a7999bf95618f2e2c37c5d0e805f8ff4fa44d2254e0ee0175df630f386a0c979
    SHA512: a7af9a29cc5942ca67473f0f25f919bd22b6510b8f9738121dbac2f248dcfdbadc086097c120e00bba3df1fd08f7881d54fa3ec0a3775a0ab01219aa5991f9df


  • memory/1156-75-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
  • memory/1156-76-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
  • memory/1156-83-0x0000000000E20000-0x0000000000E21000-memory.dmp (4KB)
  • memory/1156-81-0x000000006B30E000-0x000000006B30F000-memory.dmp (4KB)
  • memory/1156-80-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
  • memory/1156-79-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
  • memory/1156-78-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
  • memory/1156-77-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
  • memory/1184-56-0x00000000726C1000-0x00000000726C4000-memory.dmp (12KB)
  • memory/1184-55-0x000000002F531000-0x000000002F532000-memory.dmp (4KB)
  • memory/1184-60-0x000000007112D000-0x0000000071138000-memory.dmp (44KB)
  • memory/1184-57-0x0000000070141000-0x0000000070143000-memory.dmp (8KB)
  • memory/1184-58-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/1184-59-0x0000000075831000-0x0000000075833000-memory.dmp (8KB)
  • memory/1312-72-0x00000000049A0000-0x0000000004A3E000-memory.dmp (632KB)
  • memory/1312-73-0x00000000055D0000-0x00000000055D1000-memory.dmp (4KB)
  • memory/1312-74-0x0000000004720000-0x000000000476C000-memory.dmp (304KB)
  • memory/1312-69-0x0000000000150000-0x00000000001FE000-memory.dmp (696KB)
  • memory/1312-68-0x000000006B30E000-0x000000006B30F000-memory.dmp (4KB)
  • memory/1752-71-0x000007FEFBD71000-0x000007FEFBD73000-memory.dmp (8KB)