Analysis

  • max time kernel: 150s
  • max time network: 47s
  • platform: windows7_x64
  • resource: win7-20220331-en
  • submitted: 30/03/2022, 02:08 UTC

General

  • Target: 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe
  • Size: 218KB
  • MD5: b84e980a2ddc7fe338f990caeb01a132
  • SHA1: e84a77f956e9cc4d9bee3063ca7ad2d2bd0f859a
  • SHA256: 813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4
  • SHA512: 7d80551fff887bee3d6af0e3990bb916a0eb58ed1f6a5c1b2f3b8723429a0d06b8019078e9f3948a3d3ab7bef5accfc440958c896da6eb28ddf4b174a4570274

Score
10/10

Malware Config

Extracted

  • Family: asyncrat
  • Version: 0.5.6A
  • Botnet: 5
  • C2:
    mytestserver.myftp.org:6606
    mytestserver.myftp.org:7000
  • Mutex: tapildrwhajwng

Attributes

  • delay: 0
  • install: false
  • install_file: COMSurrogate.exe
  • install_folder: %AppData%

aes.plain (1)

  • cwcoRyn4cPzOf2LDpItUKaYX5EvmUSgi

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe
    "C:\Users\Admin\AppData\Local\Temp\813277c84fe11b699a6924cd692024d7efd86fff596841e950523ad10d529dc4.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\Windows Registry Updater\Windows Registry Updater.exe:Zone.Identifier
      2⤵
      PID:1476
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ren "%appdata%\Windows Registry Updater\Windows Registry Updater.exe.jpg" Windows Registry Updater.exe
      2⤵
      PID:1716
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:904

Network

  • DNS: mytestserver.myftp.org (process: tmp.exe)
    Remote address: 8.8.8.8:53
    Request: mytestserver.myftp.org IN A
    Response: No results found
  • 8.8.8.8:53 mytestserver.myftp.org dns tmp.exe 68 B 128 B 1 1
    DNS Request: mytestserver.myftp.org

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Filesize: 146KB
    MD5: b62d18051855ba3768ed2228a9daa267
    SHA1: 1d7b42775a0eac738f7bc94ec110de8ff7d081ba
    SHA256: 60dc56fe6f65414b3f1f6831a4ba86990328bcc4097155d85632a2a2ff25eb94
    SHA512: 00c427c21e5294875e62a1aaaf5dfb4fd55846ce070a3b87ae0fa0defa07256b6649536b4f80c32b4e8e495bb18e91741a9f1aad27b7fbd7f0856c1a0bcc1a52

  • \Users\Admin\AppData\Local\Temp\tmp.exe
    Filesize: 146KB
    MD5: b62d18051855ba3768ed2228a9daa267
    SHA1: 1d7b42775a0eac738f7bc94ec110de8ff7d081ba
    SHA256: 60dc56fe6f65414b3f1f6831a4ba86990328bcc4097155d85632a2a2ff25eb94
    SHA512: 00c427c21e5294875e62a1aaaf5dfb4fd55846ce070a3b87ae0fa0defa07256b6649536b4f80c32b4e8e495bb18e91741a9f1aad27b7fbd7f0856c1a0bcc1a52

  • memory/904-62-0x0000000000290000-0x00000000002BC000-memory.dmp
    Filesize: 176KB

  • memory/904-63-0x000000001A770000-0x000000001A772000-memory.dmp
    Filesize: 8KB

  • memory/1304-54-0x0000000000C90000-0x0000000000CC4000-memory.dmp
    Filesize: 208KB

  • memory/1304-55-0x0000000000270000-0x00000000002A0000-memory.dmp
    Filesize: 192KB
