Overview

overview

10

Static

static

e7ff69f528...de.exe

windows7_x64

10

e7ff69f528...de.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-05-2022 06:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7ff69f5281f9dcf2343ef13a50112adf7880246e4aaa92d953f669160b92bde.exe

  • Size

    393KB

  • MD5

    3ad13a4fb7342fcc6d2239cb9856e7bd

  • SHA1

    6e5a1c02ddc737b013de69dc557e89587f5f0ac0

  • SHA256

    e7ff69f5281f9dcf2343ef13a50112adf7880246e4aaa92d953f669160b92bde

  • SHA512

    4f6384402629f487b7985f6ac9de446a2af60d27239bbdf9c95d8c2e185d5369003be6b1e3ae3beb9c0c71a0be86fb77689724ccabaa77ad132731bc614e6cd6

Score
10/10
asyncratsystemrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SYSTEM

C2

limer.ignorelist.com:1738

limer.ignorelist.com:17696
Mutex

NVIDIA_CONTAINER_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    NVIDIA Container.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7ff69f5281f9dcf2343ef13a50112adf7880246e4aaa92d953f669160b92bde.exe
    "C:\Users\Admin\AppData\Local\Temp\e7ff69f5281f9dcf2343ef13a50112adf7880246e4aaa92d953f669160b92bde.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Users\Admin\AppData\Local\Temp\e7ff69f5281f9dcf2343ef13a50112adf7880246e4aaa92d953f669160b92bde.exe
      "C:\Users\Admin\AppData\Local\Temp\e7ff69f5281f9dcf2343ef13a50112adf7880246e4aaa92d953f669160b92bde.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NVIDIA Container" /tr '"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1356
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "NVIDIA Container" /tr '"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:5060
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:116
        • C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
          "C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
          4⤵
          • Executes dropped EXE
          • Drops startup file
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1180
          • C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
            "C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NVIDIA Container.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e7ff69f5281f9dcf2343ef13a50112adf7880246e4aaa92d953f669160b92bde.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
    Filesize

    393KB

    MD5

    3ad13a4fb7342fcc6d2239cb9856e7bd

    SHA1

    6e5a1c02ddc737b013de69dc557e89587f5f0ac0

    SHA256

    e7ff69f5281f9dcf2343ef13a50112adf7880246e4aaa92d953f669160b92bde

    SHA512

    4f6384402629f487b7985f6ac9de446a2af60d27239bbdf9c95d8c2e185d5369003be6b1e3ae3beb9c0c71a0be86fb77689724ccabaa77ad132731bc614e6cd6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
    Filesize

    393KB

    MD5

    3ad13a4fb7342fcc6d2239cb9856e7bd

    SHA1

    6e5a1c02ddc737b013de69dc557e89587f5f0ac0

    SHA256

    e7ff69f5281f9dcf2343ef13a50112adf7880246e4aaa92d953f669160b92bde

    SHA512

    4f6384402629f487b7985f6ac9de446a2af60d27239bbdf9c95d8c2e185d5369003be6b1e3ae3beb9c0c71a0be86fb77689724ccabaa77ad132731bc614e6cd6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
    Filesize

    393KB

    MD5

    3ad13a4fb7342fcc6d2239cb9856e7bd

    SHA1

    6e5a1c02ddc737b013de69dc557e89587f5f0ac0

    SHA256

    e7ff69f5281f9dcf2343ef13a50112adf7880246e4aaa92d953f669160b92bde

    SHA512

    4f6384402629f487b7985f6ac9de446a2af60d27239bbdf9c95d8c2e185d5369003be6b1e3ae3beb9c0c71a0be86fb77689724ccabaa77ad132731bc614e6cd6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp.bat
    Filesize

    163B

    MD5

    5511b9f76cc3a8eb2b819b801948957c

    SHA1

    041ffd84e4f7efc81cf56d9556592e120a21df2f

    SHA256

    874badb87b66e718ec0fd658d6463d83d36936174c851f9bbb5cf778c2abe322

    SHA512

    27ba4dc8ea3fd51639fa6dffcb737608c5d923e2c673e706813daed5bca19b78dc78503fffacda294c691bc17f83dacd1358e13b3449caf941201506f016fb09

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/116-143-0x0000000000000000-mapping.dmp
    Download
  • memory/1180-144-0x0000000000000000-mapping.dmp
    Download
  • memory/1356-139-0x0000000000000000-mapping.dmp
    Download
  • memory/1888-140-0x0000000000000000-mapping.dmp
    Download
  • memory/2004-138-0x00000000051A0000-0x0000000005206000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2004-136-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize

    88KB

    Download
  • memory/2004-135-0x0000000000000000-mapping.dmp
    Download
  • memory/2608-130-0x0000000000C70000-0x0000000000CD8000-memory.dmp
    Filesize

    416KB

    Download
  • memory/2608-134-0x0000000006210000-0x00000000062AC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2608-133-0x0000000005AB0000-0x0000000005ABA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2608-132-0x00000000056B0000-0x0000000005742000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2608-131-0x0000000005BC0000-0x0000000006164000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2752-148-0x0000000000000000-mapping.dmp
    Download
  • memory/5060-141-0x0000000000000000-mapping.dmp
    Download