Analysis

  • max time kernel
    41s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19-05-2022 02:05

General

  • Target

    mshta.exe

  • Size

    304KB

  • MD5

    b28ddf547716c0cdee99d4e5f261704d

  • SHA1

    cef47d43a0809616fbdb980b7864b4cef8ed2943

  • SHA256

    89aacd427f262a4a5b09af5c8abdeabc7f39a1d618a01a5a79074ebb62bb065e

  • SHA512

    c78e8c4b9d871e3df72f7ecdad2a179225df6887adc9db63746bbbc6fd7ae1d3cfdd5dcbde039790bbc84193a9f5eb8516df716d614a88181b8253c5c188c24b

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

mshta

Mutex

mshta

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/tefSYKAL

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mshta.exe
    "C:\Users\Admin\AppData\Local\Temp\mshta.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe
      "C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:788
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Mshta\Mshta.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Mshta\Mshta.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:968
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\mshta.exe" "C:\Users\Admin\AppData\Roaming\Mshta\Mshta.exe"
      2⤵
        PID:1640
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {99E8C538-B806-4591-8FC7-D0166B2E68C7} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
      1⤵
        PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scheduled Task (1), T1053
  • Persistence: Scheduled Task (1), T1053
  • Privilege Escalation: Scheduled Task (1), T1053
  • Discovery: System Information Discovery (1), T1082
  • Command and Control: Web Service (1), T1102

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ElWebsite.exe

    Filesize
    47KB

    MD5
    39fd56f4e5a67ccf23e627f371ca9a9f

    SHA1
    eb41ac2c14d71d48c3d64d3f2da62667cd97b799

    SHA256
    15f62fd2ee2855349d213e5832cd50cf8e8a3f6d860630575fe7d8b18e8c66cc

    SHA512
    6976a095b48b2834a06101a577d8288805bf0445a73c10dc04174c870ff00cb0ba0df5ebc20fb817b5ea77ee7b100aa9941df321411c31726321bcb520033065

  • \Users\Admin\AppData\Local\Temp\ElWebsite.exe

    Filesize
    47KB

    MD5
    39fd56f4e5a67ccf23e627f371ca9a9f

    SHA1
    eb41ac2c14d71d48c3d64d3f2da62667cd97b799

    SHA256
    15f62fd2ee2855349d213e5832cd50cf8e8a3f6d860630575fe7d8b18e8c66cc

    SHA512
    6976a095b48b2834a06101a577d8288805bf0445a73c10dc04174c870ff00cb0ba0df5ebc20fb817b5ea77ee7b100aa9941df321411c31726321bcb520033065

  • memory/788-57-0x0000000000000000-mapping.dmp

  • memory/788-63-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

    Filesize
    72KB

  • memory/968-61-0x0000000000000000-mapping.dmp

  • memory/1640-62-0x0000000000000000-mapping.dmp

  • memory/1860-54-0x0000000000E40000-0x0000000000E92000-memory.dmp

    Filesize
    328KB

  • memory/1860-55-0x0000000075E41000-0x0000000075E43000-memory.dmp

    Filesize
    8KB

  • memory/1940-60-0x0000000000000000-mapping.dmp