Overview

overview

10

Static

static

顧客訂å...20.exe

windows7_x64

10

顧客訂å...20.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    顧客訂單_081720.exe

  • Size

    399KB

  • MD5

    fca5062e93aad2523c6bb28f1147629d

  • SHA1

    9269d7bdd9332107c524ad9280dfb8cef0bcc6a2

  • SHA256

    9be04012b4927a7e93498068acaaac6e157192df66509a20079fa39084735247

  • SHA512

    9195d99b6d8c547920a13f7a483fa71706145f09f1aa7ea3c552e5d48ed9a824314ccaefa30b0a869bbc7a6c82483be350a8ca759ac3eeabe9026432c104ab45

Score
10/10
asyncratgod's mercyrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

GOD'S MERCY

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/reQxa5Ah

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\顧客訂單_081720.exe
    "C:\Users\Admin\AppData\Local\Temp\顧客訂單_081720.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SzJeVYqHm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F52.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4840
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
        PID:216
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:116

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp7F52.tmp
      Filesize

      1KB

      MD5

      5e5c2a7e2a267be24b685d5b83d9089a

      SHA1

      48181b606f60015b866058c695a5e116b2d3df67

      SHA256

      f2b4a503ffcd43ea7dc9cc35e1fac15d0cfa27135f71dec50b8ce2a453331b25

      SHA512

      516d5bcb32310546609886ef38f723e6a2668b994e67b8dae2ffe556dab6fe6bba82e91feabc119543ec262d9d3fe71148937766d5e1566713911ecc5cf9a5f9

      Download Submit
    • memory/116-139-0x0000000000000000-mapping.dmp
      Download
    • memory/116-140-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/216-138-0x0000000000000000-mapping.dmp
      Download
    • memory/4028-130-0x00000000009E0000-0x0000000000A4C000-memory.dmp
      Filesize

      432KB

      Download
    • memory/4028-131-0x0000000005310000-0x00000000053AC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4028-132-0x00000000059D0000-0x0000000005F74000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4028-133-0x0000000005420000-0x00000000054B2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4028-134-0x0000000002E40000-0x0000000002E4A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4028-135-0x00000000053B0000-0x0000000005406000-memory.dmp
      Filesize

      344KB

      Download
    • memory/4840-136-0x0000000000000000-mapping.dmp
      Download