Analysis
-
max time kernel
144s -
max time network
158s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 18:53
General
-
Target
Doc#66202009475352576530141.pdf.exe
-
Size
414KB
-
MD5
b54eea6b86a4ea7a743e1db549ea54f9
-
SHA1
2291b8a0e39ca979d0373f98fd2ba8e86105da65
-
SHA256
9ff9a09c4e1ff0b737d630660b25335cded1fbe365628b5d6e59211e7d8ff53c
-
SHA512
d5a477a98e5d8939fbcd97d05585fcc6a8f6f8d5e9eb95bf1d220d2ff7fb89d34c8aa83b2708d54ce1b861feab79b39d7ad6ce25557a4e5c50df5173cac33e64
Malware Config
Extracted
asyncrat
0.5.7B
TOGETHER
chizzy25@/@!7^UPCAZ
-
delay
3
-
install
false
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/HKYwiN9V
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 6 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Doc#66202009475352576530141.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Doc#66202009475352576530141.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HfqSIphGzk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC16C.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpC16C.tmpFilesize
1KB
MD513a13b3e549b69a7aa653b09ebf678ba
SHA12ac6363c4b4ee182b9369081ccd64b40aa573e25
SHA256cb186d00f7f2941d41edc00377658b683fba9b38cb57af842fc82917165249a8
SHA512908628cb06be01bbeefe23dcd9659cf73eb826ddb9abdcacd292d883ba8bfbebe604a2f04e8d69a096b777dc99e3c37c444e48ee5afaaa5df7e26848c7e4595b
-
memory/948-59-0x0000000000000000-mapping.dmp
-
memory/1744-57-0x00000000003F0000-0x000000000041C000-memory.dmpFilesize
176KB
-
memory/1744-54-0x0000000001340000-0x00000000013AE000-memory.dmpFilesize
440KB
-
memory/1744-58-0x00000000004C0000-0x00000000004D2000-memory.dmpFilesize
72KB
-
memory/1744-56-0x00000000001E0000-0x00000000001F2000-memory.dmpFilesize
72KB
-
memory/1744-55-0x0000000075761000-0x0000000075763000-memory.dmpFilesize
8KB
-
memory/2036-61-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2036-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2036-64-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2036-65-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2036-66-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2036-67-0x000000000040C76E-mapping.dmp
-
memory/2036-69-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2036-71-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB