Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 18:54

General

  • Target

    ab8633debd051d65dde309e985c402d59ec5615a030c17714389c6f3e9ab3899.exe

  • Size

    535KB

  • MD5

    a08f53208b0832720dc057d5b2d17e97

  • SHA1

    fe2ef8a2d445b410fa67a681285a3eab290ad295

  • SHA256

    ab8633debd051d65dde309e985c402d59ec5615a030c17714389c6f3e9ab3899

  • SHA512

    b349117988ebb5f4f6963697cb00c1a02f18f5b5d288ba84d8429e7cb63ca145ee157d0b6c40728da2dda59611c240884c76e01252aff368fca30ceb5455f6c2

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SLAVES MONDAY

C2

194.5.98.81:3434

Mutex

AsyncMutex_6363f86fs6fw6f

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab8633debd051d65dde309e985c402d59ec5615a030c17714389c6f3e9ab3899.exe
    "C:\Users\Admin\AppData\Local\Temp\ab8633debd051d65dde309e985c402d59ec5615a030c17714389c6f3e9ab3899.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4724
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5AD.tmp\5AE.tmp\5AF.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3484
        • C:\Windows\system32\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
          4⤵
          PID:1344
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\op.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4696
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\MONDAY.sfx.exe
          MONDAY.sfx.exe -dC:\Users\Admin\AppData\Local\Temp
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4324
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\MONDAY.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\MONDAY.exe"
            4⤵
            • Executes dropped EXE
            PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry 1 T1012
    • System Information Discovery 2 T1082

Downloads

    • C:\Users\Admin\AppData\Local\Temp\5AD.tmp\5AE.tmp\5AF.bat
      Filesize

      130B

      MD5

      78cf128c2c0b024aa9075d038f32c0f9

      SHA1

      ea941836117cb9f6d87a010806bbd5df58bd938a

      SHA256

      bc357caf1b6e8b12c5e257beaa3fe82a7b9ec2f982796ab699c86f8915e72d7e

      SHA512

      d523de37449552b99177cc3b510f068b2b2eeb1f30309d9e99320638e25e842df61357ae031cd2662c43e76c612ed2067e7c6319bf9e2e932793f0d5ee819c08

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\MONDAY.sfx.exe
      Filesize

      315KB

      MD5

      d5b59344064b40fcea8ed8c5efc50004

      SHA1

      92a3247139f13067cc66f30e82127026daffad8e

      SHA256

      df0b09c6556056c0933c426ebe15c261c04a1a7eec741218dd64f6aad96f4dad

      SHA512

      6fd8784103d49cfbfe50e4933b39a932ac5d4a1aefd646204017e42013a0d5b8f35941149b0d696bfc28f0a31237a776bcce8519ee6ca3db4fd9da73502bcb2d

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe
      Filesize

      88KB

      MD5

      0dc86efbfedebf49fdaffde6e88c3374

      SHA1

      f25ca6d1f0f482524f7d75cd98bef6dc23a9f877

      SHA256

      34340061108ed1dbbab5a54578e43d9bcace45b94b708633d77262adf24b96cf

      SHA512

      1279de999c88d435872e773dba01f727f1f60c559159716e9e47cc24554a32e88289730125b7ccd8d11091403ef3cbcc08406dace05cce272964b391867748e0

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\op.bat
      Filesize

      23B

      MD5

      2feb1ba17faab82e3151b6b12c292ac4

      SHA1

      b91a0db39c285e0899498ed9344606fff0c387b4

      SHA256

      5fd21ddedc4fb53979a101479ed8f3216bb89c30515047242c12d09ce18a78ed

      SHA512

      74d0fcb452f9017916ccb86a0b6ef7418bfbb34b4a54c8e9e8f756d8c7f56c7015dcd65032860ee79f3f3027998c531c3c39aa591cc80567e3727d296bc7adda

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\MONDAY.exe
      Filesize

      45KB

      MD5

      9913d6e9c9484a53d8892b0f911b7958

      SHA1

      7f0743302ebef2442bde107aa7ee318e67a3ae1f

      SHA256

      28f697555b087d5065726a473137ac93b5a3bcc8e61b4ef4baa732fa6f7ec229

      SHA512

      6c1915fdc5fa991c8ad93ab2f6593edf848cac5397967bfe1610267a2f480c2af5969e3cdf8cf02c41e23a4d60d3702ec246127dc28fb94408dfee1628eaae85

    • memory/1344-135-0x0000000000000000-mapping.dmp
    • memory/2840-144-0x0000000000FE0000-0x0000000000FF2000-memory.dmp
      Filesize

      72KB

    • memory/2840-141-0x0000000000000000-mapping.dmp
    • memory/3484-133-0x0000000000000000-mapping.dmp
    • memory/4324-138-0x0000000000000000-mapping.dmp
    • memory/4696-136-0x0000000000000000-mapping.dmp
    • memory/4724-130-0x0000000000000000-mapping.dmp