Overview

overview

10

Static

static

New Purcha...er.exe

windows7_x64

10

New Purcha...er.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 18:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Purchase Order.exe

  • Size

    287KB

  • MD5

    072c089d4dbca02a4ae028d984f4cc03

  • SHA1

    3bd3b2dd8b8876c64bf528ee503c5ff2a893f897

  • SHA256

    4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c

  • SHA512

    3f2988a4f256e1b4cb07af531798d7d3bd445f27a81aecf15f200cc8aa1c2fdaff591e9865965468d651a7d578808550dfba95d959d74eb7a1abd3c667af67ac

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

freshg.ddns.net:2256

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    logs.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 9 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1652
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp453B.tmp.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:108
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2024
        • C:\Users\Admin\AppData\Roaming\logs.exe
          "C:\Users\Admin\AppData\Roaming\logs.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Users\Admin\AppData\Roaming\logs.exe
            "C:\Users\Admin\AppData\Roaming\logs.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1000
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
            "Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1844
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp453B.tmp.bat
    Filesize

    148B

    MD5

    188c7442bd2ebd07bf49cdcf27843bb1

    SHA1

    ce079285611588d049d61b025ec7d93769ef459b

    SHA256

    a7fcc05c29c3dadf0242c91d1b0331070655352d265191e7e1287e9e0e72fccc

    SHA512

    33064212209cbef63e81d27ac91dbf6367e087a2fdd83ab13d0faa4264d07d6d4a2490c6b0150e59d4f0eb065259314b15126174daeee41f5cb4bf38dc243136

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    6e48a0f4903e654e810a94552ec61540

    SHA1

    8e5527c535cebe5f228b76d45458ba5c213e0656

    SHA256

    77e7bb8f7a1bf5f1e66fd7296058d07ba4ca776a51904843d62369d3468af1d8

    SHA512

    0863e6cf097e3040bd154e05e2c3a940683fbdd109f3599940027336f776af9ae559239de41fc3a2fc8b5cf239daaa9cea2dbd6f4d9199200e22e5b69e646658

    Download Submit
  • C:\Users\Admin\AppData\Roaming\logs.exe
    Filesize

    287KB

    MD5

    072c089d4dbca02a4ae028d984f4cc03

    SHA1

    3bd3b2dd8b8876c64bf528ee503c5ff2a893f897

    SHA256

    4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c

    SHA512

    3f2988a4f256e1b4cb07af531798d7d3bd445f27a81aecf15f200cc8aa1c2fdaff591e9865965468d651a7d578808550dfba95d959d74eb7a1abd3c667af67ac

    Download Submit
  • C:\Users\Admin\AppData\Roaming\logs.exe
    Filesize

    287KB

    MD5

    072c089d4dbca02a4ae028d984f4cc03

    SHA1

    3bd3b2dd8b8876c64bf528ee503c5ff2a893f897

    SHA256

    4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c

    SHA512

    3f2988a4f256e1b4cb07af531798d7d3bd445f27a81aecf15f200cc8aa1c2fdaff591e9865965468d651a7d578808550dfba95d959d74eb7a1abd3c667af67ac

    Download Submit
  • C:\Users\Admin\AppData\Roaming\logs.exe
    Filesize

    287KB

    MD5

    072c089d4dbca02a4ae028d984f4cc03

    SHA1

    3bd3b2dd8b8876c64bf528ee503c5ff2a893f897

    SHA256

    4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c

    SHA512

    3f2988a4f256e1b4cb07af531798d7d3bd445f27a81aecf15f200cc8aa1c2fdaff591e9865965468d651a7d578808550dfba95d959d74eb7a1abd3c667af67ac

    Download Submit
  • \Users\Admin\AppData\Roaming\logs.exe
    Filesize

    287KB

    MD5

    072c089d4dbca02a4ae028d984f4cc03

    SHA1

    3bd3b2dd8b8876c64bf528ee503c5ff2a893f897

    SHA256

    4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c

    SHA512

    3f2988a4f256e1b4cb07af531798d7d3bd445f27a81aecf15f200cc8aa1c2fdaff591e9865965468d651a7d578808550dfba95d959d74eb7a1abd3c667af67ac

    Download Submit
  • memory/108-73-0x0000000000000000-mapping.dmp
    Download
  • memory/268-72-0x0000000000000000-mapping.dmp
    Download
  • memory/632-55-0x0000000075391000-0x0000000075393000-memory.dmp
    Filesize

    8KB

    Download
  • memory/632-56-0x00000000004E0000-0x0000000000518000-memory.dmp
    Filesize

    224KB

    Download
  • memory/632-54-0x0000000001300000-0x000000000134C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1000-89-0x000000000040C72E-mapping.dmp
    Download
  • memory/1000-95-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1000-93-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1268-68-0x0000000000000000-mapping.dmp
    Download
  • memory/1268-70-0x0000000072490000-0x0000000072A3B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1484-81-0x00000000001B0000-0x00000000001FC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1484-79-0x0000000000000000-mapping.dmp
    Download
  • memory/1652-74-0x0000000000000000-mapping.dmp
    Download
  • memory/1844-92-0x0000000000000000-mapping.dmp
    Download
  • memory/1844-98-0x0000000073820000-0x0000000073DCB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1952-61-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1952-62-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1952-57-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1952-58-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1952-67-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1952-65-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1952-63-0x000000000040C72E-mapping.dmp
    Download
  • memory/1952-60-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2024-76-0x0000000000000000-mapping.dmp
    Download