Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20220414-en
submitted: 28-06-2022 06:48
Static task: static1
Behavioral task: behavioral1
Sample: fddaeygXLjAsync.js
Resource: win7-20220414-en
General
Target: fddaeygXLjAsync.js
Size: 119KB
MD5: 542b756dd96091a329ef2d11d08a6b3e
SHA1: bebe6cb01c61932081119bcd8c4c35d4c75eabe8
SHA256: 7c8b340626b6330e1a94c98a97b4de4778e996e1f65c4d7cf81f7c1605f66e7d
SHA512: ebf79ee53d2c4edeb16bf842e11b91c45717a778de4334305d7276b7dd30718dfef2841a365e5ef8c86d911be7247187b40e2529568d080e3879d33d7342b0e6
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2:
- 104.168.33.53:6606
- 104.168.33.53:7707
- 104.168.33.53:8808
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload (3 IoCs)
  resource / yara_rule:
  - C:\Users\Admin\AppData\Local\Temp\Async.exe: asyncrat
  - C:\Users\Admin\AppData\Local\Temp\Async.exe: asyncrat
  - behavioral1/memory/2000-61-0x0000000000A30000-0x0000000000A42000-memory.dmp: asyncrat
- Blocklisted process makes network request (15 IoCs)
  flow / pid / process: flows 4, 8, 9, 11, 13, 14, 16, 17, 18, 20, 21, 22, 24, 25 and 26, all from pid 1208 (wscript.exe)
- Executes dropped EXE (1 IoCs)
  pid 2000: Async.exe
- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NUwYwPFpEJ.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NUwYwPFpEJ.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\NUwYwPFpEJ.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 2000 (Async.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  - PID 1600 (wscript.exe) wrote to memory of 1208 (wscript.exe), 3 times
  - PID 1600 (wscript.exe) wrote to memory of 2000 (Async.exe), 4 times
Processes
- C:\Windows\system32\wscript.exe (PID 1600)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\fddaeygXLjAsync.js
  - Suspicious use of WriteProcessMemory
  children:
  - C:\Windows\System32\wscript.exe (PID 1208)
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NUwYwPFpEJ.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\Async.exe (PID 2000)
    command line: "C:\Users\Admin\AppData\Local\Temp\Async.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Async.exe
  Filesize: 45KB
  MD5: 65586e22a9a03098c2e3fcc25f552e0f
  SHA1: 4b643df63515c9ddabcc5ab6b3067b3f77a40ec1
  SHA256: a7a86f886a367edb3bb30013d45582babf374a941ef6483f0da25521ecef42d1
  SHA512: b06fbd875202104f06c11584ff39fe5f623616a41166de5195446ddb39023bef42d456a2a9bb44fe4f862c163b322734a5f836dec6e0800c636e230dbddc125a
- C:\Users\Admin\AppData\Roaming\NUwYwPFpEJ.js
  Filesize: 15KB
  MD5: f968c7106fa42c287710c1582e45b546
  SHA1: f16aaafe731a57b6dc43380d4999609b89e7822c
  SHA256: fc71ed12fa0720f87b95ffa02fd0af75ed35edbf43030f91925be94ac20eae62
  SHA512: d606121022b748d4da6a50d56114f46857968829de295a3f4d46aa6fba08dbafec0549ba1c798dba1e45e1f9bdafa59165095e729490556408b4ecca49236432
- memory/1208-55-0x0000000000000000-mapping.dmp
- memory/1600-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp
  Filesize: 8KB
- memory/2000-57-0x0000000000000000-mapping.dmp
- memory/2000-61-0x0000000000A30000-0x0000000000A42000-memory.dmp
  Filesize: 72KB
- memory/2000-62-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
  Filesize: 8KB