Analysis
- max time kernel: 142s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 28-06-2022 06:48

Static task: static1
Behavioral task: behavioral1
Sample: fddaeygXLjAsync.js
Resource: win7-20220414-en
General
- Target: fddaeygXLjAsync.js
- Size: 119KB
- MD5: 542b756dd96091a329ef2d11d08a6b3e
- SHA1: bebe6cb01c61932081119bcd8c4c35d4c75eabe8
- SHA256: 7c8b340626b6330e1a94c98a97b4de4778e996e1f65c4d7cf81f7c1605f66e7d
- SHA512: ebf79ee53d2c4edeb16bf842e11b91c45717a778de4334305d7276b7dd30718dfef2841a365e5ef8c86d911be7247187b40e2529568d080e3879d33d7342b0e6
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 104.168.33.53:6606
- C2: 104.168.33.53:7707
- C2: 104.168.33.53:8808
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Async RAT payload (3 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Async.exe | asyncrat
  C:\Users\Admin\AppData\Local\Temp\Async.exe | asyncrat
  behavioral2/memory/4268-135-0x0000000000C00000-0x0000000000C12000-memory.dmp | asyncrat
Blocklisted process makes network request (16 IoCs)
Processes:
  flow | pid | process
  6 | 4660 | wscript.exe
  10 | 4660 | wscript.exe
  11 | 4660 | wscript.exe
  14 | 4660 | wscript.exe
  23 | 4660 | wscript.exe
  26 | 4660 | wscript.exe
  29 | 4660 | wscript.exe
  31 | 4660 | wscript.exe
  34 | 4660 | wscript.exe
  39 | 4660 | wscript.exe
  43 | 4660 | wscript.exe
  44 | 4660 | wscript.exe
  46 | 4660 | wscript.exe
  47 | 4660 | wscript.exe
  50 | 4660 | wscript.exe
  58 | 4660 | wscript.exe
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  4268 | Async.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NUwYwPFpEJ.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NUwYwPFpEJ.js | wscript.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\NUwYwPFpEJ.js\"" | wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4268 | Async.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description | pid | process | target process
  PID 3620 wrote to memory of 4660 | 3620 | wscript.exe | wscript.exe
  PID 3620 wrote to memory of 4660 | 3620 | wscript.exe | wscript.exe
  PID 3620 wrote to memory of 4268 | 3620 | wscript.exe | Async.exe
  PID 3620 wrote to memory of 4268 | 3620 | wscript.exe | Async.exe
  PID 3620 wrote to memory of 4268 | 3620 | wscript.exe | Async.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\fddaeygXLjAsync.js
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NUwYwPFpEJ.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
   2. C:\Users\Admin\AppData\Local\Temp\Async.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Async.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\Async.exe
  Filesize: 45KB
  MD5: 65586e22a9a03098c2e3fcc25f552e0f
  SHA1: 4b643df63515c9ddabcc5ab6b3067b3f77a40ec1
  SHA256: a7a86f886a367edb3bb30013d45582babf374a941ef6483f0da25521ecef42d1
  SHA512: b06fbd875202104f06c11584ff39fe5f623616a41166de5195446ddb39023bef42d456a2a9bb44fe4f862c163b322734a5f836dec6e0800c636e230dbddc125a
- C:\Users\Admin\AppData\Roaming\NUwYwPFpEJ.js
  Filesize: 15KB
  MD5: f968c7106fa42c287710c1582e45b546
  SHA1: f16aaafe731a57b6dc43380d4999609b89e7822c
  SHA256: fc71ed12fa0720f87b95ffa02fd0af75ed35edbf43030f91925be94ac20eae62
  SHA512: d606121022b748d4da6a50d56114f46857968829de295a3f4d46aa6fba08dbafec0549ba1c798dba1e45e1f9bdafa59165095e729490556408b4ecca49236432
- memory/4268-132-0x0000000000000000-mapping.dmp
- memory/4268-135-0x0000000000C00000-0x0000000000C12000-memory.dmp
  Filesize: 72KB
- memory/4268-136-0x0000000005F10000-0x0000000005FAC000-memory.dmp
  Filesize: 624KB
- memory/4268-137-0x0000000006560000-0x0000000006B04000-memory.dmp
  Filesize: 5.6MB
- memory/4268-138-0x0000000006020000-0x0000000006086000-memory.dmp
  Filesize: 408KB
- memory/4660-130-0x0000000000000000-mapping.dmp