Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 28-06-2022 07:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: gZHoNqzhnkAsyncnew.js
- Resource: win7-20220414-en
General
- Target: gZHoNqzhnkAsyncnew.js
- Size: 119KB
- MD5: 2d39df9576b5fb59ddecd387e7bc82e6
- SHA1: c80b2f2e610a61cf0ce7c71b8b52b7835b79581b
- SHA256: 4cddaf9878b629c5ecbdf268464cae85d5f1b49597714d48f0206a831f1d086e
- SHA512: 1fea7a53d13169aebd4d2430d89f363b0f234cf356a10637e7268f35f678387b4a9f9c3ab7adc84efcf640d973257e0e34baba34e9931f32fb5d935be1c28b37
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: 104.168.33.53:6606
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload (3 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Asyncnew.exe | asyncrat
  C:\Users\Admin\AppData\Local\Temp\Asyncnew.exe | asyncrat
  behavioral1/memory/1436-61-0x0000000000FE0000-0x0000000000FF2000-memory.dmp | asyncrat
- Blocklisted process makes network request (16 IoCs)
  flow | pid | process
  4, 8, 9, 12, 13, 14, 16, 17, 18, 20, 21, 22, 24, 25, 26, 28 | 1524 | wscript.exe
- Executes dropped EXE (1 IoC)
  pid | process
  1436 | Asyncnew.exe
- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BObASjrxDj.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BObASjrxDj.js | wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BObASjrxDj.js\"" | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1436 | Asyncnew.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | target process
  PID 1000 wrote to memory of 1524 | 1000 | wscript.exe | wscript.exe (3 entries)
  PID 1000 wrote to memory of 1436 | 1000 | wscript.exe | Asyncnew.exe (4 entries)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\gZHoNqzhnkAsyncnew.js
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BObASjrxDj.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\Asyncnew.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Asyncnew.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Asyncnew.exe
  Filesize: 45KB
  MD5: 4133ed1d989155424a1e5805b365ce1e
  SHA1: 53dd535ad89b6049b2a3e57e69117f0e217c7527
  SHA256: 3923d390ce9e9f25b701c36cd2ad09d1a6fd9aac839ef39864bc6bc2189bf72a
  SHA512: b0478b68d243d86c9400c30182a06dc0cbdb71dd0fb0914c7d216efe4e2109fdac9704b8f11f087b274b21449c72be9e0b7755bcb5b89fe04125a9682ba93bed
- C:\Users\Admin\AppData\Roaming\BObASjrxDj.js
  Filesize: 15KB
  MD5: b0bcba92509beba19a88ee124c8ae35c
  SHA1: 2121d8023e9f0bf447a63d665fcb85422e4dd726
  SHA256: 1c4bce0d3e1a6417457a4908fca49d630ffacd68339b0f537c06c8ca1dd9479a
  SHA512: f6918b56a223a617696a14dab0276a408720580e04f3e6f588b190afae835cb82703b0241f3a288788430ce9246d8d005cb17db29d9996aa7fd4fc71a5f21787
- memory/1000-54-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp
  Filesize: 8KB
- memory/1436-57-0x0000000000000000-mapping.dmp
- memory/1436-61-0x0000000000FE0000-0x0000000000FF2000-memory.dmp
  Filesize: 72KB
- memory/1436-62-0x0000000075F21000-0x0000000075F23000-memory.dmp
  Filesize: 8KB
- memory/1524-55-0x0000000000000000-mapping.dmp