Overview

overview

10

Static

static

44c06ff948...6b.exe

windows7_x64

10

44c06ff948...6b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    6s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    30-06-2022 18:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe

  • Size

    1008KB

  • MD5

    e545f0dcbd848ce0e1594b9efe51b572

  • SHA1

    7518a03d5a85c4a919dfb89a85af5f9e5fdf7713

  • SHA256

    44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b

  • SHA512

    8cd58be448e211723a13027ff6fea7a1b28cc7b603627c973022277c36642639aaf3e8b0d865a292b09b6c071375d580e94ccaa29b8f545aca22e0a3568ee333

Score
10/10
asyncratevasionrattrojan

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe
    "C:\Users\Admin\AppData\Local\Temp\44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe"
    1⤵
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\44c06ff9482b8356d33690f94f56cf6ea29e2ff0f167c11a49594d542412f16b.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4292
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      2⤵
        PID:4660
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 2220
        2⤵
        • Program crash
        PID:4204
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024
      1⤵
        PID:4172

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Disabling Security Tools

      2
      T1089

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4024-130-0x0000000000AC0000-0x0000000000BC0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/4024-131-0x00000000053B0000-0x000000000544C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4024-132-0x0000000005B00000-0x00000000060A4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4024-133-0x0000000005600000-0x0000000005692000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4024-134-0x00000000055E0000-0x00000000055EA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4292-148-0x0000000006DA0000-0x0000000006DBA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4292-144-0x0000000004930000-0x0000000004962000-memory.dmp
        Filesize

        200KB

        Download
      • memory/4292-137-0x0000000004DD0000-0x00000000053F8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/4292-138-0x0000000004C20000-0x0000000004C42000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4292-139-0x0000000005470000-0x00000000054D6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4292-140-0x0000000005590000-0x00000000055F6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4292-141-0x0000000005BB0000-0x0000000005BCE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4292-153-0x00000000071F0000-0x00000000071F8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/4292-152-0x0000000007200000-0x000000000721A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4292-136-0x00000000045E0000-0x0000000004616000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4292-145-0x000000006F860000-0x000000006F8AC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/4292-146-0x0000000004910000-0x000000000492E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4292-147-0x0000000007550000-0x0000000007BCA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/4292-135-0x0000000000000000-mapping.dmp
        Download
      • memory/4292-149-0x0000000006F40000-0x0000000006F4A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4292-150-0x0000000007140000-0x00000000071D6000-memory.dmp
        Filesize

        600KB

        Download
      • memory/4292-151-0x0000000007110000-0x000000000711E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/4660-143-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4660-142-0x0000000000000000-mapping.dmp
        Download