Analysis
- max time kernel: 72s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 22:32
Static task: static1
Behavioral task: behavioral1
- Sample: A4A60422374845BF0ABD892DD48D352978D697C883196.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: A4A60422374845BF0ABD892DD48D352978D697C883196.exe
- Resource: win10v2004-20220414-en
General
- Target: A4A60422374845BF0ABD892DD48D352978D697C883196.exe
- Size: 701KB
- MD5: 1bd98c5b4581aeff9b65ce5653f49cdf
- SHA1: 3091d81da54ed79391b456e8e94e6b939be2a316
- SHA256: a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1
- SHA512: f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.6D
- Botnet: Default
- C2: milla.publicvm.com:6606, milla.publicvm.com:7707, milla.publicvm.com:8808
- Mutex: ncwfisdaribhhybik
- delay: 10
- install: true
- install_file: syastem.exe
- install_folder: %AppData%
Signatures
- suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload 2 IoCs
  resource: behavioral1/memory/1660-55-0x0000000000380000-0x0000000000392000-memory.dmp, yara_rule: asyncrat
  resource: behavioral1/memory/1296-67-0x0000000000250000-0x0000000000262000-memory.dmp, yara_rule: asyncrat
- Executes dropped EXE 1 IoCs
  Processes: pid 1296 syastem.exe
- Loads dropped DLL 1 IoCs
  Processes: pid 1132 cmd.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe 1 IoCs
  Processes: pid 1908 timeout.exe
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes: pid 1660 A4A60422374845BF0ABD892DD48D352978D697C883196.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
  - Token: SeDebugPrivilege, pid 1660, A4A60422374845BF0ABD892DD48D352978D697C883196.exe
  - Token: SeDebugPrivilege, pid 1296, syastem.exe
- Suspicious use of WriteProcessMemory 20 IoCs
  Processes (description, pid, process -> target process):
  - PID 1660 wrote to memory of 1708, pid 1660, A4A60422374845BF0ABD892DD48D352978D697C883196.exe -> cmd.exe
  - PID 1660 wrote to memory of 1132, pid 1660, A4A60422374845BF0ABD892DD48D352978D697C883196.exe -> cmd.exe
  - PID 1708 wrote to memory of 844, pid 1708, cmd.exe -> schtasks.exe
  - PID 1132 wrote to memory of 1908, pid 1132, cmd.exe -> timeout.exe
  - PID 1132 wrote to memory of 1296, pid 1132, cmd.exe -> syastem.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\A4A60422374845BF0ABD892DD48D352978D697C883196.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\A4A60422374845BF0ABD892DD48D352978D697C883196.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn A4A60422374845BF0ABD892DD48D352978D697C883196 /tr '"C:\Users\Admin\AppData\Roaming\syastem.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /ru system /rl highest /tn A4A60422374845BF0ABD892DD48D352978D697C883196 /tr '"C:\Users\Admin\AppData\Roaming\syastem.exe"'
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp87A7.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\syastem.exe
      Command line: "C:\Users\Admin\AppData\Roaming\syastem.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp87A7.tmp.bat
  Filesize: 151B
  MD5: 4d98b1f470d85af9081b0a121382821e
  SHA1: b3706e80a96d12c2ab4daea321f9efb9ba191c00
  SHA256: 9b11a3402b33f3b1c4f148cf15dbcce0d77a2ea055c437719612455eef918d9a
  SHA512: 3c791e570317ad8ce6e5e1be4baec99f4c329b53db8759b7664f97f8c9069603a599c1fd1d8c5d6867b70b4f0a28d62fe4d5fc920a204c519534cedccdb84ebd
- C:\Users\Admin\AppData\Roaming\syastem.exe
  Filesize: 701KB
  MD5: 1bd98c5b4581aeff9b65ce5653f49cdf
  SHA1: 3091d81da54ed79391b456e8e94e6b939be2a316
  SHA256: a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1
  SHA512: f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc
- \Users\Admin\AppData\Roaming\syastem.exe
  Filesize: 701KB
  MD5: 1bd98c5b4581aeff9b65ce5653f49cdf
  SHA1: 3091d81da54ed79391b456e8e94e6b939be2a316
  SHA256: a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1
  SHA512: f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc
- memory/844-59-0x0000000000000000-mapping.dmp
- memory/1132-58-0x0000000000000000-mapping.dmp
- memory/1296-66-0x0000000000EC0000-0x0000000000F74000-memory.dmp (Filesize: 720KB)
- memory/1296-64-0x0000000000000000-mapping.dmp
- memory/1296-67-0x0000000000250000-0x0000000000262000-memory.dmp (Filesize: 72KB)
- memory/1660-56-0x0000000076781000-0x0000000076783000-memory.dmp (Filesize: 8KB)
- memory/1660-55-0x0000000000380000-0x0000000000392000-memory.dmp (Filesize: 72KB)
- memory/1660-54-0x0000000001080000-0x0000000001134000-memory.dmp (Filesize: 720KB)
- memory/1708-57-0x0000000000000000-mapping.dmp
- memory/1908-61-0x0000000000000000-mapping.dmp