Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 22:32
Static task: static1
Behavioral task: behavioral1
- Sample: A4A60422374845BF0ABD892DD48D352978D697C883196.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: A4A60422374845BF0ABD892DD48D352978D697C883196.exe
- Resource: win10v2004-20220414-en
General
- Target: A4A60422374845BF0ABD892DD48D352978D697C883196.exe
- Size: 701KB
- MD5: 1bd98c5b4581aeff9b65ce5653f49cdf
- SHA1: 3091d81da54ed79391b456e8e94e6b939be2a316
- SHA256: a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1
- SHA512: f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc
Malware Config
Extracted
- asyncrat
- 0.5.6D
- Default
- milla.publicvm.com:6606
- milla.publicvm.com:7707
- milla.publicvm.com:8808
- ncwfisdaribhhybik
- delay: 10
- install: true
- install_file: syastem.exe
- install_folder: %AppData%
Signatures
-
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
-
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
-
Async RAT payload 1 IoCs
Processes:
- resource: behavioral1/memory/1948-55-0x0000000000300000-0x0000000000312000-memory.dmp, yara_rule: asyncrat
Executes dropped EXE 1 IoCs
Processes:
- pid 652, process syastem.exe
Loads dropped DLL 1 IoCs
Processes:
- pid 1692, process cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
- pid 1368, process timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
- pid 1948, process A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- description: Token: SeDebugPrivilege, pid 1948, process A4A60422374845BF0ABD892DD48D352978D697C883196.exe
- description: Token: SeDebugPrivilege, pid 652, process syastem.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes (each write below is recorded four times in the source table, giving the 20 IoCs):
- PID 1948 wrote to memory of 1328: A4A60422374845BF0ABD892DD48D352978D697C883196.exe -> cmd.exe (4 entries)
- PID 1948 wrote to memory of 1692: A4A60422374845BF0ABD892DD48D352978D697C883196.exe -> cmd.exe (4 entries)
- PID 1328 wrote to memory of 2036: cmd.exe -> schtasks.exe (4 entries)
- PID 1692 wrote to memory of 1368: cmd.exe -> timeout.exe (4 entries)
- PID 1692 wrote to memory of 652: cmd.exe -> syastem.exe (4 entries)
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\A4A60422374845BF0ABD892DD48D352978D697C883196.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\A4A60422374845BF0ABD892DD48D352978D697C883196.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn A4A60422374845BF0ABD892DD48D352978D697C883196 /tr '"C:\Users\Admin\AppData\Roaming\syastem.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /ru system /rl highest /tn A4A60422374845BF0ABD892DD48D352978D697C883196 /tr '"C:\Users\Admin\AppData\Roaming\syastem.exe"'
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E4E.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\syastem.exe
      Command line: "C:\Users\Admin\AppData\Roaming\syastem.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6E4E.tmp.bat
  Filesize: 151B
  MD5: 3d0e3950cb76e9f357204aa3c568426d
  SHA1: 72d9bc3585cc7af27a6a4badba0d029e84f6749e
  SHA256: bcd9abd209dbf47f99b72179a6e2dd7ef8a3cf120b8319ffddb9bd8635385a8a
  SHA512: e92bc29fda6ff7774d2cc63d4321d38948b59349ed7a7adf823b156009c7018157531e1243290fc93a38b8b5b6f88beb6ea7af3354e62a1a3baf2d0e4a2df4d1
- C:\Users\Admin\AppData\Roaming\syastem.exe
  Filesize: 701KB
  MD5: 1bd98c5b4581aeff9b65ce5653f49cdf
  SHA1: 3091d81da54ed79391b456e8e94e6b939be2a316
  SHA256: a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1
  SHA512: f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc
- \Users\Admin\AppData\Roaming\syastem.exe
  Filesize: 701KB
  MD5: 1bd98c5b4581aeff9b65ce5653f49cdf
  SHA1: 3091d81da54ed79391b456e8e94e6b939be2a316
  SHA256: a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1
  SHA512: f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc
- memory/652-64-0x0000000000000000-mapping.dmp
- memory/652-66-0x0000000000110000-0x00000000001C4000-memory.dmp
  Filesize: 720KB
- memory/1328-57-0x0000000000000000-mapping.dmp
- memory/1368-61-0x0000000000000000-mapping.dmp
- memory/1692-58-0x0000000000000000-mapping.dmp
- memory/1948-56-0x00000000754A1000-0x00000000754A3000-memory.dmp
  Filesize: 8KB
- memory/1948-55-0x0000000000300000-0x0000000000312000-memory.dmp
  Filesize: 72KB
- memory/1948-54-0x0000000001060000-0x0000000001114000-memory.dmp
  Filesize: 720KB
- memory/2036-59-0x0000000000000000-mapping.dmp