Overview

overview

10

Static

static

273f2c55c1...8a.exe

windows7_x64

10

273f2c55c1...8a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    04-07-2022 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    273f2c55c1982fc3ec6450639609f38a.exe

  • Size

    486KB

  • MD5

    273f2c55c1982fc3ec6450639609f38a

  • SHA1

    02db2875babca34c81f4979134cba8422c7ef262

  • SHA256

    93df1c272022c2a5bc8bcb8247ffc932837ea4de9f6044da8953a3a1078ab018

  • SHA512

    a65de5f5bf0f47c399108f6b59405327be7a1037a2b6597a5eef4b13c3483347885a86a6662770bd34a8aea61445ac29cab93e330739453922dcbacf7b743e38

Score
10/10
asyncratdefaultratsuricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

vivald21.hopto.org:9954

63.141.237.188:9954
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\273f2c55c1982fc3ec6450639609f38a.exe
    "C:\Users\Admin\AppData\Local\Temp\273f2c55c1982fc3ec6450639609f38a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mqJGmcQXQtGbX.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1744
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mqJGmcQXQtGbX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB2B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4832
    • C:\Users\Admin\AppData\Local\Temp\273f2c55c1982fc3ec6450639609f38a.exe
      "C:\Users\Admin\AppData\Local\Temp\273f2c55c1982fc3ec6450639609f38a.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\273f2c55c1982fc3ec6450639609f38a.exe.log
    Filesize

    1KB

    MD5

    e08f822522c617a40840c62e4b0fb45e

    SHA1

    ae516dca4da5234be6676d3f234c19ec55725be7

    SHA256

    bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

    SHA512

    894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpEB2B.tmp
    Filesize

    1KB

    MD5

    393efdea5a2c553ae26b10f4331dad59

    SHA1

    0437bd9fccd96e1e2f58abf6cdbe73579e06b306

    SHA256

    88a9094e1f991ad09a7ac8971fe5d5940a8fbd6cd1bc764305ed7db00d3b6edb

    SHA512

    09b801269ab6f47137d242f2fdd9dda7324a2c32c7d2de69c0b3ed0794c09a9501c62d0ea890580ee1c91ad963127090d3eb0613e9250c720bb12dad8cbe3dbd

    Download Submit
  • memory/404-142-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/404-141-0x0000000000000000-mapping.dmp
    Download
  • memory/1744-136-0x0000000000000000-mapping.dmp
    Download
  • memory/1744-145-0x00000000056F0000-0x0000000005756000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1744-156-0x0000000007DB0000-0x0000000007DB8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1744-155-0x0000000007DD0000-0x0000000007DEA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1744-138-0x0000000002DE0000-0x0000000002E16000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1744-154-0x0000000007CC0000-0x0000000007CCE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1744-140-0x00000000058B0000-0x0000000005ED8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1744-153-0x0000000007D10000-0x0000000007DA6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1744-152-0x0000000007B00000-0x0000000007B0A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1744-151-0x0000000007A90000-0x0000000007AAA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1744-144-0x0000000005650000-0x0000000005672000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1744-150-0x00000000080E0000-0x000000000875A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1744-146-0x0000000006780000-0x000000000679E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1744-147-0x0000000006D70000-0x0000000006DA2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1744-148-0x0000000071540000-0x000000007158C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1744-149-0x0000000006D20000-0x0000000006D3E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4704-135-0x0000000000A20000-0x0000000000A86000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4704-131-0x0000000005070000-0x0000000005614000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4704-132-0x0000000004B60000-0x0000000004BF2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4704-133-0x0000000004AE0000-0x0000000004AEA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4704-134-0x0000000008A10000-0x0000000008AAC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4704-130-0x00000000000C0000-0x0000000000140000-memory.dmp
    Filesize

    512KB

    Download
  • memory/4832-137-0x0000000000000000-mapping.dmp
    Download