Overview

overview

10

Static

static

759eb01f86...d7.exe

windows7_x64

10

759eb01f86...d7.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    06-07-2022 10:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    759eb01f8687aa4ab519ce0b8ada22d7.exe

  • Size

    560KB

  • MD5

    759eb01f8687aa4ab519ce0b8ada22d7

  • SHA1

    80086dd4bd562df870ed9556248a0a46177e63d7

  • SHA256

    0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808

  • SHA512

    2ac4cc01afba0ba62db65763f5f3fe9ecfd2e83dbe5a28082d2d61cce92ef37f08e5c0b6f2d7769ff6309f805a3385cf1b4f968ff22e8632b76af3098ee00dc0

Score
10/10
asyncratratsuricata

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\759eb01f8687aa4ab519ce0b8ada22d7.exe
    "C:\Users\Admin\AppData\Local\Temp\759eb01f8687aa4ab519ce0b8ada22d7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4488
    • C:\Users\Admin\AppData\Local\Temp\759eb01f8687aa4ab519ce0b8ada22d7.exe
      C:\Users\Admin\AppData\Local\Temp\759eb01f8687aa4ab519ce0b8ada22d7.exe
      2⤵
        PID:4604
      • C:\Users\Admin\AppData\Local\Temp\759eb01f8687aa4ab519ce0b8ada22d7.exe
        C:\Users\Admin\AppData\Local\Temp\759eb01f8687aa4ab519ce0b8ada22d7.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6BD9.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:912
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:1132

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\759eb01f8687aa4ab519ce0b8ada22d7.exe.log
      Filesize

      897B

      MD5

      cf251dc9d6217669420cb56ddcc8c522

      SHA1

      3fcbcdbe8b9eda10ce3e86729851ba4b0e20c6e6

      SHA256

      0197375e8413bc8b68ae7b0acad3c0314ebf3317f673ea9d187363305e622221

      SHA512

      c89c7609d4a647fc1f6b951f376ba5fc43f610dfedd0cab2368d7bfba732ab4defcaef11f218bcda9d76488b1946b74416e021f84c54627b22bdec0e0b5e5ec8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp6BD9.tmp.bat
      Filesize

      184B

      MD5

      1383b9c41f52e9b12b6f59658a0f3de0

      SHA1

      00d12c66c7c2eab20d0e81f0438baa27a44419a1

      SHA256

      d2065d412c8b3a2f6cd1ff2d6ee8cb7500a1240971b6ab814131a4f1aae71ec8

      SHA512

      2edc57eaa39afea956af215a8fe4727754f01d96015895f3fd1125d8305523ff33104cc891bae1a6717b3b3f66927097849c75abe3656014a4f105e4697bcdcc

      Download Submit
    • memory/912-149-0x0000000000000000-mapping.dmp
      Download
    • memory/1132-151-0x0000000000000000-mapping.dmp
      Download
    • memory/4284-140-0x0000000005A50000-0x0000000005AE2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4284-130-0x0000000000F80000-0x0000000001012000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4284-141-0x0000000006FC0000-0x0000000007564000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4488-133-0x0000000005430000-0x0000000005A58000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4488-136-0x0000000005C70000-0x0000000005CD6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4488-137-0x00000000062A0000-0x00000000062BE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4488-138-0x00000000078F0000-0x0000000007F6A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4488-139-0x0000000006790000-0x00000000067AA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4488-131-0x0000000000000000-mapping.dmp
      Download
    • memory/4488-135-0x0000000005AD0000-0x0000000005B36000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4488-132-0x0000000002CB0000-0x0000000002CE6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4488-134-0x00000000053F0000-0x0000000005412000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4564-143-0x0000000000000000-mapping.dmp
      Download
    • memory/4564-147-0x0000000007280000-0x00000000072F6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4564-148-0x0000000007260000-0x000000000727E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4564-146-0x0000000005D70000-0x0000000005E0C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4564-144-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4604-142-0x0000000000000000-mapping.dmp
      Download