Overview

overview

10

Static

static

SecuriteIn...66.exe

windows7_x64

10

SecuriteIn...66.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    76s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    06-07-2022 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.4166.exe

  • Size

    52KB

  • MD5

    1f90ecea05ef9adfaa814d95a750f4ef

  • SHA1

    71bfea6663dbfc06e228113e44723e91bf46f619

  • SHA256

    4f3642f36e5ba22aec031ad20349200b39114fdb470b78247f1c1a5626146a87

  • SHA512

    644696c4973d8ca08c8d054238688aa2a76ea97abe434608e77d82def125d714f21d59b8d35faceb80fdca52b6a0a580f7c1303c2c67fa65088df70c4d5d05cb

Score
10/10
asyncratpersistenceratsuricata

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.4166.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.4166.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3848
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2256
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:5060
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4756

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      1KB

      MD5

      4280e36a29fa31c01e4d8b2ba726a0d8

      SHA1

      c485c2c9ce0a99747b18d899b71dfa9a64dabe32

      SHA256

      e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

      SHA512

      494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Filesize

      53KB

      MD5

      06ad34f9739c5159b4d92d702545bd49

      SHA1

      9152a0d4f153f3f40f7e606be75f81b582ee0c17

      SHA256

      474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

      SHA512

      c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      16KB

      MD5

      f126124474b20c5c8a5633f3b10a89d3

      SHA1

      322c89057baa805c2b4e490328963aab954fd225

      SHA256

      e3a23c630dc96d2f25fd7223a013f02be260c5ce97e96a740301afe2e90fafcd

      SHA512

      5eee2c4a861daa5740fddc773a0680c44c01e7842f53943d5ea9a40d49ed0dd85b767b18b684995169ba193a28ac12e653cd102e2df93728d16a25d85bd258e7

      Download Submit
    • memory/2256-148-0x0000000007B90000-0x0000000007C26000-memory.dmp
      Filesize

      600KB

      Download
    • memory/2256-149-0x0000000007B30000-0x0000000007B3E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2256-151-0x0000000007C30000-0x0000000007C38000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2256-150-0x0000000007C50000-0x0000000007C6A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2256-147-0x0000000007990000-0x000000000799A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2256-146-0x0000000007800000-0x000000000781E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2256-145-0x000000006FDB0000-0x000000006FDFC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2256-140-0x0000000000000000-mapping.dmp
      Download
    • memory/2256-144-0x0000000007820000-0x0000000007852000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3472-130-0x00000000006E0000-0x00000000006F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3848-139-0x0000000004E00000-0x0000000004E1A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3848-136-0x0000000005A60000-0x0000000005AC6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3848-132-0x0000000002AA0000-0x0000000002AD6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3848-138-0x00000000076E0000-0x0000000007D5A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3848-137-0x0000000006090000-0x00000000060AE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3848-131-0x0000000000000000-mapping.dmp
      Download
    • memory/3848-134-0x00000000050D0000-0x00000000050F2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3848-133-0x0000000005220000-0x0000000005848000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3848-135-0x0000000005940000-0x00000000059A6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4756-153-0x0000000000000000-mapping.dmp
      Download
    • memory/4756-154-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4756-155-0x0000000005920000-0x00000000059BC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4756-156-0x0000000006110000-0x00000000066B4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/5060-152-0x0000000000000000-mapping.dmp
      Download