Overview

overview

10

Static

static

a67e24a857...5f.exe

windows7_x64

10

a67e24a857...5f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    186s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a67e24a8575521f3eb6601dd6c2de85f.exe

  • Size

    1.1MB

  • MD5

    a67e24a8575521f3eb6601dd6c2de85f

  • SHA1

    4f7e56953e1e47397c277fd23487c3e29932ca55

  • SHA256

    00bcbf44a3a8dfdd43324ad3dc7a868049bc1856237d97307cc1bbec2ce68ffe

  • SHA512

    7ca3482f8ea42fc0554b23d21e277f0d7edaf44a0ba08606bf02af86328d5a1ad18917b47fa3f111c68ab2e267954eb8fccc9b404cf3c1433baf312a80a9c01c

Score
10/10
asyncratdefaultpersistenceratsuricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

luispereiralora09.con-ip.com:1990

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a67e24a8575521f3eb6601dd6c2de85f.exe
    "C:\Users\Admin\AppData\Local\Temp\a67e24a8575521f3eb6601dd6c2de85f.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/364-140-0x0000000000000000-mapping.dmp
    Download
  • memory/364-143-0x0000000006250000-0x00000000067F4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/364-142-0x0000000005C00000-0x0000000005C9C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/364-141-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/916-136-0x00000000058F0000-0x0000000005956000-memory.dmp
    Filesize

    408KB

    Download
  • memory/916-135-0x0000000005880000-0x00000000058E6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/916-137-0x0000000005700000-0x000000000571E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/916-138-0x0000000007440000-0x0000000007ABA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/916-139-0x00000000062A0000-0x00000000062BA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/916-134-0x0000000005780000-0x00000000057A2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/916-133-0x0000000004F70000-0x0000000005598000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/916-132-0x0000000002840000-0x0000000002876000-memory.dmp
    Filesize

    216KB

    Download
  • memory/916-131-0x0000000000000000-mapping.dmp
    Download
  • memory/3264-130-0x0000000000BF0000-0x0000000000D18000-memory.dmp
    Filesize

    1.2MB

    Download