Analysis
-
max time kernel
140s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
-
submitted
19-07-2022 17:14
General
-
Target
tmp.exe
-
Size
479KB
-
MD5
4c6b01344809054252095695fe24aa5f
-
SHA1
d1571b19723ebb0def5a71b7d977ef4c5bdb66ab
-
SHA256
b20bdd03ad605edafccbed9cbf281d1fd370116dd07e335fc2f428e9efb2863b
-
SHA512
a26600e8233e90034a3a731246bdc634bc30478ea995c37317ef2e8139200f09446c4b78b500ffec5d7a84045790d0e80d20e4ba58cf28f0e4358f80e1db3af0
Malware Config
Extracted
asyncrat
0.5.7B
Default
secureyourdataarea1.duckdns.org:56390
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
svchost.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Async RAT payload 6 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe03⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
438KB
MD561f89c90f92b2579d100f2af29f8375b
SHA194b645443699532b764963a6340dc2001de78146
SHA256531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
Filesize
438KB
MD561f89c90f92b2579d100f2af29f8375b
SHA194b645443699532b764963a6340dc2001de78146
SHA256531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
Filesize
438KB
MD561f89c90f92b2579d100f2af29f8375b
SHA194b645443699532b764963a6340dc2001de78146
SHA256531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
Filesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
Filesize
438KB
MD561f89c90f92b2579d100f2af29f8375b
SHA194b645443699532b764963a6340dc2001de78146
SHA256531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
Filesize
438KB
MD561f89c90f92b2579d100f2af29f8375b
SHA194b645443699532b764963a6340dc2001de78146
SHA256531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
464KB
-