Analysis
-
max time kernel
144s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220715-en -
resource tags
-
submitted
19-07-2022 17:14
General
-
Target
tmp.exe
-
Size
479KB
-
MD5
4c6b01344809054252095695fe24aa5f
-
SHA1
d1571b19723ebb0def5a71b7d977ef4c5bdb66ab
-
SHA256
b20bdd03ad605edafccbed9cbf281d1fd370116dd07e335fc2f428e9efb2863b
-
SHA512
a26600e8233e90034a3a731246bdc634bc30478ea995c37317ef2e8139200f09446c4b78b500ffec5d7a84045790d0e80d20e4ba58cf28f0e4358f80e1db3af0
Malware Config
Extracted
asyncrat
0.5.7B
Default
secureyourdataarea1.duckdns.org:56390
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
svchost.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Async RAT payload 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe03⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
944B
MD5564716eed1d687a11ed72a316def6481
SHA1c2423fc47318cd25ecfab00cff85179cba4a9e01
SHA256636987560bea08b7ef5fd1886fd9b37e7d56aa7aa3ecb2b5d41129ae9150f615
SHA512052a4405491981896103c1fad4fb3ce36b1a1a0ed21802e1aba58164580b10baef1ea2d8cc1384578a9b67392cf9bb1f9c4d006eca3794178e01457ce42dd761
-
Filesize
438KB
MD561f89c90f92b2579d100f2af29f8375b
SHA194b645443699532b764963a6340dc2001de78146
SHA256531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
Filesize
438KB
MD561f89c90f92b2579d100f2af29f8375b
SHA194b645443699532b764963a6340dc2001de78146
SHA256531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
Filesize
438KB
MD561f89c90f92b2579d100f2af29f8375b
SHA194b645443699532b764963a6340dc2001de78146
SHA256531a2ee7e49f863969f2e353cfc0d62117d4857c9cf3784fa387c72a9911b757
SHA512fadb57106257333e6e34de9f7a47ca99b1aa628ddb4d973b088a66e3d7d7dda339a680204671bedf96aab68adaeb3797f82c06743dd550eb71d3f850e4214715
-
Filesize
216KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
120KB
-
-
Filesize
304KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
200KB
-
-
Filesize
464KB
-
Filesize
624KB
-
Filesize
120KB
-
Filesize
472KB
-
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
72KB