Analysis

  • max time kernel
    38s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    05-08-2022 18:31

General

  • Target

    _.exe

  • Size

    54KB

  • MD5

    372bbbd0c71b8c26c57fa9b95e0cc77d

  • SHA1

    6c88c48264407b845bef8b669a610de1ceb04536

  • SHA256

    8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b

  • SHA512

    9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\_.exe
    "C:\Users\Admin\AppData\Local\Temp\_.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:1512
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\.exe"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:1752
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpACF3.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:528
      • C:\Users\Admin\AppData\Roaming\.exe
        "C:\Users\Admin\AppData\Roaming\.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Hidden Files and Directories

2
T1158

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpACF3.tmp.bat
    Filesize

    144B

    MD5

    be5e4c8dd18ed25ae0674db64b658658

    SHA1

    a700ed3f01db4f7d905dae3e957208a25432a083

    SHA256

    db0ea282cfd141c1a02f41261e0e5a3adaed675f490d4985f21bca0cc21e32ae

    SHA512

    32745614b79d97a978cec6f4697a1c10cd51e749fff077311699e5d1b277521ec912676a8b560d7a53fe72b805ee1eff23238e7970e07c9c4f5f41eb762373ac

  • C:\Users\Admin\AppData\Roaming\.exe
    Filesize

    54KB

    MD5

    372bbbd0c71b8c26c57fa9b95e0cc77d

    SHA1

    6c88c48264407b845bef8b669a610de1ceb04536

    SHA256

    8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b

    SHA512

    9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632

  • C:\Users\Admin\AppData\Roaming\.exe
    Filesize

    54KB

    MD5

    372bbbd0c71b8c26c57fa9b95e0cc77d

    SHA1

    6c88c48264407b845bef8b669a610de1ceb04536

    SHA256

    8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b

    SHA512

    9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632

  • memory/528-60-0x0000000000000000-mapping.dmp
  • memory/564-58-0x0000000000000000-mapping.dmp
  • memory/1208-61-0x0000000000000000-mapping.dmp
  • memory/1208-63-0x0000000000C70000-0x0000000000C84000-memory.dmp
    Filesize

    80KB

  • memory/1512-55-0x0000000000000000-mapping.dmp
  • memory/1752-56-0x0000000000000000-mapping.dmp
  • memory/1920-54-0x0000000000800000-0x0000000000814000-memory.dmp
    Filesize

    80KB