Analysis

  • max time kernel
    51s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20220722-en
  • resource tags

    arch:x64arch:x86image:win10-20220722-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-08-2022 18:31

General

  • Target

    _.exe

  • Size

    54KB

  • MD5

    372bbbd0c71b8c26c57fa9b95e0cc77d

  • SHA1

    6c88c48264407b845bef8b669a610de1ceb04536

  • SHA256

    8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b

  • SHA512

    9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\_.exe
    "C:\Users\Admin\AppData\Local\Temp\_.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4112
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:3756
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\.exe"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:3052
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B4A.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2980
      • C:\Users\Admin\AppData\Roaming\.exe
        "C:\Users\Admin\AppData\Roaming\.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4260

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Hidden Files and Directories

2
T1158

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7B4A.tmp.bat
    Filesize

    144B

    MD5

    0d1709f285740018daecc36ea23df7ae

    SHA1

    c15ada5c7d54f2d5507254b94ff861314c5cba7d

    SHA256

    2108147de94a3b4a6fccfbfad74799cd229a1a7d57e62dc36789c49bbd7b8b57

    SHA512

    d8c7d9a2b5302372f13474ee4e3c9ba2887b6d3b8f6f1f710857cd004842ae05335bc187989d5065ad79dea25663d97c60c93c1b0eb39a4ab8177e2998a33c7c

  • C:\Users\Admin\AppData\Roaming\.exe
    Filesize

    54KB

    MD5

    372bbbd0c71b8c26c57fa9b95e0cc77d

    SHA1

    6c88c48264407b845bef8b669a610de1ceb04536

    SHA256

    8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b

    SHA512

    9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632

  • C:\Users\Admin\AppData\Roaming\.exe
    Filesize

    54KB

    MD5

    372bbbd0c71b8c26c57fa9b95e0cc77d

    SHA1

    6c88c48264407b845bef8b669a610de1ceb04536

    SHA256

    8c1312b69f361f3ce20531d236474d170240f2150132adc6a0dba98a7dfd449b

    SHA512

    9561de33be094758d3863c896bfea587214e99a15346bb94d853b6290c8a9f7dd340a45ef1637afce63f93f4bddf08e9bb0ec65cf789976ac86a3fae441e2632

  • memory/2064-131-0x0000000000000000-mapping.dmp
  • memory/2980-133-0x0000000000000000-mapping.dmp
  • memory/3052-129-0x0000000000000000-mapping.dmp
  • memory/3756-128-0x0000000000000000-mapping.dmp
  • memory/4112-127-0x0000000000AA0000-0x0000000000AB4000-memory.dmp
    Filesize

    80KB

  • memory/4260-134-0x0000000000000000-mapping.dmp