Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64 ⋅ arch:x86 ⋅ image:win7-20220901-en ⋅ locale:en-us ⋅ os:windows7-x64 ⋅ system
  • submitted
    01-10-2022 07:34

General

  • Target

    FedEx_Label_202218201.exe

  • Size

    28KB

  • MD5

    9fa348df801f0d2cebb02378b3546f6e

  • SHA1

    03a5c5344ad4c92366cb086ad78bb7f4fe4f7a17

  • SHA256

    d71cdeb52c0e74f3b4c96e4b5dbe70af00814283985036d62b43de0950d77b22

  • SHA512

    b48e919554920a4f441401b8f453a09eebf10fced670e1e35d01433a2edb990815894250cab3773104ca05064183be3779d4f6acac3040f5955a05a760476ae7

  • SSDEEP

    384:1iAAKDVj/yf2BGuegE3YCoLY40E6vDOT5kYgH5Oj8A5PPPPPPPPPPPPPPPQPPPPV:0AAGo2eg+YCc/6m5k75RPhNf2

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Adds Run key to start application ⋅ 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned text calls this likely ransomware behaviour, but drive enumeration on its own is not conclusive: RATs do it to fingerprint the host, and so do plenty of benign installers. Weigh it against the AsyncRAT detection above rather than on its own.

  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FedEx_Label_202218201.exe
    "C:\Users\Admin\AppData\Local\Temp\FedEx_Label_202218201.exe"
    Adds Run key to start application
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
      Decoded -enc payload (base64 over UTF-16LE): Start-Sleep -Seconds 50
      A bare 50-second stall before anything else happens, a cheap sandbox-timeout evasion; this run had 145 s of kernel time, so it outwaited the delay. The command line names System32 but the executed image is the SysWOW64 copy: the 32-bit parent is subject to WoW64 file-system redirection, so both PowerShell children are 32-bit.
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1320
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
      Decoded -enc payload: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\'
      Adds the whole C: volume to the Microsoft Defender exclusion list, which in effect switches off scanning for everything on the system drive. Set-MpPreference needs an elevated token, so this only lands when the dropper runs elevated; the sandbox user is named Admin, but the report does not show whether the process was elevated.
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1060
    • C:\Users\Admin\AppData\Local\Temp\FedEx_Label_202218201.exe
      C:\Users\Admin\AppData\Local\Temp\FedEx_Label_202218201.exe
      Second copy of the dropper, spawned by PID 1456 from the same path. Read together with the parent's SetThreadContext and 17 WriteProcessMemory IoCs, this is the pattern of a process that starts a suspended copy of itself and writes the real payload into it (process hollowing); the memory dumps for PID 1964 in the Downloads list are where to look for the unpacked AsyncRAT.
      PID:1964
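Decoding and triaging the two -enc command lines above, as an added Python example (not part of the sandbox report and not the sample's own code): -EncodedCommand is base64 over the UTF-16LE bytes of the script, which is why a plain base64 decode shows NUL-interleaved text. The sample command lines are copied from the process tree; the rule set and flag names are this example's own and go slightly beyond the page (Defender disable switches and download cradles) so the same function is useful on other command lines.

```python
import base64
import re

# Command lines copied from the process tree above; constructed input for this example,
# not live telemetry from the sandbox.
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==',
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==',
]

# powershell.exe accepts -EncodedCommand and its unambiguous prefixes; the short forms
# below are the ones that turn up in command lines (the report above uses -enc).
_ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Triage rules over the decoded script: (flag, pattern). Flag names are this example's own.
RULES = [
    ("sleep-delay", re.compile(r"(?i)\bStart-Sleep\b")),
    ("defender-exclusion", re.compile(r"(?i)\bSet-MpPreference\b[^;]*-Exclusion(?:Path|Process|Extension)")),
    # Excluding a bare drive root (e.g. 'C:\') switches scanning off for the whole volume.
    ("defender-exclusion-root", re.compile(r"""(?i)-ExclusionPath\s+["']?[A-Za-z]:\\?["']?(?:\s|;|$)""")),
    ("defender-disable", re.compile(r"(?i)\bSet-MpPreference\b[^;]*-Disable\w+")),
    ("download-cradle", re.compile(r"(?i)\b(?:Invoke-Expression|iex|Invoke-WebRequest|iwr|DownloadString|DownloadFile)\b")),
]


def extract_encoded(cmdline):
    """Return the base64 blob that follows the encoded-command switch, or None."""
    m = _ENC_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(blob):
    """Base64-decode the blob and interpret the bytes as UTF-16LE.
    Returns None on malformed base64 or an odd-length / invalid UTF-16 payload."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Decode the -enc payload of one command line and list the rules it trips,
    in RULES order. Command lines without an encoded payload yield no flags."""
    blob = extract_encoded(cmdline)
    decoded = decode_encoded_command(blob) if blob else None
    flags = [name for name, rx in RULES if decoded and rx.search(decoded)]
    return {"decoded": decoded, "flags": flags}


if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        result = triage(cmdline)
        print(result["decoded"])
        print("  flags:", ", ".join(result["flags"]) or "none")
```

On the two command lines above this yields "Start-Sleep -Seconds 50" (sleep-delay only) and "Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\'" (sleep-delay, defender-exclusion, defender-exclusion-root). The root-exclusion rule is deliberately separate from the generic one because a whole-drive exclusion is a far stronger signal than a single folder.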

Network

MITRE ATT&CK Matrix

  Collection ⋅ Command and Control ⋅ Credential Access ⋅ Defense Evasion ⋅ Execution ⋅ Exfiltration ⋅ Impact ⋅ Initial Access ⋅ Lateral Movement ⋅ Privilege Escalation (tactic headers only; no technique entries are listed)


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5 02aa78ff2c96bbb7a62296c60d930520
    SHA1 4bcff4555caba288db86d304c61371ecaa21ead8
    SHA256 e325250e9d7be443beb180340f30e452af82353ad0e210b19080975e9cd7c4d8
    SHA512 50b389a3834655ec4648d38d51164aa36259118e82a3744d189855c2874f873cb3a49eb92a2764dc4cb07365ae0bd8fecae4b52cdc96cdfce90b5122de271ef5
    A .customDestinations-ms file is a Windows jump list under the user's Recent folder, written by the shell as applications are launched. It is host activity recorded during the run (the PowerShell launches are the likely trigger), not a file dropped by the sample, so its hashes are not malware IoCs.

  Memory dumps (memory/<pid>-<seq>-<start>-<end>-memory.dmp is a dumped region; memory/<pid>-<seq>-<address>-mapping.dmp carries a single address, 0x0 where none was recorded):

  • memory/1060-63-0x0000000000000000-mapping.dmp
  • memory/1060-67-0x000000006EC40000-0x000000006F1EB000-memory.dmp
  • memory/1060-66-0x000000006EC40000-0x000000006F1EB000-memory.dmp
  • memory/1320-60-0x000000006EC70000-0x000000006F21B000-memory.dmp
  • memory/1320-58-0x0000000000000000-mapping.dmp
  • memory/1320-61-0x000000006EC70000-0x000000006F21B000-memory.dmp
  • memory/1320-62-0x000000006EC70000-0x000000006F21B000-memory.dmp
  • memory/1456-55-0x0000000075B51000-0x0000000075B53000-memory.dmp
  • memory/1456-57-0x0000000005B50000-0x0000000005BE2000-memory.dmp
  • memory/1456-56-0x0000000005610000-0x00000000056C4000-memory.dmp
  • memory/1456-54-0x0000000000FF0000-0x0000000000FFC000-memory.dmp
  • memory/1964-68-0x0000000000400000-0x000000000042E000-memory.dmp
  • memory/1964-69-0x0000000000400000-0x000000000042E000-memory.dmp
  • memory/1964-71-0x0000000000400000-0x000000000042E000-memory.dmp
  • memory/1964-72-0x0000000000400000-0x000000000042E000-memory.dmp
  • memory/1964-73-0x0000000000400000-0x000000000042E000-memory.dmp
  • memory/1964-74-0x00000000004290CE-mapping.dmp
  • memory/1964-76-0x0000000000400000-0x000000000042E000-memory.dmp
  • memory/1964-78-0x0000000000400000-0x000000000042E000-memory.dmp
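Reading the memory-dump file names above mechanically, as an added Python example (not a sandbox feature and not code from the page): parse the pid-seq-start-end naming and report, per PID, whether the address in the mapping.dmp entry falls inside a region that was dumped and how many times that region was dumped. The interpretation is this example's assumption, not something the report states: that the mapping.dmp address is where the sandbox saw execution mapped for that process. The dump names are copied from the list above as constructed input.

```python
import re
from collections import defaultdict

# Dump file names copied from the report's Downloads list (constructed input, not a live sandbox).
SAMPLE_DUMPS = """\
memory/1060-63-0x0000000000000000-mapping.dmp
memory/1060-67-0x000000006EC40000-0x000000006F1EB000-memory.dmp
memory/1060-66-0x000000006EC40000-0x000000006F1EB000-memory.dmp
memory/1320-60-0x000000006EC70000-0x000000006F21B000-memory.dmp
memory/1320-58-0x0000000000000000-mapping.dmp
memory/1320-61-0x000000006EC70000-0x000000006F21B000-memory.dmp
memory/1320-62-0x000000006EC70000-0x000000006F21B000-memory.dmp
memory/1456-55-0x0000000075B51000-0x0000000075B53000-memory.dmp
memory/1456-57-0x0000000005B50000-0x0000000005BE2000-memory.dmp
memory/1456-56-0x0000000005610000-0x00000000056C4000-memory.dmp
memory/1456-54-0x0000000000FF0000-0x0000000000FFC000-memory.dmp
memory/1964-68-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1964-69-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1964-71-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1964-72-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1964-73-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1964-74-0x00000000004290CE-mapping.dmp
memory/1964-76-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1964-78-0x0000000000400000-0x000000000042E000-memory.dmp
"""

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp : one dumped region
# memory/<pid>-<seq>-0x<address>-mapping.dmp      : one recorded address
_REGION = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
_MAPPING = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_dumps(text):
    """Return (regions, mappings): regions[pid] is the list of (start, end) pairs, one per
    dump, in listing order; mappings[pid] is the mapping.dmp address (0 when none recorded)."""
    regions = defaultdict(list)
    mappings = {}
    for line in text.splitlines():
        line = line.strip()
        m = _REGION.match(line)
        if m:
            regions[int(m.group(1))].append((int(m.group(2), 16), int(m.group(3), 16)))
            continue
        m = _MAPPING.match(line)
        if m:
            mappings[int(m.group(1))] = int(m.group(2), 16)
    return regions, mappings


def assess(text):
    """Per PID: the mapping address (None if no mapping.dmp), whether it lies inside one of
    that PID's dumped regions, which region, and how many times that region was dumped.
    A non-zero mapping inside a repeatedly re-dumped region is the thing to look at."""
    regions, mappings = parse_dumps(text)
    report = {}
    for pid in sorted(set(regions) | set(mappings)):
        mapping = mappings.get(pid)
        hit = None
        if mapping:
            for start, end in regions[pid]:
                if start <= mapping < end:
                    hit = (start, end)
                    break
        report[pid] = {
            "mapping": mapping,
            "mapping_in_dumped_region": hit is not None,
            "region": hit,
            "dump_count": regions[pid].count(hit) if hit else 0,
        }
    return report


if __name__ == "__main__":
    for pid, info in assess(SAMPLE_DUMPS).items():
        mapping = "none" if info["mapping"] is None else hex(info["mapping"])
        region = "-" if info["region"] is None else "0x%X-0x%X" % info["region"]
        print(f"pid {pid}: mapping {mapping}, in dumped region: {info['mapping_in_dumped_region']}, "
              f"region {region}, dumped {info['dump_count']}x")
```

For PID 1964 the recorded address 0x4290CE sits inside 0x400000-0x42E000, a 184 KB range at the classic fixed image base that the sandbox dumped seven times; the two PowerShell PIDs record 0x0 and only high, module-like ranges, and the parent (PID 1456) has no mapping entry at all. Read together with the parent's SetThreadContext and WriteProcessMemory signatures, that is the fingerprint of a hollowed child, and the 1964 dumps are the ones to carve the unpacked payload from.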