Analysis
-
max time kernel
144s -
max time network
167s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02-10-2022 09:00
General
-
Target
BOLETA DE CITACION POLICIA NACIONAL.exe
-
Size
2.3MB
-
MD5
fd0875a959c9b325989d132991c27610
-
SHA1
7449341ee58c6ed396ce5687450ec59ea13904d4
-
SHA256
3610699951e813e124b8b4a874b96eedd23db3028cf91624db95521608dd0787
-
SHA512
087b43709d00409673690e9956ec2c711ab482568d0032542ae167d8868d676746b661fae812b3eed2413039d01371fe91513d98156c7f916724754c0c8fe131
-
SSDEEP
24576:Z1nYQb6VOfB5NVKkeybnvJPWOwxg+95KcupHURdpNasTavbgv36mDWp6QW8MAizq:mR01UTTsg36mD8Liz+RRX
Score
10/10
Malware Config
Extracted
Family
asyncrat
Version
0.5.7B
Botnet
Default
C2
ewtwet.duckdns.org:8091
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
delay
3
-
install
false
-
install_folder
%AppData%
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BOLETA DE CITACION POLICIA NACIONAL.exe"C:\Users\Admin\AppData\Local\Temp\BOLETA DE CITACION POLICIA NACIONAL.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1232-54-0x00000000002C0000-0x0000000000514000-memory.dmpFilesize
2.3MB
-
memory/1232-55-0x00000000044F0000-0x0000000004596000-memory.dmpFilesize
664KB
-
memory/1232-56-0x0000000076041000-0x0000000076043000-memory.dmpFilesize
8KB
-
memory/1232-57-0x0000000000940000-0x00000000009D2000-memory.dmpFilesize
584KB
-
memory/1380-58-0x0000000000000000-mapping.dmp
-
memory/1380-60-0x000000006F570000-0x000000006FB1B000-memory.dmpFilesize
5.7MB
-
memory/1380-61-0x000000006F570000-0x000000006FB1B000-memory.dmpFilesize
5.7MB
-
memory/1784-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1784-63-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1784-65-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1784-66-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1784-67-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1784-68-0x000000000040C73E-mapping.dmp
-
memory/1784-70-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1784-72-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB