Analysis

  • max time kernel
    139s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2022 04:36

General

  • Target

    SecuriteInfo.com.Win32.DropperX-gen.6349.exe

  • Size

    7KB

  • MD5

    d1860473f9a55ae6d09604dc559888a1

  • SHA1

    1da7d140c29e91e73ab7bdbb1e5373933d867ff3

  • SHA256

    60b9dfe94376364fa7c7d47ca49cfcdae1b54cfad864098c6cf260f5bf870992

  • SHA512

    6af5a6b85b045195e82e5c9d791d6b152fed93cdaf975c1dbc44af03298cd987ff61e630706419daa453e985c5b027d760f31e8240521cb3a6e6468120caceb5

  • SSDEEP

    96:nUO+K83HPiLF5UyfzDuyGh0/aCdf0zNt:CqLF5Jfuy0qF+

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

fresh02.ddns.net:2245

Attributes
delay
3
install
true
install_file
logs.exe
install_folder
%AppData%
aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload ⋅ 1 IoCs
  • Executes dropped EXE ⋅ 1 IoCs
  • Checks computer location settings ⋅ 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application ⋅ 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) ⋅ 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 27 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 5 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.6349.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.6349.exe"
    Checks computer location settings
    Adds Run key to start application
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2956
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.6349.exe
      C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.6349.exe
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
        Suspicious use of WriteProcessMemory
        PID:3112
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
          Creates scheduled task(s)
          PID:3292
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2025.tmp.bat""
        Suspicious use of WriteProcessMemory
        PID:2272
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          Delays execution with timeout.exe
          PID:4564
        • C:\Users\Admin\AppData\Roaming\logs.exe
          "C:\Users\Admin\AppData\Roaming\logs.exe"
          Executes dropped EXE
          Checks computer location settings
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of WriteProcessMemory
          PID:1832
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            PID:1696

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.DropperX-gen.6349.exe.log
                      MD5

                      e87e48b105757e1c7563d1c719059733

                      SHA1

                      28a3f2b2e0672da2b531f4757d2b20b53032dafc

                      SHA256

                      0aaf22dc84cc3fcfe53de7ccfed8e662247dfb7f1a9967032c88790d0c663461

                      SHA512

                      bf19c5743143aee914a453c41189c722c9b90a5b8bf299cecf3e1f97656d32cd209ecb74da8aebc89bb41c27d189f73aaaabbc64fe383410c95dc76ad4218968

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                      MD5

                      6195a91754effb4df74dbc72cdf4f7a6

                      SHA1

                      aba262f5726c6d77659fe0d3195e36a85046b427

                      SHA256

                      3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

                      SHA512

                      ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                      MD5

                      06ad34f9739c5159b4d92d702545bd49

                      SHA1

                      9152a0d4f153f3f40f7e606be75f81b582ee0c17

                      SHA256

                      474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

                      SHA512

                      c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      MD5

                      96266358c82c7250ee72b65b1221ac9f

                      SHA1

                      909afd31ac49d615a0701e3cd5fdefba5e8374d9

                      SHA256

                      aa1d66497228fd5c253cf02255c71d222ee7606b78aefeb65ff625c4976ba666

                      SHA512

                      7f1974a97e84695dd55f2960e3dfce0a4e7cb533b5341e52ef7933bffdf5c98237007eaa2c63d207402752dcbaaa0f2f407b98a5b2856ff064eb1eb8b3dc915d

                    • C:\Users\Admin\AppData\Local\Temp\tmp2025.tmp.bat
                      MD5

                      20927a2cc7b7323eba1fcedcf7ce1e59

                      SHA1

                      045e3801b59771b9db9d93cf2edc2437ef6b35e2

                      SHA256

                      c4e5628e55b1ad17150f542956443b0feae07522be7b94db2ca92c9eeaa1df47

                      SHA512

                      90f856fd53a4532924cb7f2d6bfdf36275aef7cfe2fc72a45336af6cf5177f583640b06e54bb3ce94ecab5ad44559ee926f76f4e94e1631f018044146fd95c2f

                    • C:\Users\Admin\AppData\Roaming\logs.exe
                      MD5

                      d1860473f9a55ae6d09604dc559888a1

                      SHA1

                      1da7d140c29e91e73ab7bdbb1e5373933d867ff3

                      SHA256

                      60b9dfe94376364fa7c7d47ca49cfcdae1b54cfad864098c6cf260f5bf870992

                      SHA512

                      6af5a6b85b045195e82e5c9d791d6b152fed93cdaf975c1dbc44af03298cd987ff61e630706419daa453e985c5b027d760f31e8240521cb3a6e6468120caceb5

                    • C:\Users\Admin\AppData\Roaming\logs.exe
                      MD5

                      d1860473f9a55ae6d09604dc559888a1

                      SHA1

                      1da7d140c29e91e73ab7bdbb1e5373933d867ff3

                      SHA256

                      60b9dfe94376364fa7c7d47ca49cfcdae1b54cfad864098c6cf260f5bf870992

                      SHA512

                      6af5a6b85b045195e82e5c9d791d6b152fed93cdaf975c1dbc44af03298cd987ff61e630706419daa453e985c5b027d760f31e8240521cb3a6e6468120caceb5

                    • memory/1276-142-0x0000000000000000-mapping.dmp
                    • memory/1276-143-0x0000000000400000-0x0000000000412000-memory.dmp
                    • memory/1276-145-0x0000000005260000-0x00000000052FC000-memory.dmp
                    • memory/1696-154-0x0000000000000000-mapping.dmp
                    • memory/1832-151-0x0000000000000000-mapping.dmp
                    • memory/2272-147-0x0000000000000000-mapping.dmp
                    • memory/2696-132-0x0000000000F10000-0x0000000000F18000-memory.dmp
                    • memory/2696-133-0x0000000006620000-0x0000000006642000-memory.dmp
                    • memory/2956-138-0x0000000006310000-0x0000000006376000-memory.dmp
                    • memory/2956-141-0x0000000006E10000-0x0000000006E2A000-memory.dmp
                    • memory/2956-140-0x0000000008160000-0x00000000087DA000-memory.dmp
                    • memory/2956-139-0x0000000006910000-0x000000000692E000-memory.dmp
                    • memory/2956-137-0x0000000006230000-0x0000000006296000-memory.dmp
                    • memory/2956-136-0x0000000005B60000-0x0000000006188000-memory.dmp
                    • memory/2956-135-0x0000000005350000-0x0000000005386000-memory.dmp
                    • memory/2956-134-0x0000000000000000-mapping.dmp
                    • memory/3112-146-0x0000000000000000-mapping.dmp
                    • memory/3292-149-0x0000000000000000-mapping.dmp
                    • memory/4564-150-0x0000000000000000-mapping.dmp