Analysis

  • max time kernel
    146s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2022 03:48

General

  • Target

    4029013#.exe

  • Size

    300MB

  • MD5

    41308dae88480a4eaf61b36767990bbe

  • SHA1

    a347f3eb607df4c47b9473818866bcad6aef4e96

  • SHA256

    190324c758fe4e21f2254d10bc9871b5e8a2e0f063a0b49f1680b3ee9f8da519

  • SHA512

    ee0812562d7f0f16ea75ccc236ac85c986c47ed52fc75ffb8d1a21d9c62cb90855963d2678dfc01345e97f5435d320d0ba982d82f1d7395d066b843e49479c42

  • SSDEEP

    3072:ZuDu8y65Hc4/+683JZbqaZ75yEzHX7NXjPP8shYd0CwbI+hRx:ZuDu8y65Hc4SrbqXEz37BjzugbIg

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.4

Botnet

MAY 17

C2

paris-comrademay17.duckdns.org:25045

Attributes
delay
1
install
false
install_folder
%AppData%
aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload ⋅ 6 IoCs
  • Executes dropped EXE ⋅ 1 IoCs
  • Uses the VBS compiler for execution ⋅ 1 TTPs
  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) ⋅ 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4029013#.exe
    "C:\Users\Admin\AppData\Local\Temp\4029013#.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f
      Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f
        Creates scheduled task(s)
        PID:1312
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\4029013#.exe" "C:\Users\Admin\AppData\Roaming\pmfr.exe"
      PID:1492
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Suspicious use of AdjustPrivilegeToken
      PID:1288
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {705D7806-5FF1-488C-BE95-3D61DB401813} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
    Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Users\Admin\AppData\Roaming\pmfr.exe
      C:\Users\Admin\AppData\Roaming\pmfr.exe
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f
        Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f
          Creates scheduled task(s)
          PID:1700

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\Users\Admin\AppData\Roaming\pmfr.exe
                      MD5

                      0953e6106e5e369e6e96ac0d4bd67365

                      SHA1

                      a5531f314db75cb7f9a8f80dd9a642aca57a235e

                      SHA256

                      f9b54a6d4f278e9c72e4bca51f96e750eb22c40d76c838d2eb64e971a6035c9d

                      SHA512

                      988d92eb38c304b72fe543648d8215258ff2716886218eb24064008136f37bbea49a888bec6c5ef4b013cb24fa5273adef382095f629da4533a8fff1cf0bfec4

                    • C:\Users\Admin\AppData\Roaming\pmfr.exe
                      MD5

                      e0eafcf5d734e000c22201726cb6c3be

                      SHA1

                      b58208464dbc02507b9a9a540678f10a8a031a49

                      SHA256

                      23462ed4b3d4648b918ce2cdae47934a9882d2320fe914f110b93d253a622dae

                      SHA512

                      3b452f64ba3bdd32e87146e51acc9e448dc47549448f32160c4419c96e5a1868b4b8fe220dc5aec6bd9e9b3665fbd053c78931751a3bb824302d1ed2de38a81d

                    • memory/1116-74-0x0000000000B90000-0x0000000000BC2000-memory.dmp
                    • memory/1116-72-0x0000000000000000-mapping.dmp
                    • memory/1288-67-0x0000000000400000-0x0000000000416000-memory.dmp
                    • memory/1288-69-0x0000000000400000-0x0000000000416000-memory.dmp
                    • memory/1288-60-0x0000000000400000-0x0000000000416000-memory.dmp
                    • memory/1288-63-0x0000000000400000-0x0000000000416000-memory.dmp
                    • memory/1288-62-0x0000000000400000-0x0000000000416000-memory.dmp
                    • memory/1288-64-0x0000000000400000-0x0000000000416000-memory.dmp
                    • memory/1288-65-0x00000000004109BE-mapping.dmp
                    • memory/1288-59-0x0000000000400000-0x0000000000416000-memory.dmp
                    • memory/1312-58-0x0000000000000000-mapping.dmp
                    • memory/1488-56-0x0000000000000000-mapping.dmp
                    • memory/1492-57-0x0000000000000000-mapping.dmp
                    • memory/1512-76-0x0000000000000000-mapping.dmp
                    • memory/1700-77-0x0000000000000000-mapping.dmp
                    • memory/2000-54-0x0000000000E30000-0x0000000000E62000-memory.dmp
                    • memory/2000-55-0x0000000074F01000-0x0000000074F03000-memory.dmp