Analysis
- max time kernel: 130s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 10-10-2022 07:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: Confirmation transfer MT103 copy Ref010102562.js
- Resource: win7-20220812-en
General
- Target: Confirmation transfer MT103 copy Ref010102562.js
- Size: 93KB
- MD5: bf0318f06d90661b7e6a8a4465cef37c
- SHA1: 848359829b1969522d00a72119d3a2d59ac891f2
- SHA256: 146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84
- SHA512: 0fc0243d146c2afcdfbc94d439d12a2b18ef9f1d348ef0dee03d6b46fa4435178ae726b35fa6811f37a4453edafd85fc2374c33d723120862be109816f65ab0d
- SSDEEP: 1536:JUkTxiUoAcTzClzG6JhZgLQZNSZ+ufVkx1JknLYZZh/Myw3IY/p+/:GAcCpdeQZNW2kkJ/Ank/
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: fresh02.ddns.net:2245
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: logs.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (7 IoCs)
  Processes:
  resource                                                                            yara_rule
  C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe                                 asyncrat
  C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe                                 asyncrat
  behavioral1/memory/2028-61-0x0000000000D00000-0x0000000000D12000-memory.dmp         asyncrat
  C:\Users\Admin\AppData\Roaming\logs.exe                                             asyncrat
  \Users\Admin\AppData\Roaming\logs.exe                                               asyncrat
  C:\Users\Admin\AppData\Roaming\logs.exe                                             asyncrat
  behavioral1/memory/1768-72-0x0000000000A10000-0x0000000000A22000-memory.dmp         asyncrat
- Blocklisted process makes network request (5 IoCs)
  Processes: wscript.exe
  flow   pid    process
  4      1200   wscript.exe
  7      1200   wscript.exe
  12     1200   wscript.exe
  15     1200   wscript.exe
  18     1200   wscript.exe
- Executes dropped EXE (2 IoCs)
  Processes: AsyncClient02.exe, logs.exe
  pid    process
  2028   AsyncClient02.exe
  1768   logs.exe
- Drops startup file (2 IoCs)
  Processes: wscript.exe
  description                    ioc                                                                                              process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js       wscript.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js       wscript.exe
- Loads dropped DLL (1 IoCs)
  Processes: cmd.exe
  pid    process
  1180   cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe
  pid    process
  1444   timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: AsyncClient02.exe
  pid    process
  2028   AsyncClient02.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: AsyncClient02.exe, logs.exe
  description               pid    process
  Token: SeDebugPrivilege   2028   AsyncClient02.exe
  Token: SeDebugPrivilege   1768   logs.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: wscript.exe, AsyncClient02.exe, cmd.exe, cmd.exe
  description                          pid    process             target process
  PID 780 wrote to memory of 1200      780    wscript.exe         wscript.exe
  PID 780 wrote to memory of 1200      780    wscript.exe         wscript.exe
  PID 780 wrote to memory of 1200      780    wscript.exe         wscript.exe
  PID 780 wrote to memory of 2028      780    wscript.exe         AsyncClient02.exe
  PID 780 wrote to memory of 2028      780    wscript.exe         AsyncClient02.exe
  PID 780 wrote to memory of 2028      780    wscript.exe         AsyncClient02.exe
  PID 780 wrote to memory of 2028      780    wscript.exe         AsyncClient02.exe
  PID 2028 wrote to memory of 656      2028   AsyncClient02.exe   cmd.exe
  PID 2028 wrote to memory of 656      2028   AsyncClient02.exe   cmd.exe
  PID 2028 wrote to memory of 656      2028   AsyncClient02.exe   cmd.exe
  PID 2028 wrote to memory of 656      2028   AsyncClient02.exe   cmd.exe
  PID 2028 wrote to memory of 1180     2028   AsyncClient02.exe   cmd.exe
  PID 2028 wrote to memory of 1180     2028   AsyncClient02.exe   cmd.exe
  PID 2028 wrote to memory of 1180     2028   AsyncClient02.exe   cmd.exe
  PID 2028 wrote to memory of 1180     2028   AsyncClient02.exe   cmd.exe
  PID 656 wrote to memory of 1016      656    cmd.exe             schtasks.exe
  PID 656 wrote to memory of 1016      656    cmd.exe             schtasks.exe
  PID 656 wrote to memory of 1016      656    cmd.exe             schtasks.exe
  PID 656 wrote to memory of 1016      656    cmd.exe             schtasks.exe
  PID 1180 wrote to memory of 1444     1180   cmd.exe             timeout.exe
  PID 1180 wrote to memory of 1444     1180   cmd.exe             timeout.exe
  PID 1180 wrote to memory of 1444     1180   cmd.exe             timeout.exe
  PID 1180 wrote to memory of 1444     1180   cmd.exe             timeout.exe
  PID 1180 wrote to memory of 1768     1180   cmd.exe             logs.exe
  PID 1180 wrote to memory of 1768     1180   cmd.exe             logs.exe
  PID 1180 wrote to memory of 1768     1180   cmd.exe             logs.exe
  PID 1180 wrote to memory of 1768     1180   cmd.exe             logs.exe
Processes
- [1] C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer MT103 copy Ref010102562.js"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js"
    - Blocklisted process makes network request
    - Drops startup file
  - [2] C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
        - Creates scheduled task(s)
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp494.tmp.bat""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        - Delays execution with timeout.exe
      - [4] C:\Users\Admin\AppData\Roaming\logs.exe
        Command line: "C:\Users\Admin\AppData\Roaming\logs.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
  Filesize: 45KB
  MD5: 9e320f6163f8d53462d45fbebc282c64
  SHA1: b2e0a591204581e78f0ae85ff42a7ca02542e2ae
  SHA256: 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
  SHA512: 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65
- C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
  Filesize: 45KB
  MD5: 9e320f6163f8d53462d45fbebc282c64
  SHA1: b2e0a591204581e78f0ae85ff42a7ca02542e2ae
  SHA256: 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
  SHA512: 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65
- C:\Users\Admin\AppData\Local\Temp\tmp494.tmp.bat
  Filesize: 147B
  MD5: 1e57cae89aaa7b9c0c2716041b87f6b8
  SHA1: 8e9d8428af46cfcdb1f3ef30c4fcc0666cdea17a
  SHA256: 0ffec833ed67bc05ec7a298cab97fbed7b575f2e82e40b29be72dc74fa1d2b99
  SHA512: 6b5a26c7968781a4fcdaeab50a64e0dd50ca57202858b7c014aa497dd709ce59e77d390458f301542a94b715ca52a37e26446fecd214a91b43d88b2d93259b9e
- C:\Users\Admin\AppData\Roaming\logs.exe
  Filesize: 45KB
  MD5: 9e320f6163f8d53462d45fbebc282c64
  SHA1: b2e0a591204581e78f0ae85ff42a7ca02542e2ae
  SHA256: 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
  SHA512: 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65
- C:\Users\Admin\AppData\Roaming\logs.exe
  Filesize: 45KB
  MD5: 9e320f6163f8d53462d45fbebc282c64
  SHA1: b2e0a591204581e78f0ae85ff42a7ca02542e2ae
  SHA256: 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
  SHA512: 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65
- C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js
  Filesize: 5KB
  MD5: 91e16cc28847b49a31fa84f5bb95d3e0
  SHA1: 31cbfcc259966c020e0a6af48fe7ab3f1ed8746b
  SHA256: 068f05236ec0499de55e3875a94989f1cc3ce5091834a09752dc61a3fb447a19
  SHA512: f02c263c1f1f6374b1ae9bb5767b8cf8f7c454e2912fb58ced14b9ce8bea5c8a4ec3e1eb48bdc9aae29b572fb723b9b377b458ea5c12b101c175e475cf93b41b
- \Users\Admin\AppData\Roaming\logs.exe
  Filesize: 45KB
  MD5: 9e320f6163f8d53462d45fbebc282c64
  SHA1: b2e0a591204581e78f0ae85ff42a7ca02542e2ae
  SHA256: 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
  SHA512: 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65
- memory/656-63-0x0000000000000000-mapping.dmp
- memory/780-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp
  Filesize: 8KB
- memory/1016-66-0x0000000000000000-mapping.dmp
- memory/1180-64-0x0000000000000000-mapping.dmp
- memory/1200-55-0x0000000000000000-mapping.dmp
- memory/1444-67-0x0000000000000000-mapping.dmp
- memory/1768-70-0x0000000000000000-mapping.dmp
- memory/1768-72-0x0000000000A10000-0x0000000000A22000-memory.dmp
  Filesize: 72KB
- memory/2028-62-0x0000000076321000-0x0000000076323000-memory.dmp
  Filesize: 8KB
- memory/2028-61-0x0000000000D00000-0x0000000000D12000-memory.dmp
  Filesize: 72KB
- memory/2028-57-0x0000000000000000-mapping.dmp