Analysis

max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-10-2022 07:31
Static task: static1
Behavioral task: behavioral1
Sample: Confirmation transfer MT103 copy Ref010102562.js
Resource: win7-20220812-en
General

Target: Confirmation transfer MT103 copy Ref010102562.js
Size: 93KB
MD5: bf0318f06d90661b7e6a8a4465cef37c
SHA1: 848359829b1969522d00a72119d3a2d59ac891f2
SHA256: 146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84
SHA512: 0fc0243d146c2afcdfbc94d439d12a2b18ef9f1d348ef0dee03d6b46fa4435178ae726b35fa6811f37a4453edafd85fc2374c33d723120862be109816f65ab0d
SSDEEP: 1536:JUkTxiUoAcTzClzG6JhZgLQZNSZ+ufVkx1JknLYZZh/Myw3IY/p+/:GAcCpdeQZNW2kkJ/Ank/
Malware Config

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: fresh02.ddns.net:2245
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  delay: 3
  install: true
  install_file: logs.exe
  install_folder: %AppData%
Signatures

Async RAT payload (5 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe | asyncrat
  C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe | asyncrat
  behavioral2/memory/1324-137-0x0000000000FF0000-0x0000000001002000-memory.dmp | asyncrat
  C:\Users\Admin\AppData\Roaming\logs.exe | asyncrat
  C:\Users\Admin\AppData\Roaming\logs.exe | asyncrat

Blocklisted process makes network request (6 IoCs)
  flow | pid | process
  5 | 3308 | wscript.exe
  18 | 3308 | wscript.exe
  35 | 3308 | wscript.exe
  39 | 3308 | wscript.exe
  43 | 3308 | wscript.exe
  46 | 3308 | wscript.exe

Executes dropped EXE (2 IoCs)
  pid | process
  1324 | AsyncClient02.exe
  1276 | logs.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | wscript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | AsyncClient02.exe

Drops startup file (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js | wscript.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
  pid | process
  3512 | timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | process
  1324 | AsyncClient02.exe (23 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1324 | AsyncClient02.exe
  Token: SeDebugPrivilege | 1276 | logs.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | process | target process
  PID 552 wrote to memory of 3308 | 552 | wscript.exe | wscript.exe (2 entries)
  PID 552 wrote to memory of 1324 | 552 | wscript.exe | AsyncClient02.exe (3 entries)
  PID 1324 wrote to memory of 340 | 1324 | AsyncClient02.exe | cmd.exe (3 entries)
  PID 1324 wrote to memory of 100 | 1324 | AsyncClient02.exe | cmd.exe (3 entries)
  PID 340 wrote to memory of 3520 | 340 | cmd.exe | schtasks.exe (3 entries)
  PID 100 wrote to memory of 3512 | 100 | cmd.exe | timeout.exe (3 entries)
  PID 100 wrote to memory of 1276 | 100 | cmd.exe | logs.exe (3 entries)
Processes

C:\Windows\system32\wscript.exe (level 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer MT103 copy Ref010102562.js"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (level 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js"
    - Blocklisted process makes network request
    - Drops startup file

  C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (level 4)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp78FD.tmp.bat""
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe (level 4)
        Command line: timeout 3
        - Delays execution with timeout.exe

      C:\Users\Admin\AppData\Roaming\logs.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\logs.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
  Filesize: 45KB
  MD5: 9e320f6163f8d53462d45fbebc282c64
  SHA1: b2e0a591204581e78f0ae85ff42a7ca02542e2ae
  SHA256: 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
  SHA512: 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

C:\Users\Admin\AppData\Local\Temp\tmp78FD.tmp.bat
  Filesize: 148B
  MD5: 25ab5e2dc24bbc5c10de8b12930138e3
  SHA1: 9a476643ba80ba94657b9aec5dac2331e88ffced
  SHA256: efc90d7df1e9d907851beebd4aea589c74f38ae47ee86975c69cb94187ee1bbb
  SHA512: 2d168828a7dde0f4b1fbb5310e88102e2f62f1667f0c89435b513742e7d612a8b8731b9854e525e84f62c265673c69a3ba1d1aa94432e6513ed1936d60702574

C:\Users\Admin\AppData\Roaming\logs.exe
  Filesize: 45KB
  MD5: 9e320f6163f8d53462d45fbebc282c64
  SHA1: b2e0a591204581e78f0ae85ff42a7ca02542e2ae
  SHA256: 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
  SHA512: 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js
  Filesize: 5KB
  MD5: 91e16cc28847b49a31fa84f5bb95d3e0
  SHA1: 31cbfcc259966c020e0a6af48fe7ab3f1ed8746b
  SHA256: 068f05236ec0499de55e3875a94989f1cc3ce5091834a09752dc61a3fb447a19
  SHA512: f02c263c1f1f6374b1ae9bb5767b8cf8f7c454e2912fb58ced14b9ce8bea5c8a4ec3e1eb48bdc9aae29b572fb723b9b377b458ea5c12b101c175e475cf93b41b

Memory dumps

memory/100-140-0x0000000000000000-mapping.dmp
memory/340-139-0x0000000000000000-mapping.dmp
memory/1276-144-0x0000000000000000-mapping.dmp
memory/1324-134-0x0000000000000000-mapping.dmp
memory/1324-137-0x0000000000FF0000-0x0000000001002000-memory.dmp
  Filesize: 72KB
memory/1324-138-0x0000000005AE0000-0x0000000005B7C000-memory.dmp
  Filesize: 624KB
memory/3308-132-0x0000000000000000-mapping.dmp
memory/3512-143-0x0000000000000000-mapping.dmp
memory/3520-142-0x0000000000000000-mapping.dmp