Analysis

max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/10/2022, 07:31

Static task: static1
Behavioral task: behavioral1
Sample: Confirmation transfer MT103 copy Ref010102562.js
Resource: win7-20220812-en
General

Target: Confirmation transfer MT103 copy Ref010102562.js
Size: 93KB
MD5: bf0318f06d90661b7e6a8a4465cef37c
SHA1: 848359829b1969522d00a72119d3a2d59ac891f2
SHA256: 146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84
SHA512: 0fc0243d146c2afcdfbc94d439d12a2b18ef9f1d348ef0dee03d6b46fa4435178ae726b35fa6811f37a4453edafd85fc2374c33d723120862be109816f65ab0d
SSDEEP: 1536:JUkTxiUoAcTzClzG6JhZgLQZNSZ+ufVkx1JknLYZZh/Myw3IY/p+/:GAcCpdeQZNW2kkJ/Ank/
Malware Config

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: fresh02.ddns.net:2245
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: logs.exe
install_folder: %AppData%
Signatures

Async RAT payload (5 IoCs)
yara rule asyncrat matched the following resources:
- behavioral2/files/0x000b000000022e3a-135.dat
- behavioral2/files/0x000b000000022e3a-136.dat
- behavioral2/memory/1324-137-0x0000000000FF0000-0x0000000001002000-memory.dmp
- behavioral2/files/0x0007000000022e43-145.dat
- behavioral2/files/0x0007000000022e43-146.dat

Blocklisted process makes network request (6 IoCs)
- flows 5, 18, 35, 39, 43, 46: pid 3308 wscript.exe

Executes dropped EXE (2 IoCs)
- pid 1324 AsyncClient02.exe
- pid 1276 logs.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (AsyncClient02.exe)

Drops startup file (2 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js (wscript.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 3520 schtasks.exe

Delays execution with timeout.exe (1 IoC)
- pid 3512 timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
- pid 1324 AsyncClient02.exe (23 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, pid 1324 AsyncClient02.exe
- Token: SeDebugPrivilege, pid 1276 logs.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Each entry is "PID <source> (process) wrote to memory of <target PID>, procid_target <n>", with the number of times it was recorded:
- PID 552 (wscript.exe) wrote to memory of 3308, procid_target 84 (2 times)
- PID 552 (wscript.exe) wrote to memory of 1324, procid_target 85 (3 times)
- PID 1324 (AsyncClient02.exe) wrote to memory of 340, procid_target 89 (3 times)
- PID 1324 (AsyncClient02.exe) wrote to memory of 100, procid_target 91 (3 times)
- PID 340 (cmd.exe) wrote to memory of 3520, procid_target 93 (3 times)
- PID 100 (cmd.exe) wrote to memory of 3512, procid_target 94 (3 times)
- PID 100 (cmd.exe) wrote to memory of 1276, procid_target 96 (3 times)
Processes

- C:\Windows\system32\wscript.exe
  command: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer MT103 copy Ref010102562.js"
  PID: 552
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  - C:\Windows\System32\wscript.exe
    command: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js"
    PID: 3308
    signatures: Blocklisted process makes network request; Drops startup file

  - C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
    command: "C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe"
    PID: 1324
    signatures: Executes dropped EXE; Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
      PID: 340
      signatures: Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\schtasks.exe
        command: schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
        PID: 3520
        signatures: Creates scheduled task(s)

    - C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp78FD.tmp.bat""
      PID: 100
      signatures: Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\timeout.exe
        command: timeout 3
        PID: 3512
        signatures: Delays execution with timeout.exe

      - C:\Users\Admin\AppData\Roaming\logs.exe
        command: "C:\Users\Admin\AppData\Roaming\logs.exe"
        PID: 1276
        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 45KB
MD5: 9e320f6163f8d53462d45fbebc282c64
SHA1: b2e0a591204581e78f0ae85ff42a7ca02542e2ae
SHA256: 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
SHA512: 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

Filesize: 148B
MD5: 25ab5e2dc24bbc5c10de8b12930138e3
SHA1: 9a476643ba80ba94657b9aec5dac2331e88ffced
SHA256: efc90d7df1e9d907851beebd4aea589c74f38ae47ee86975c69cb94187ee1bbb
SHA512: 2d168828a7dde0f4b1fbb5310e88102e2f62f1667f0c89435b513742e7d612a8b8731b9854e525e84f62c265673c69a3ba1d1aa94432e6513ed1936d60702574

Filesize: 5KB
MD5: 91e16cc28847b49a31fa84f5bb95d3e0
SHA1: 31cbfcc259966c020e0a6af48fe7ab3f1ed8746b
SHA256: 068f05236ec0499de55e3875a94989f1cc3ce5091834a09752dc61a3fb447a19
SHA512: f02c263c1f1f6374b1ae9bb5767b8cf8f7c454e2912fb58ced14b9ce8bea5c8a4ec3e1eb48bdc9aae29b572fb723b9b377b458ea5c12b101c175e475cf93b41b