Analysis
  max time kernel: 61s
  max time network: 67s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10-10-2022 07:55
  Static task: static1
General
  Target: 146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84.js
  Size: 93KB
  MD5: bf0318f06d90661b7e6a8a4465cef37c
  SHA1: 848359829b1969522d00a72119d3a2d59ac891f2
  SHA256: 146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84
  SHA512: 0fc0243d146c2afcdfbc94d439d12a2b18ef9f1d348ef0dee03d6b46fa4435178ae726b35fa6811f37a4453edafd85fc2374c33d723120862be109816f65ab0d
  SSDEEP: 1536:JUkTxiUoAcTzClzG6JhZgLQZNSZ+ufVkx1JknLYZZh/Myw3IY/p+/:GAcCpdeQZNW2kkJ/Ank/
Malware Config
  Extracted
    Family: asyncrat
    Version: 0.5.7B
    Botnet: Default
    C2: fresh02.ddns.net:2245
    Mutex: AsyncMutex_6SI8OkPnk
    delay: 3
    install: true
    install_file: logs.exe
    install_folder: %AppData%
Signatures
- Async RAT payload (5 IoCs)
  resource / yara_rule:
    C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe  asyncrat
    C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe  asyncrat
    behavioral1/memory/4084-137-0x0000000000E90000-0x0000000000EA2000-memory.dmp  asyncrat
    C:\Users\Admin\AppData\Roaming\logs.exe  asyncrat
    C:\Users\Admin\AppData\Roaming\logs.exe  asyncrat
- Blocklisted process makes network request (3 IoCs)
  flow / pid / process:
    5   2232  wscript.exe
    24  2232  wscript.exe
    64  2232  wscript.exe
- Executes dropped EXE (2 IoCs)
  pid / process:
    4084  AsyncClient02.exe
    1856  logs.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / process:
    Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  wscript.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  AsyncClient02.exe
- Drops startup file (2 IoCs)
  description / ioc / process:
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js  wscript.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js  wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid / pid_target / process / target process:
    4936  1476  WerFault.exe  (target process not recorded)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  pid / process:
    5040  timeout.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid / process:
    4084  AsyncClient02.exe  (23 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process:
    Token: SeDebugPrivilege  4084  AsyncClient02.exe
    Token: SeDebugPrivilege  1856  logs.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description / pid / process / target process (count of events):
    PID 4512 wrote to memory of 2232  wscript.exe        wscript.exe        (2)
    PID 4512 wrote to memory of 4084  wscript.exe        AsyncClient02.exe  (3)
    PID 4084 wrote to memory of 5016  AsyncClient02.exe  cmd.exe            (3)
    PID 4084 wrote to memory of 1472  AsyncClient02.exe  cmd.exe            (3)
    PID 5016 wrote to memory of 1300  cmd.exe            schtasks.exe       (3)
    PID 1472 wrote to memory of 5040  cmd.exe            timeout.exe        (3)
    PID 1472 wrote to memory of 1856  cmd.exe            logs.exe           (3)
Processes
[1] C:\Windows\system32\wscript.exe
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84.js
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\wscript.exe
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js"
        - Blocklisted process makes network request
        - Drops startup file
    [2] C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
                - Creates scheduled task(s)
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8050.tmp.bat""
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\timeout.exe
                Command line: timeout 3
                - Delays execution with timeout.exe
            [4] C:\Users\Admin\AppData\Roaming\logs.exe
                Command line: "C:\Users\Admin\AppData\Roaming\logs.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -pss -s 460 -p 1476 -ip 1476
[1] C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1476 -s 848
    - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
  Filesize: 45KB
  MD5: 9e320f6163f8d53462d45fbebc282c64
  SHA1: b2e0a591204581e78f0ae85ff42a7ca02542e2ae
  SHA256: 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
  SHA512: 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65
- C:\Users\Admin\AppData\Local\Temp\tmp8050.tmp.bat
  Filesize: 148B
  MD5: 20f2b587ce94a65dd8e85fb394768c52
  SHA1: fe6fbfc21360e11a78a54775c7cbe38da34eff99
  SHA256: d199a8941dc08dc911cfebeec31d37b6dcb2292b2c1869a466ec7109a428d891
  SHA512: 48b84c1e71b76a03196814c5ec5e13acb5fcd3478389849016a430c6bfafa475218f677cd227adc9ca685364b51a181912934e5aaa4bc017eecf0792c2c07963
- C:\Users\Admin\AppData\Roaming\logs.exe
  Filesize: 45KB
  MD5: 9e320f6163f8d53462d45fbebc282c64
  SHA1: b2e0a591204581e78f0ae85ff42a7ca02542e2ae
  SHA256: 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
  SHA512: 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65
- C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js
  Filesize: 5KB
  MD5: 91e16cc28847b49a31fa84f5bb95d3e0
  SHA1: 31cbfcc259966c020e0a6af48fe7ab3f1ed8746b
  SHA256: 068f05236ec0499de55e3875a94989f1cc3ce5091834a09752dc61a3fb447a19
  SHA512: f02c263c1f1f6374b1ae9bb5767b8cf8f7c454e2912fb58ced14b9ce8bea5c8a4ec3e1eb48bdc9aae29b572fb723b9b377b458ea5c12b101c175e475cf93b41b
- memory/4084-137-0x0000000000E90000-0x0000000000EA2000-memory.dmp
  Filesize: 72KB
- memory/4084-138-0x0000000005B60000-0x0000000005BFC000-memory.dmp
  Filesize: 624KB