Analysis
  Max time kernel: 61s
  Max time network: 67s
  Platform: windows10-2004_x64
  Resource: win10v2004-20220812-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 10/10/2022, 07:55
  Static task: static1
General
  Target: 146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84.js
  Size: 93KB
  MD5: bf0318f06d90661b7e6a8a4465cef37c
  SHA1: 848359829b1969522d00a72119d3a2d59ac891f2
  SHA256: 146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84
  SHA512: 0fc0243d146c2afcdfbc94d439d12a2b18ef9f1d348ef0dee03d6b46fa4435178ae726b35fa6811f37a4453edafd85fc2374c33d723120862be109816f65ab0d
  SSDEEP: 1536:JUkTxiUoAcTzClzG6JhZgLQZNSZ+ufVkx1JknLYZZh/Myw3IY/p+/:GAcCpdeQZNW2kkJ/Ank/
Malware Config
  Extracted
  Family: asyncrat
  Version: 0.5.7B
  Botnet: Default
  C2: fresh02.ddns.net:2245
  Mutex: AsyncMutex_6SI8OkPnk
  delay: 3
  install: true
  install_file: logs.exe
  install_folder: %AppData%
Signatures

Async RAT payload (5 IoCs)
  resource                                                                     yara_rule
  behavioral1/files/0x0009000000022e12-135.dat                                 asyncrat
  behavioral1/files/0x0009000000022e12-136.dat                                 asyncrat
  behavioral1/memory/4084-137-0x0000000000E90000-0x0000000000EA2000-memory.dmp  asyncrat
  behavioral1/files/0x000b000000022e0b-145.dat                                 asyncrat
  behavioral1/files/0x000b000000022e0b-146.dat                                 asyncrat

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  5     2232  wscript.exe
  24    2232  wscript.exe
  64    2232  wscript.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  4084  AsyncClient02.exe
  1856  logs.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  wscript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  AsyncClient02.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                          Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js  wscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  4936  1476        WerFault.exe  84

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1300  schtasks.exe

Delays execution with timeout.exe (1 IoCs)
  pid   Process
  5040  timeout.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid   Process
  4084  AsyncClient02.exe  (23 identical events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4084  AsyncClient02.exe
  Token: SeDebugPrivilege  1856  logs.exe

Suspicious use of WriteProcessMemory (20 IoCs; identical rows collapsed, count in parentheses)
  description                       pid   Process            procid_target
  PID 4512 wrote to memory of 2232  4512  wscript.exe        82  (x2)
  PID 4512 wrote to memory of 4084  4512  wscript.exe        83  (x3)
  PID 4084 wrote to memory of 5016  4084  AsyncClient02.exe  85  (x3)
  PID 4084 wrote to memory of 1472  4084  AsyncClient02.exe  87  (x3)
  PID 5016 wrote to memory of 1300  5016  cmd.exe            89  (x3)
  PID 1472 wrote to memory of 5040  1472  cmd.exe            90  (x3)
  PID 1472 wrote to memory of 1856  1472  cmd.exe            91  (x3)
Processes (indentation shows the parent/child tree; the level number is the depth)

Level 1: C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84.js
  PID: 4512
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js"
    PID: 2232
    Signatures: Blocklisted process makes network request; Drops startup file

  Level 2: C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe"
    PID: 4084
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
      PID: 5016
      Signatures: Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
        PID: 1300
        Signatures: Creates scheduled task(s)

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8050.tmp.bat""
      PID: 1472
      Signatures: Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        PID: 5040
        Signatures: Delays execution with timeout.exe

      Level 4: C:\Users\Admin\AppData\Roaming\logs.exe
        Command line: "C:\Users\Admin\AppData\Roaming\logs.exe"
        PID: 1856
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 460 -p 1476 -ip 1476
  PID: 4148

Level 1: C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 1476 -s 848
  PID: 4936
  Signatures: Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads