Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2022 08:03

General

  • Target

    InvoicePrinting-MUM02322_22-23.js

  • Size

    244KB

  • MD5

    0afa9ad6977e7cfed21f642361e9bcef

  • SHA1

    61301fd144aac65ab7fdc847e7ef3cb5c339dcd1

  • SHA256

    7cdb69e4725d8cd97ba8e9b8d9e072e71cb3b796951dd6e4a0c92dea771a5686

  • SHA512

    c6acddf460b3eda7aed7fed654120d94899f76e382df3a96c007029e7653cbacd6e5efecc20ff25e1b5a2099f1494936c2f704a53bf278d65cb2f680f2bce438

  • SSDEEP

    6144:Gp8xbeXigeXfd1LH3dV6zMovRCBeGKWAklgF2GuuZmDuh5wTaR:42d1Lj65vfGKel029lDufwTo

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

172.93.220.135:6606

172.93.220.135:7707

172.93.220.135:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    shh.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 5 IoCs
  • Blocklisted process makes network request 13 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\InvoicePrinting-MUM02322_22-23.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Users\Admin\AppData\Local\Temp\err.exe
      "C:\Users\Admin\AppData\Local\Temp\err.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "shh" /tr '"C:\Users\Admin\AppData\Roaming\shh.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1352
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "shh" /tr '"C:\Users\Admin\AppData\Roaming\shh.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:2808
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C93.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:3816
        • C:\Users\Admin\AppData\Roaming\shh.exe
          "C:\Users\Admin\AppData\Roaming\shh.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4896

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\err.exe

    Filesize

    45KB

    MD5

    a1e6c547b3d494b82c0aec8e08cb444e

    SHA1

    7b851492a93cd9ebb9ceb88a77ee48634c0e82e7

    SHA256

    a5d6ca8aaffdc369addcf120fe79dc6711e1865d0a4c9b05215d2b82c8a4de51

    SHA512

    e09eb4d3a4e9a2d1d094324ff7ea1b53e089f52b1ca64b17a8db7e8fe9f2e2c474600cb6a2a6ca8d7bb377c54f3630fb66fa6e9ca2c1378e6e3a380f52d9ef27

  • C:\Users\Admin\AppData\Local\Temp\tmp9C93.tmp.bat

    Filesize

    147B

    MD5

    648c44a9e8a1dd288cf934d9f788f17a

    SHA1

    88c2db5f6eafbb7d305793b4e7b7a1513f2340db

    SHA256

    d63e0d5e466c4391ab7cb690a775cf7df1d9da9d7603be574f83954aeb326582

    SHA512

    78e1f51a6ca69cff158f7dade9e5ce920667cb1a360418c0f9116b3bea0ab7d83b7f46e8f0335ab4c742057f6cd5a82881340dfd600770f6f6fa64cacb7ac4b2

  • C:\Users\Admin\AppData\Roaming\shh.exe

    Filesize

    45KB

    MD5

    a1e6c547b3d494b82c0aec8e08cb444e

    SHA1

    7b851492a93cd9ebb9ceb88a77ee48634c0e82e7

    SHA256

    a5d6ca8aaffdc369addcf120fe79dc6711e1865d0a4c9b05215d2b82c8a4de51

    SHA512

    e09eb4d3a4e9a2d1d094324ff7ea1b53e089f52b1ca64b17a8db7e8fe9f2e2c474600cb6a2a6ca8d7bb377c54f3630fb66fa6e9ca2c1378e6e3a380f52d9ef27

  • memory/4544-136-0x0000000005610000-0x00000000056AC000-memory.dmp

    Filesize

    624KB

  • memory/4544-135-0x0000000000940000-0x0000000000952000-memory.dmp

    Filesize

    72KB