Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    30-10-2022 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    124KB

  • MD5

    5284960dae2439c297f945715ae10c36

  • SHA1

    b4be5b314fe573fb14d6074ba795ddd8fb78d944

  • SHA256

    accc29c7af47c1a42e7646a93b347f73fbb14a7a20177f3aad80ab26f4c819f4

  • SHA512

    a6259cc4b121d4b918490de6f6dcbaa9740f67174dadeef0965b8ba53fd196d2332a0b5d4fcf00d2da62b1e7ef095fb5b2d5dc57aecad6a3f2681475177dd3e6

  • SSDEEP

    3072:CuwGToVS2YFWt4bQa4tqsU1FJ+yC3pwRb6JPqB604Hgy7hRCd39vie:Cuw/fVt4bjCVJyB60OgyLC7vr

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

kadumello.ddns.net:1194

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    wermgr64.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 5 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wermgr64" /tr '"C:\Users\Admin\AppData\Roaming\wermgr64.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "wermgr64" /tr '"C:\Users\Admin\AppData\Roaming\wermgr64.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1752
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3CF2.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:568
      • C:\Users\Admin\AppData\Roaming\wermgr64.exe
        "C:\Users\Admin\AppData\Roaming\wermgr64.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:944

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3CF2.tmp.bat
    Filesize

    152B

    MD5

    1f2bb8e6a0aff0941eb345a4c9f9ef9a

    SHA1

    461763d518b2f08a9358d9e4503abbcb9723fe63

    SHA256

    61969dc02e9993762c26c7817526d15d1ac1feff492a33fcbcf7c227525a5a34

    SHA512

    d15eedd319e6a5398d2f02188080a4b858473fc30d9bf070a99c8b9ee2b08805f88b44c73e31c4d49a0c5d612bd00d92b972249649d4dea6f580b3283a165ee1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wermgr64.exe
    Filesize

    124KB

    MD5

    5284960dae2439c297f945715ae10c36

    SHA1

    b4be5b314fe573fb14d6074ba795ddd8fb78d944

    SHA256

    accc29c7af47c1a42e7646a93b347f73fbb14a7a20177f3aad80ab26f4c819f4

    SHA512

    a6259cc4b121d4b918490de6f6dcbaa9740f67174dadeef0965b8ba53fd196d2332a0b5d4fcf00d2da62b1e7ef095fb5b2d5dc57aecad6a3f2681475177dd3e6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wermgr64.exe
    Filesize

    124KB

    MD5

    5284960dae2439c297f945715ae10c36

    SHA1

    b4be5b314fe573fb14d6074ba795ddd8fb78d944

    SHA256

    accc29c7af47c1a42e7646a93b347f73fbb14a7a20177f3aad80ab26f4c819f4

    SHA512

    a6259cc4b121d4b918490de6f6dcbaa9740f67174dadeef0965b8ba53fd196d2332a0b5d4fcf00d2da62b1e7ef095fb5b2d5dc57aecad6a3f2681475177dd3e6

    Download Submit

  • \Users\Admin\AppData\Roaming\wermgr64.exe
    Filesize

    124KB

    MD5

    5284960dae2439c297f945715ae10c36

    SHA1

    b4be5b314fe573fb14d6074ba795ddd8fb78d944

    SHA256

    accc29c7af47c1a42e7646a93b347f73fbb14a7a20177f3aad80ab26f4c819f4

    SHA512

    a6259cc4b121d4b918490de6f6dcbaa9740f67174dadeef0965b8ba53fd196d2332a0b5d4fcf00d2da62b1e7ef095fb5b2d5dc57aecad6a3f2681475177dd3e6

    Download Submit

  • memory/568-60-0x0000000000000000-mapping.dmp

    Download

  • memory/580-56-0x0000000000000000-mapping.dmp

    Download

  • memory/944-63-0x0000000000000000-mapping.dmp

    Download

  • memory/944-65-0x0000000000AE0000-0x0000000000B04000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1284-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1288-54-0x0000000000A80000-0x0000000000AA4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1288-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1752-59-0x0000000000000000-mapping.dmp

    Download