Overview

overview

10

Static

static

e91d02519d...d8.exe

windows7-x64

10

e91d02519d...d8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    189s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8.exe

  • Size

    860KB

  • MD5

    1c4b81dc51aba18efdb7ca0018e57ee9

  • SHA1

    928e62adc64e8c72b16f9f62a18447df87d5a8cb

  • SHA256

    e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8

  • SHA512

    6865583489f879a90d642be21460bcd359d29ebfbf1654d0fe740b2443c625f59ab057b15b005c09c57ae0a739b6f98c8782fbf0daa46df0192195ce3cfd998d

  • SSDEEP

    768:WHuiL/OGH4e//KTGr/EwlqhrQcZdOjFV5gVwkz0EuHel9LEEXk+B4aqg1eXkDu1J:EzzZO1nMkQdkxBaLIhnyvzB

Score
10/10
asyncratdefaultevasionpersistencerattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

hgjvhnfgg.duckdns.org:8057

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 3 IoCs
    evasiontrojan
  • Async RAT payload 6 IoCs
    rat
  • Drops startup file 2 IoCs
  • Windows security modification 2 TTPs 9 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8.exe
    "C:\Users\Admin\AppData\Local\Temp\e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies Windows Defender Real-time Protection settings
    • Windows security bypass
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:560
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:564
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:676
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1008
    • C:\Users\Admin\AppData\Local\Temp\e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8.exe
      "C:\Users\Admin\AppData\Local\Temp\e91d02519dfb511754d45bd0ea6761ab41b0c96336ceb5b7ebf4d946e576bed8.exe"
      2⤵
        PID:1888

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    5
    T1112

    Disabling Security Tools

    3
    T1089

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      d259d77ae463006b1e0426aafac9a0ea

      SHA1

      e3e129d0f0605db4bb253ada7eb7451eea3fdb21

      SHA256

      1b067d8d2dbf8806a9d20beb3c6c47c716c47a300dfd1d717681fa860f292030

      SHA512

      36a451625e64b47eba6b466b2525682e29cea1aacbdd418f481c816e413a8b63cf90261b8cecc09c130f7086ec4aada518ea60c9e19508e5b243e759cd7bdbfb

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      d259d77ae463006b1e0426aafac9a0ea

      SHA1

      e3e129d0f0605db4bb253ada7eb7451eea3fdb21

      SHA256

      1b067d8d2dbf8806a9d20beb3c6c47c716c47a300dfd1d717681fa860f292030

      SHA512

      36a451625e64b47eba6b466b2525682e29cea1aacbdd418f481c816e413a8b63cf90261b8cecc09c130f7086ec4aada518ea60c9e19508e5b243e759cd7bdbfb

      Download Submit
    • memory/560-72-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/560-68-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/560-91-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/560-58-0x0000000000000000-mapping.dmp
      Download
    • memory/564-88-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/564-59-0x0000000000000000-mapping.dmp
      Download
    • memory/564-73-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/564-69-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/676-60-0x0000000000000000-mapping.dmp
      Download
    • memory/676-70-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/676-74-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/676-90-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1008-76-0x0000000000000000-mapping.dmp
      Download
    • memory/1064-89-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1064-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1064-71-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1064-67-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1612-54-0x00000000008C0000-0x000000000099A000-memory.dmp
      Filesize

      872KB

      Download
    • memory/1612-55-0x0000000075C81000-0x0000000075C83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1612-56-0x0000000000260000-0x0000000000288000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1888-78-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1888-82-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1888-77-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1888-85-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1888-87-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1888-83-0x000000000040C73E-mapping.dmp
      Download
    • memory/1888-80-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1888-81-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2004-75-0x0000000000000000-mapping.dmp
      Download