Overview

overview

10

Static

static

97de910f99...c3.exe

windows7-x64

10

97de910f99...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 16:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

  • Size

    878KB

  • MD5

    72d1a18668b9c354bec0c1f4bb282503

  • SHA1

    940cb647752ed13c34ea021f7617312960a61e35

  • SHA256

    97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3

  • SHA512

    91f1dfccb4b12ac2a46876da7422ec20865fd00c91ca06a2288cfe85787794b3b81bdd6bfc0f6a78ef70dfe1e2cf8112c94efc4f7b78d4318f99762d3f6a49a1

  • SSDEEP

    768:UfQf38+WbFafW237K6DpM38IDq+R6qc1CUMXfptSX5ItFaOT8MOrhI:Ub8MOy

Score
10/10
asyncratdefaultevasionpersistencerattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

asdfdsg.duckdns.org:8050

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 3 IoCs
    evasiontrojan
  • Async RAT payload 6 IoCs
    rat
  • Drops startup file 2 IoCs
  • Windows security modification 2 TTPs 9 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
    "C:\Users\Admin\AppData\Local\Temp\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies Windows Defender Real-time Protection settings
    • Windows security bypass
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:520
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1380
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:976
    • C:\Users\Admin\AppData\Local\Temp\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
      "C:\Users\Admin\AppData\Local\Temp\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe"
      2⤵
        PID:1276
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1912
        2⤵
        • Program crash
        PID:1616

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    6
    T1112

    Disabling Security Tools

    3
    T1089

    Install Root Certificate

    1
    T1130

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      e8930ac329dc85a69d9fe3ebb63f0fc2

      SHA1

      6e758a818a12f2761c10698e897f5e4c52af87eb

      SHA256

      225d7dde585f899932779bd4dabf2c002a0e0d5f76e4f24a2520e8144845da28

      SHA512

      00bececc1d6b7c6ddaeb2f654c0dde7691cb13fcce8ff0f2c20dbbb7239dfe19ffa8a65e03ce6df37e18a26773b5ecf8907db41622336871e43b87dea674c9ef

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      e8930ac329dc85a69d9fe3ebb63f0fc2

      SHA1

      6e758a818a12f2761c10698e897f5e4c52af87eb

      SHA256

      225d7dde585f899932779bd4dabf2c002a0e0d5f76e4f24a2520e8144845da28

      SHA512

      00bececc1d6b7c6ddaeb2f654c0dde7691cb13fcce8ff0f2c20dbbb7239dfe19ffa8a65e03ce6df37e18a26773b5ecf8907db41622336871e43b87dea674c9ef

      Download Submit
    • memory/432-74-0x0000000000000000-mapping.dmp
      Download
    • memory/520-57-0x0000000000000000-mapping.dmp
      Download
    • memory/520-73-0x000000006F8F0000-0x000000006FE9B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/520-68-0x000000006F8F0000-0x000000006FE9B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/976-75-0x0000000000000000-mapping.dmp
      Download
    • memory/1276-76-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1276-82-0x000000000040C73E-mapping.dmp
      Download
    • memory/1276-79-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1276-77-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1276-86-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1276-84-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1276-81-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1276-80-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1380-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1380-72-0x000000006F8F0000-0x000000006FE9B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1616-87-0x0000000000000000-mapping.dmp
      Download
    • memory/1708-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1708-71-0x000000006F8F0000-0x000000006FE9B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1708-69-0x000000006F8F0000-0x000000006FE9B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1752-56-0x00000000002E0000-0x0000000000308000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1752-54-0x0000000000DD0000-0x0000000000EB0000-memory.dmp
      Filesize

      896KB

      Download
    • memory/1752-55-0x0000000076261000-0x0000000076263000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1972-70-0x000000006F8F0000-0x000000006FE9B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1972-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1972-67-0x000000006F8F0000-0x000000006FE9B000-memory.dmp
      Filesize

      5.7MB

      Download