Overview

overview

10

Static

static

9b608fcfcf...69.exe

windows7-x64

10

9b608fcfcf...69.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 17:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b608fcfcff20713072deb68b58dd218cc10f880b5c85a7903aec99d9471f269.exe

  • Size

    315KB

  • MD5

    42ffde5af3d66024c0699f14922bb1da

  • SHA1

    b4019d8834f565877ead605a6930e5fdb1bdcfa1

  • SHA256

    9b608fcfcff20713072deb68b58dd218cc10f880b5c85a7903aec99d9471f269

  • SHA512

    cef54ced9dd019f24cd8619e3fd989a8ca146680ffb9b98217941068d79c26a38476d696d2a6c91c69fde70e3b8f25f05c18462682b26486f693c16badcd82fe

  • SSDEEP

    6144:D6xqzHOWLMGBgPcpdrVVsqy3WmSNRbNqfWvC:OxqzHOM/HVVs/3WNbMfWvC

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

40.75.8.74:7707

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7A

Botnet

Default

C2

23.102.129.234:7707

Mutex

uvkcjjugzqls

Attributes
  • delay

    1

  • install

    false

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 6 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b608fcfcff20713072deb68b58dd218cc10f880b5c85a7903aec99d9471f269.exe
    "C:\Users\Admin\AppData\Local\Temp\9b608fcfcff20713072deb68b58dd218cc10f880b5c85a7903aec99d9471f269.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Users\Admin\AppData\Local\Temp\Cuubz.exe
      "C:\Users\Admin\AppData\Local\Temp\Cuubz.exe"
      2⤵
      • Executes dropped EXE
      PID:4468
    • C:\Users\Admin\AppData\Local\Temp\Izkemwkdhqej.exe
      "C:\Users\Admin\AppData\Local\Temp\Izkemwkdhqej.exe"
      2⤵
      • Executes dropped EXE
      PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cuubz.exe
    Filesize

    47KB

    MD5

    96073281c86416ec2a530a8e21431cac

    SHA1

    3760599c3ad5c487fdd0d67feed2d3527769d2a0

    SHA256

    e2966044f7a5771d7cae9b568d50672be4067be8e547382dbec13edc94e1e994

    SHA512

    aab5c5dfc7a1b5115231cde88291a4e8873edc7f79d5278465e15e0ccb5b44adb18dfef06d34bd78f88200b8380fcb3eccc571a2c5db2a8924071745a8524317

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cuubz.exe
    Filesize

    47KB

    MD5

    96073281c86416ec2a530a8e21431cac

    SHA1

    3760599c3ad5c487fdd0d67feed2d3527769d2a0

    SHA256

    e2966044f7a5771d7cae9b568d50672be4067be8e547382dbec13edc94e1e994

    SHA512

    aab5c5dfc7a1b5115231cde88291a4e8873edc7f79d5278465e15e0ccb5b44adb18dfef06d34bd78f88200b8380fcb3eccc571a2c5db2a8924071745a8524317

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Izkemwkdhqej.exe
    Filesize

    49KB

    MD5

    955fec4f0483cf02565ceba73ca2456d

    SHA1

    93aa63dace4f41464b9fa7c2950635f2cd2bc4b4

    SHA256

    87db4d2962807c84b27c1c759abb7744e01685be2e7fdda54e95fc502057491e

    SHA512

    4db6d3ba9492fcdb74c276a3cb46c158a6bbb153532a25210a7d11166403a2aaf1127b6445768106821586f46934ac0a3e60894c554767fdf604cae25b63766d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Izkemwkdhqej.exe
    Filesize

    49KB

    MD5

    955fec4f0483cf02565ceba73ca2456d

    SHA1

    93aa63dace4f41464b9fa7c2950635f2cd2bc4b4

    SHA256

    87db4d2962807c84b27c1c759abb7744e01685be2e7fdda54e95fc502057491e

    SHA512

    4db6d3ba9492fcdb74c276a3cb46c158a6bbb153532a25210a7d11166403a2aaf1127b6445768106821586f46934ac0a3e60894c554767fdf604cae25b63766d

    Download Submit
  • memory/1648-141-0x0000000000000000-mapping.dmp
    Download
  • memory/1648-144-0x0000000000A40000-0x0000000000A52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4468-137-0x0000000000000000-mapping.dmp
    Download
  • memory/4468-140-0x0000000000140000-0x0000000000152000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4684-136-0x0000000004B80000-0x0000000004B8A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4684-135-0x0000000004D60000-0x0000000004DF2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4684-132-0x0000000000110000-0x0000000000166000-memory.dmp
    Filesize

    344KB

    Download
  • memory/4684-134-0x0000000005270000-0x0000000005814000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4684-133-0x0000000004C00000-0x0000000004C9C000-memory.dmp
    Filesize

    624KB

    Download