Analysis

  • max time kernel
    45s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-12-2022 06:16

General

  • Target

    tmp.exe

  • Size

    47KB

  • MD5

    6d717fe6e6123691c7d9ffee92625c2f

  • SHA1

    ac8e4b99c2398a48884805255f2fa90daf0dff3c

  • SHA256

    39ae1a73d9326d866c0ea79742243790ed3aeeceac161f1a23f7b0c7b84b4570

  • SHA512

    2b1d1ef8cc59b9916ccea5712609117d99576d59d3376bfe187eca473f988c0c76bc16dfff75d0e936af769963e13135f2f5f45ae7d4b62c619ffb88d20afdf8

  • SSDEEP

    768:R/IO5VILWCyh+DiWtelDSN+iV08YbygejovEgK/J/ZVc6KN:R/PNWtKDs4zb1BnkJ/ZVclN

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

193.233.48.17:8848

Mutex

dfas9asdf8as8z

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

test

C2

193.233.48.17:9832

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • Async RAT payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\build.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\build.exe"'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Users\Admin\AppData\Local\Temp\build.exe
          "C:\Users\Admin\AppData\Local\Temp\build.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 2


Downloads

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    37ccecb56eb0d2db0a5159b5bbc3ec5b

    SHA1

    7ba3a1ef06bbd6b1444337ff58736aeeec6d4164

    SHA256

    8dfbcef9c1dfe6a9bbc7d3a97ba8ac8928e6b4abc83bbd49e67a33c061a119cc

    SHA512

    8f93b9dce515b51cfb61fbc21881a83d8623a30849195299759edc9c8c2f3898562d5f461bc15b22c1abc7a9b3ab430a9bfdd7d610cf24d842ce28d672c77354

  • memory/964-69-0x00000000766D1000-0x00000000766D3000-memory.dmp
    Filesize

    8KB

  • memory/964-68-0x00000000013B0000-0x00000000013CE000-memory.dmp
    Filesize

    120KB

  • memory/964-64-0x0000000000000000-mapping.dmp
  • memory/1144-62-0x000000001B820000-0x000000001BB1F000-memory.dmp
    Filesize

    3.0MB

  • memory/1144-60-0x000007FEEB4A0000-0x000007FEEBFFD000-memory.dmp
    Filesize

    11.4MB

  • memory/1144-61-0x0000000002924000-0x0000000002927000-memory.dmp
    Filesize

    12KB

  • memory/1144-59-0x000007FEEC000000-0x000007FEECA23000-memory.dmp
    Filesize

    10.1MB

  • memory/1144-58-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp
    Filesize

    8KB

  • memory/1144-57-0x0000000000000000-mapping.dmp
  • memory/1144-67-0x000000000292B000-0x000000000294A000-memory.dmp
    Filesize

    124KB

  • memory/1144-66-0x0000000002924000-0x0000000002927000-memory.dmp
    Filesize

    12KB

  • memory/1452-56-0x0000000000000000-mapping.dmp
  • memory/2032-54-0x0000000001330000-0x0000000001342000-memory.dmp
    Filesize

    72KB

  • memory/2032-55-0x0000000000580000-0x000000000058C000-memory.dmp
    Filesize

    48KB