Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2022 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    47KB

  • MD5

    6d717fe6e6123691c7d9ffee92625c2f

  • SHA1

    ac8e4b99c2398a48884805255f2fa90daf0dff3c

  • SHA256

    39ae1a73d9326d866c0ea79742243790ed3aeeceac161f1a23f7b0c7b84b4570

  • SHA512

    2b1d1ef8cc59b9916ccea5712609117d99576d59d3376bfe187eca473f988c0c76bc16dfff75d0e936af769963e13135f2f5f45ae7d4b62c619ffb88d20afdf8

  • SSDEEP

    768:R/IO5VILWCyh+DiWtelDSN+iV08YbygejovEgK/J/ZVc6KN:R/PNWtKDs4zb1BnkJ/ZVclN

Score
10/10
asyncratredlinedefaulttestdiscoveryinfostealerratspywarestealer

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

193.233.48.17:8848

Mutex

dfas9asdf8as8z

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

test

C2

193.233.48.17:9832

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\build.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\build.exe"'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4240
        • C:\Users\Admin\AppData\Local\Temp\build.exe
          "C:\Users\Admin\AppData\Local\Temp\build.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    37ccecb56eb0d2db0a5159b5bbc3ec5b

    SHA1

    7ba3a1ef06bbd6b1444337ff58736aeeec6d4164

    SHA256

    8dfbcef9c1dfe6a9bbc7d3a97ba8ac8928e6b4abc83bbd49e67a33c061a119cc

    SHA512

    8f93b9dce515b51cfb61fbc21881a83d8623a30849195299759edc9c8c2f3898562d5f461bc15b22c1abc7a9b3ab430a9bfdd7d610cf24d842ce28d672c77354

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    95KB

    MD5

    37ccecb56eb0d2db0a5159b5bbc3ec5b

    SHA1

    7ba3a1ef06bbd6b1444337ff58736aeeec6d4164

    SHA256

    8dfbcef9c1dfe6a9bbc7d3a97ba8ac8928e6b4abc83bbd49e67a33c061a119cc

    SHA512

    8f93b9dce515b51cfb61fbc21881a83d8623a30849195299759edc9c8c2f3898562d5f461bc15b22c1abc7a9b3ab430a9bfdd7d610cf24d842ce28d672c77354

    Download Submit
  • memory/1484-147-0x0000000004E20000-0x0000000004E32000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1484-153-0x0000000006760000-0x00000000067F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1484-152-0x0000000007770000-0x0000000007D14000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1484-151-0x0000000006C90000-0x00000000071BC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/1484-150-0x0000000006590000-0x0000000006752000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1484-156-0x0000000006C30000-0x0000000006C4E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1484-155-0x0000000006A20000-0x0000000006A96000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1484-149-0x0000000005130000-0x000000000523A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1484-142-0x0000000000000000-mapping.dmp
    Download
  • memory/1484-148-0x0000000004E80000-0x0000000004EBC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1484-154-0x0000000006800000-0x0000000006866000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1484-145-0x00000000004A0000-0x00000000004BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1484-146-0x00000000055A0000-0x0000000005BB8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2220-135-0x000000001D220000-0x000000001D296000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2220-133-0x00007FF905BB0000-0x00007FF906671000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2220-134-0x00007FF905BB0000-0x00007FF906671000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2220-132-0x0000000000B20000-0x0000000000B32000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2220-136-0x00000000014E0000-0x00000000014FE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3584-137-0x0000000000000000-mapping.dmp
    Download
  • memory/4240-138-0x0000000000000000-mapping.dmp
    Download
  • memory/4240-144-0x00007FF905BB0000-0x00007FF906671000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4240-140-0x00007FF905BB0000-0x00007FF906671000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4240-139-0x00000205F4940000-0x00000205F4962000-memory.dmp
    Filesize

    136KB

    Download