Overview

overview

10

Static

static

10

LocalSecurity.exe

windows7-x64

10

LocalSecurity.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    189s
  • max time network
    198s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2022 20:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LocalSecurity.exe

  • Size

    45KB

  • MD5

    82e07ce7c9183c9d8098c006a5717ead

  • SHA1

    f02f8f5374af906765b5fa1c4758252611767a19

  • SHA256

    5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8

  • SHA512

    0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce

  • SSDEEP

    768:zujYm1TUET1/WUTQV9mo2qzNRt4TOPIvzjbrgX3iau2uCBVgAxm9VldBDZvx:zujYm1TU0I2kE3v3bUXSz29VgRzdvx

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:7707

127.0.0.1:1604

127.0.0.1:8808

127.0.0.1:6606

127.0.0.1:17172

6.tcp.eu.ngrok.io:7707

6.tcp.eu.ngrok.io:1604

6.tcp.eu.ngrok.io:8808

6.tcp.eu.ngrok.io:6606

6.tcp.eu.ngrok.io:17172
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Runtime Broker.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LocalSecurity.exe
    "C:\Users\Admin\AppData\Local\Temp\LocalSecurity.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1948
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDB09.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3748
      • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3560
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
      PID:4252
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2088

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpDB09.tmp.bat
      Filesize

      158B

      MD5

      4b88ca2adf3b0ee990a3502ece07e8b6

      SHA1

      e45acda33aed6e26ea87f97df9c97eaa81ecec15

      SHA256

      2cae43ad95a748a6ae34d4618f9bcdf6d4c93015632511aa45a6cdc578c702a1

      SHA512

      993d462b4e500841fcd4d1b86587609e692f560ed4e109d829c6f643c5a64bc992ffe444847692402634be33fc224a8913e56fc1641a8a87daed9b1ec828ff26

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      Filesize

      45KB

      MD5

      82e07ce7c9183c9d8098c006a5717ead

      SHA1

      f02f8f5374af906765b5fa1c4758252611767a19

      SHA256

      5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8

      SHA512

      0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
      Filesize

      45KB

      MD5

      82e07ce7c9183c9d8098c006a5717ead

      SHA1

      f02f8f5374af906765b5fa1c4758252611767a19

      SHA256

      5dd9cfc17acc9bbbf3b5d24d2ce7044f1b57d712ddb6ecf88eab5da516d972a8

      SHA512

      0572be7700f2fd68acd1404d164184dd72b6c198ab37c164ef3fb1590e8ec9c14f9c08b29cb3b4d1153968fcb6ab7f9d51e128e71967afa472338ae5143a2dce

      Download Submit
    • memory/1948-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2700-132-0x00000000006E0000-0x00000000006F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2700-133-0x00000000055D0000-0x0000000005636000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2700-134-0x0000000005740000-0x00000000057DC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3560-140-0x0000000000000000-mapping.dmp
      Download
    • memory/3748-139-0x0000000000000000-mapping.dmp
      Download
    • memory/3916-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4272-135-0x0000000000000000-mapping.dmp
      Download