Analysis
- max time kernel: 183s
- max time network: 192s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 07:11

Behavioral task: behavioral1
- Sample: a085750ab9332bd2f0ad4b14ceba4c8f.exe
- Resource: win7-20221111-en
General
- Target: a085750ab9332bd2f0ad4b14ceba4c8f.exe
- Size: 47KB
- MD5: a085750ab9332bd2f0ad4b14ceba4c8f
- SHA1: ceb4652807226f27eb9556e2f2c9fd080aa341d8
- SHA256: ceb08316d1560c7c4f5b6b8b8209b98230fe95480b3a3905d841b313d49216ca
- SHA512: ad4daed223c00083e6dc0ecaeb2367a0e37d62a26a887be43a523aa6cfbd5e5ed8a740dee69c08b853abb85c9c53ecfa59d3cc2f8266d6a5addfbb5c2bb557f7
- SSDEEP: 768:Bu449TxAwVDWUPOvG6yxmo2qbNDwuNKKKlePIvmp40b+AQXaTPva2CznH3xBDZox:Bu449Tx72vGR2wEuuVu9b+AQarrC7Pda
Malware Config
Extracted: asyncrat, version 0.5.7B, config name "Default"
- mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: services.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (5 IoCs). Resources matched by YARA rule "asyncrat":
  behavioral1/memory/944-54-0x0000000001180000-0x0000000001192000-memory.dmp
  \Users\Admin\AppData\Roaming\services.exe
  C:\Users\Admin\AppData\Roaming\services.exe
  C:\Users\Admin\AppData\Roaming\services.exe
  behavioral1/memory/1348-65-0x0000000000120000-0x0000000000132000-memory.dmp
- Executes dropped EXE (1 IoC). Process: pid 1348 services.exe
- Loads dropped DLL (1 IoC). Process: pid 1924 cmd.exe
- Enumerates physical storage devices (1 TTP). Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC). Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC). Process: pid 920 timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC). Process: pid 944 a085750ab9332bd2f0ad4b14ceba4c8f.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs). Token: SeDebugPrivilege in pid 944 a085750ab9332bd2f0ad4b14ceba4c8f.exe; Token: SeDebugPrivilege in pid 1348 services.exe
- Suspicious use of WriteProcessMemory (20 IoCs). Each source/target pair below was recorded four times in the report:
  PID 944 (a085750ab9332bd2f0ad4b14ceba4c8f.exe) wrote to memory of PID 1496 (cmd.exe)
  PID 944 (a085750ab9332bd2f0ad4b14ceba4c8f.exe) wrote to memory of PID 1924 (cmd.exe)
  PID 1496 (cmd.exe) wrote to memory of PID 1332 (schtasks.exe)
  PID 1924 (cmd.exe) wrote to memory of PID 920 (timeout.exe)
  PID 1924 (cmd.exe) wrote to memory of PID 1348 (services.exe)
Processes (indentation shows the process tree depth, 1 to 3)
- C:\Users\Admin\AppData\Local\Temp\a085750ab9332bd2f0ad4b14ceba4c8f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a085750ab9332bd2f0ad4b14ceba4c8f.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr '"C:\Users\Admin\AppData\Roaming\services.exe"' & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "services" /tr '"C:\Users\Admin\AppData\Roaming\services.exe"'
      Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B01.tmp.bat""
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\services.exe
      Command line: "C:\Users\Admin\AppData\Roaming\services.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1B01.tmp.bat
  Filesize: 152B
  MD5: 10f7c778f078c562dca9608e4d879c11
  SHA1: 7490bd433da8c5879c6dfa73ddaf316693cc6f71
  SHA256: e61bd73ab680bd87bc4caed9f7103077bfbaa4ca9960d7e4dbb26fdcb8ecfda0
  SHA512: d694eec379bad3c844e6b96bca47d0f3d94e7bc6222297a7a5309a449a0c9c6dcd8e711867e34f19b886ef58474a970e856a8883c41575dd23e1e4fb382e9e5f
- C:\Users\Admin\AppData\Roaming\services.exe
  Filesize: 47KB
  MD5: a085750ab9332bd2f0ad4b14ceba4c8f
  SHA1: ceb4652807226f27eb9556e2f2c9fd080aa341d8
  SHA256: ceb08316d1560c7c4f5b6b8b8209b98230fe95480b3a3905d841b313d49216ca
  SHA512: ad4daed223c00083e6dc0ecaeb2367a0e37d62a26a887be43a523aa6cfbd5e5ed8a740dee69c08b853abb85c9c53ecfa59d3cc2f8266d6a5addfbb5c2bb557f7
- C:\Users\Admin\AppData\Roaming\services.exe (second entry in the report; same size and hashes as the entry above)
- \Users\Admin\AppData\Roaming\services.exe (same size and hashes as the services.exe entry above)
- memory/920-60-0x0000000000000000-mapping.dmp
- memory/944-54-0x0000000001180000-0x0000000001192000-memory.dmp (Filesize: 72KB)
- memory/944-55-0x0000000074F01000-0x0000000074F03000-memory.dmp (Filesize: 8KB)
- memory/1332-58-0x0000000000000000-mapping.dmp
- memory/1348-63-0x0000000000000000-mapping.dmp
- memory/1348-65-0x0000000000120000-0x0000000000132000-memory.dmp (Filesize: 72KB)
- memory/1496-56-0x0000000000000000-mapping.dmp
- memory/1924-57-0x0000000000000000-mapping.dmp