Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 13-01-2023 09:07
- Static task: static1
- Behavioral task: behavioral1
  - Sample: MV BMC ENDORA V0123- PDA.js
  - Resource: win7-20221111-en
General
- Target: MV BMC ENDORA V0123- PDA.js
- Size: 128KB
- MD5: 3a084e6817bf9b361b8ff6618d767c09
- SHA1: f27662987fd14d69523efec560e29c1d66a2a645
- SHA256: cee54813009042b01b4ebd1afbf99160b0c25465b7530332ba5bb064be6eba63
- SHA512: a49b1732ea52aff5cdf57b10ef8c46c5185805ed13a6d032b5cc0aa326a4101aa6744ac12732ed5f8c87e9ad39d8b7da8b31a4c2208eb79c97db6c9e94b0fd11
- SSDEEP: 3072:ool0yHnHmo2BPDf/DUGOxxVZh/O5kaUH02x2RVy:ogHmouPDf/DnYhmhPRVy
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet (group): Default
- C2: 84.21.172.33:6606, 84.21.172.33:7707, 84.21.172.33:8808
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: Recycle Bin.exe
- install_folder: %AppData%

The extracted values line up with what the sandbox observed: the client copies itself to %AppData%\Recycle Bin.exe, registers a scheduled task named "Recycle Bin", and the install stub waits 3 seconds (the configured delay) before launching the copy. All three C2 ports point at the same host, so a single IP block covers the configured fallback ports.
Signatures
- Async RAT payload (7 IoCs)
  YARA rule "asyncrat" matched the following resources:
  - behavioral1/files/0x000a000000012302-58.dat
  - behavioral1/files/0x000a000000012302-59.dat
  - behavioral1/memory/764-61-0x0000000000BD0000-0x0000000000BE2000-memory.dmp
  - behavioral1/files/0x0008000000012312-68.dat
  - behavioral1/files/0x0008000000012312-69.dat
  - behavioral1/files/0x0008000000012312-71.dat
  - behavioral1/memory/1432-72-0x0000000000CF0000-0x0000000000D02000-memory.dmp
  The two memory dumps belong to PID 764 (AsyncClient.exe) and PID 1432 (Recycle Bin.exe), so both the initially dropped client and its installed copy carry the AsyncRAT payload.
- Blocklisted process makes network request (16 IoCs)
  wscript.exe (PID 556) made network requests in flows 4, 5, 9, 12, 13, 14, 16, 17, 18, 20, 21, 22, 24, 25, 26 and 28.
- Executes dropped EXE (2 IoCs)
  - PID 764: AsyncClient.exe
  - PID 1432: Recycle Bin.exe
- Drops startup file (2 IoCs)
  wscript.exe (PID 556) created, then opened for modification:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js
- Loads dropped DLL (1 IoC)
  - PID 316: cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic note "likely ransomware behaviour" to this signature; nothing else in this report points to ransomware, and the extracted config identifies the payload as AsyncRAT, so read this as drive reconnaissance by a RAT rather than encryption activity.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Recycle Bin" is created with an ONLOGON trigger and /rl highest (PID 864 in the process tree).
- Delays execution with timeout.exe (1 IoC)
  - PID 1092: timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  - PID 764: AsyncClient.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - PID 764 AsyncClient.exe: SeDebugPrivilege
  - PID 1432 Recycle Bin.exe: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (27 IoCs)
  Parent-to-child memory writes, with the number of recorded events in parentheses:
  - PID 1336 wscript.exe -> PID 556 wscript.exe (3); -> PID 764 AsyncClient.exe (4)
  - PID 764 AsyncClient.exe -> PID 1888 cmd.exe (4); -> PID 316 cmd.exe (4)
  - PID 1888 cmd.exe -> PID 864 schtasks.exe (4)
  - PID 316 cmd.exe -> PID 1092 timeout.exe (4); -> PID 1432 Recycle Bin.exe (4)
Processes
- C:\Windows\system32\wscript.exe (PID 1336)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 556)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"
    - Blocklisted process makes network request
    - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe (PID 764)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1888)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 864)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'
        - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 316)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1DFD.tmp.bat""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (PID 1092)
        Command line: timeout 3
        - Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\Recycle Bin.exe (PID 1432)
        Command line: "C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

Reading the tree: the submitted .js (PID 1336) writes a randomly named second script, FtFYVjAgTz.js, to %AppData%\Roaming and relaunches it with wscript //B (batch mode, which suppresses script error dialogs); that second instance is the one that talks to the network and plants a copy of itself in the Startup folder. The same parent also drops and runs AsyncClient.exe from %TEMP%, which follows the standard AsyncRAT install routine: schtasks for ONLOGON persistence at the highest run level, then a temporary .bat that waits 3 seconds and starts the installed copy, %AppData%\Roaming\Recycle Bin.exe. The cmd.exe, schtasks.exe and timeout.exe images resolve under SysWOW64 although the command lines name System32, which is WoW64 file-system redirection: the AsyncRAT client runs as a 32-bit process on this x64 image.
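The Malware Config and Processes sections above give a detection engineer two things to encode: host behaviour (script host relaunched with //B from %AppData%, a script dropped into the Startup folder, schtasks /create with ONLOGON and /rl highest pointing into AppData, a tmp*.tmp.bat stub, an executable named after a shell folder) and network IOCs (the C2 host and its three ports). The following Python is an added example and is not part of this report or of any sandbox product. It replays constructed Sysmon-style events modelled on the process tree above (field names such as Image, CommandLine, ParentImage, TargetFilename and DestinationIp follow Sysmon naming, but the events themselves are made up here for illustration, including one benign control event) and returns the rules each PID triggers. The rule names and the small list of shell-folder decoy names beyond "Recycle Bin.exe" are my own assumptions; the C2 address and ports come from the extracted config.

```python
"""Detection rules for the AsyncRAT delivery chain in this report (added example).

Events are constructed from the process tree above with Sysmon-style field names;
rule names and the extra shell-folder decoy names are assumptions, not report data.
"""
import re

# Indicators taken from the extracted config in this report.
C2_HOST = "84.21.172.33"
C2_PORTS = {6606, 7707, 8808}

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
TEMP_BAT = re.compile(r"\\Temp\\tmp[0-9A-F]+\.tmp\.bat", re.IGNORECASE)
# "Recycle Bin.exe" is from this report; the others are assumed variants of the same trick.
SHELL_FOLDER_NAMES = {"recycle bin.exe", "desktop.exe", "documents.exe", "downloads.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list[str]:
    """Rules triggered by one process-creation event."""
    hits = []
    image, cmd, parent = ev.get("Image", ""), ev.get("CommandLine", ""), ev.get("ParentImage", "")
    name, pname = _basename(image), _basename(parent)
    # wscript.exe relaunched in batch mode (//B hides errors) on a script under AppData (PID 556).
    if name == "wscript.exe" and re.search(r"\s//B\s", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("wscript_batch_from_appdata")
    # Script host spawning an .exe out of %TEMP% (PID 1336 -> PID 764).
    if pname == "wscript.exe" and name.endswith(".exe") and re.search(r"\\Temp\\", image, re.I):
        hits.append("wscript_spawns_temp_exe")
    # schtasks persistence: ONLOGON trigger, highest run level, action inside AppData (PIDs 1888, 864).
    if (re.search(r"schtasks(\.exe)?\s+/create\b", cmd, re.I)
            and re.search(r"/sc\s+onlogon\b", cmd, re.I)
            and re.search(r"/rl\s+highest\b", cmd, re.I)
            and USER_WRITABLE.search(cmd)):
        hits.append("schtasks_onlogon_highest_appdata")
    # cmd.exe running a tmp*.tmp.bat from %TEMP%, the AsyncRAT install stub (PID 316).
    if name == "cmd.exe" and TEMP_BAT.search(cmd):
        hits.append("cmd_runs_temp_bat")
    # Executable under AppData named like a shell folder (PID 1432).
    if USER_WRITABLE.search(image) and name in SHELL_FOLDER_NAMES:
        hits.append("shell_folder_name_exe_in_appdata")
    return hits


def check_file(ev: dict) -> list[str]:
    """Script written into the per-user Startup folder (PID 556 dropping FtFYVjAgTz.js)."""
    target = ev.get("TargetFilename", "")
    if STARTUP_DIR.search(target) and target.lower().endswith((".js", ".jse", ".vbs", ".vbe", ".wsf")):
        return ["script_dropped_in_startup_folder"]
    return []


def check_network(ev: dict) -> list[str]:
    """Outbound connection to a C2 host:port pair from the extracted config."""
    if ev.get("DestinationIp") == C2_HOST and int(ev.get("DestinationPort", 0)) in C2_PORTS:
        return ["asyncrat_c2_from_config"]
    return []


CHECKERS = {"ProcessCreate": check_process, "FileCreate": check_file, "NetworkConnect": check_network}


def analyse(events: list[dict]) -> dict[int, list[str]]:
    """Map each PID to the rules its events triggered; PIDs with no hits are omitted."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        for rule in CHECKERS.get(ev.get("EventType"), lambda _e: [])(ev):
            findings.setdefault(ev["ProcessId"], []).append(rule)
    return findings


def verdict(findings: dict[int, list[str]]) -> str:
    """Three or more distinct rules in one tree is the full dropper -> install -> C2 chain."""
    rules = {r for hits in findings.values() for r in hits}
    if len(rules) >= 3:
        return "asyncrat_delivery_chain"
    return "suspicious" if rules else "clean"


# Constructed events mirroring the process tree above (not sandbox output).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 1336, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\MV BMC ENDORA V0123- PDA.js"'},
    {"EventType": "ProcessCreate", "ProcessId": 556, "ParentImage": r"C:\Windows\system32\wscript.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"'},
    {"EventType": "FileCreate", "ProcessId": 556,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js"},
    {"EventType": "ProcessCreate", "ProcessId": 764, "ParentImage": r"C:\Windows\system32\wscript.exe",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"'},
    {"EventType": "ProcessCreate", "ProcessId": 1888, "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c schtasks /create /f /sc onlogon /rl highest "
                    "/tn \"Recycle Bin\" /tr '\"C:\\Users\\Admin\\AppData\\Roaming\\Recycle Bin.exe\"' & exit"},
    {"EventType": "ProcessCreate", "ProcessId": 864, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": "schtasks /create /f /sc onlogon /rl highest /tn \"Recycle Bin\" "
                    "/tr '\"C:\\Users\\Admin\\AppData\\Roaming\\Recycle Bin.exe\"'"},
    {"EventType": "ProcessCreate", "ProcessId": 316, "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1DFD.tmp.bat""'},
    {"EventType": "ProcessCreate", "ProcessId": 1432, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'},
    {"EventType": "NetworkConnect", "ProcessId": 1432, "Image": r"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe",
     "DestinationIp": "84.21.172.33", "DestinationPort": 6606},
    # Benign control: an ONLOGON task without /rl highest whose action lives in Program Files must not fire.
    {"EventType": "ProcessCreate", "ProcessId": 2000, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn "Updater" /tr "C:\Program Files\Vendor\update.exe"'},
]

if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    for pid, rules in found.items():
        print(pid, rules)
    print(verdict(found))
```

The schtasks rule deliberately requires all three of ONLOGON, /rl highest and an AppData action path, so the control event (a plausible vendor updater task) stays quiet while both the cmd.exe wrapper (PID 1888) and schtasks.exe itself (PID 864) fire; alerting on both is the intended behaviour, since either one may be missing from a given telemetry source. The C2 check matches only the configured host:port pairs, so it is a point IOC that expires with the infrastructure; the behavioural rules are the ones worth keeping.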
Network
MITRE ATT&CK Enterprise v6
Downloads
Three distinct files are listed. The 48KB file appears five times with identical hashes, consistent with the five file-resource YARA hits under "Async RAT payload" above.

- Filesize: 48KB (listed 5 times)
  MD5: 1b5be7647628e1de782bb8f33d369dd3
  SHA1: cd6e2f240ea97d03c6c796ab3573f728d6c30d9f
  SHA256: fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903
  SHA512: 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155
- Filesize: 155B
  MD5: b082887b65398b485f4d092b71bc92e2
  SHA1: 21755648ebd2f9acb7319285e281fb7dc52907ad
  SHA256: 266ba56cca74e30d895cbb31b9266697a5af8d8c909f583e72a9d9649ad779c2
  SHA512: c04bfe2a550b3fecdb45d224f456a92c218f69914e80c0a5c465338482802bd19c4751e601dd59561f956eaa9834af8d9558a930ecb1366b190b12113dc4588b
- Filesize: 16KB
  MD5: 7586d9e4467d26fde97538eab36cf88c
  SHA1: d7fcd37e0bc9e790023a38d2d470cd001f81ca92
  SHA256: 7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18
  SHA512: 02676bd1e1086eeae9bdec3bce065ac97267c457daf6fbd77a783d7fc81fc6f891518d6fd19dd525e84ebd25e3098614c4bbefa71ded301cd3a7a46ed2a40e0a