Analysis
-
max time kernel
99s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
06-02-2023 10:49
General
-
Target
af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe
-
Size
45KB
-
MD5
e16de135773985fd9ef2e0afb94f774a
-
SHA1
84c2dd69ec6247cea480925d9ecfc728f5d04c58
-
SHA256
af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630
-
SHA512
0573dbceabcef8f74d6a32d45645ad297b6f28e7f26043ce0c1a68bd24cb8a67b75158050e2ee4b1dcdd37b660da26ecc135dd3deb630dee9c10a3863e817c34
-
SSDEEP
768:DuwQNToEjaNLWU3zKZmo2q723YZJugbbb409ybdPIK/JjbOgX3iWS9UmozmBDZfx:DuwQNToqaS2DYosymK/pbxXSzdfx
Malware Config
Extracted
asyncrat
0.5.7B
Default
sr5gsedfgwsers.freemyip.com:15420
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
tmpC723.tmp.exe
-
install_folder
%Temp%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe"C:\Users\Admin\AppData\Local\Temp\af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "tmpC723.tmp" /tr '"C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "tmpC723.tmp" /tr '"C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe"'3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp812B.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
158B
MD5324816e6416b1a706a54c33280250b87
SHA1bf2ea60d8547591046b1e459ed496ea1658bd7d5
SHA25640f48aadb3f0c30860c261e3629aadbbb58ee24e9ae7e0e9087c17fddab7dfaf
SHA512b6daacc3c4d28b4aa2c49ce7aff261d2607f8991e8f2be6119a21f1b8f14d49d18211741b44740dcd253a292e187526e060363cb39361e087d474cd40ff9125f
-
Filesize
45KB
MD5e16de135773985fd9ef2e0afb94f774a
SHA184c2dd69ec6247cea480925d9ecfc728f5d04c58
SHA256af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630
SHA5120573dbceabcef8f74d6a32d45645ad297b6f28e7f26043ce0c1a68bd24cb8a67b75158050e2ee4b1dcdd37b660da26ecc135dd3deb630dee9c10a3863e817c34
-
Filesize
45KB
MD5e16de135773985fd9ef2e0afb94f774a
SHA184c2dd69ec6247cea480925d9ecfc728f5d04c58
SHA256af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630
SHA5120573dbceabcef8f74d6a32d45645ad297b6f28e7f26043ce0c1a68bd24cb8a67b75158050e2ee4b1dcdd37b660da26ecc135dd3deb630dee9c10a3863e817c34
-
-
-
Filesize
5.6MB
-
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
624KB
-
-