Analysis
- max time kernel: 82s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-02-2023 21:16

Static task: static1
Behavioral task: behavioral1
- Sample: iFYEJ.exe
- Resource: win7-20220901-en (windows7-x64)
- 5 signatures
- 150 seconds
General
- Target: iFYEJ.exe
- Size: 2.5MB
- MD5: acfe53c70928d44f9cf498495145ec84
- SHA1: 2a12b327d4e5628904cc25c5f134732d6265e662
- SHA256: b706de1b9f7ef2d7f6c4d5fddd9525d907a7a0fdb087d98c4a01589f6178edc7
- SHA512: 345143bcc9895282d2843efee182eb07bc0d0179c0c1e6ffcdd7ff9f1d44c252ffccb1b56c2b48c70b554f3427f6a1c23a6ea6b1c9e76edcbe655e88e247741c
- SSDEEP: 49152:Gg8nNv+SzYW4ZOUB5hempuE8OOTRmgysj8k4:Gg8h14
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2:
  89.117.21.143:6606
  89.117.21.143:7707
  89.117.21.143:8808
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  - delay: 3
  - install: false
  - install_folder: %AppData%
  - aes.plain
Signatures
- Async RAT payload (1 IoCs)
  Processes (resource | yara_rule):
  behavioral2/memory/3772-137-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: iFYEJ.exe (description | pid | process | target process):
  PID 4396 set thread context of 3772 | 4396 | iFYEJ.exe | vbc.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: iFYEJ.exe, vbc.exe (description | pid | process):
  Token: SeDebugPrivilege | 4396 | iFYEJ.exe
  Token: SeDebugPrivilege | 3772 | vbc.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: iFYEJ.exe, cmd.exe (description | pid | process | target process):
  PID 4396 wrote to memory of 3952 | 4396 | iFYEJ.exe | cmd.exe
  PID 4396 wrote to memory of 3952 | 4396 | iFYEJ.exe | cmd.exe
  PID 4396 wrote to memory of 3952 | 4396 | iFYEJ.exe | cmd.exe
  PID 3952 wrote to memory of 3076 | 3952 | cmd.exe | schtasks.exe
  PID 3952 wrote to memory of 3076 | 3952 | cmd.exe | schtasks.exe
  PID 3952 wrote to memory of 3076 | 3952 | cmd.exe | schtasks.exe
  PID 4396 wrote to memory of 3772 | 4396 | iFYEJ.exe | vbc.exe
  PID 4396 wrote to memory of 3772 | 4396 | iFYEJ.exe | vbc.exe
  PID 4396 wrote to memory of 3772 | 4396 | iFYEJ.exe | vbc.exe
  PID 4396 wrote to memory of 3772 | 4396 | iFYEJ.exe | vbc.exe
  PID 4396 wrote to memory of 3772 | 4396 | iFYEJ.exe | vbc.exe
  PID 4396 wrote to memory of 3772 | 4396 | iFYEJ.exe | vbc.exe
  PID 4396 wrote to memory of 3772 | 4396 | iFYEJ.exe | vbc.exe
  PID 4396 wrote to memory of 3772 | 4396 | iFYEJ.exe | vbc.exe
Processes (process tree, indented by depth)
- [1] C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /C schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /tn \oFNTE /tr "C:\Users\Admin\AppData\Local\Temp\iFYEJ.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
      - Creates scheduled task(s)
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3076-135-0x0000000000000000-mapping.dmp
- memory/3772-136-0x0000000000000000-mapping.dmp
- memory/3772-137-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/3772-138-0x0000000005710000-0x00000000057AC000-memory.dmp (Filesize: 624KB)
- memory/3772-139-0x0000000005820000-0x0000000005886000-memory.dmp (Filesize: 408KB)
- memory/3952-134-0x0000000000000000-mapping.dmp
- memory/4396-132-0x00000000003C0000-0x0000000000648000-memory.dmp (Filesize: 2.5MB)
- memory/4396-133-0x00000000055E0000-0x0000000005B84000-memory.dmp (Filesize: 5.6MB)