Analysis

  • max time kernel
    202s
  • max time network
    205s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20221111-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    12/02/2023, 17:05

General

  • Target

    7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe

  • Size

    4.4MB

  • MD5

    b9182a18d285439d5a8f54e43acf7ed0

  • SHA1

    6bdb5cb62375d0defb52426fd55f1e73ade3a9a9

  • SHA256

    7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07

  • SHA512

    7f0007306704cddff6070d90b44fd737a458b2169a9e5cba5cce25c1d63de51973b063600fe482b9c51470d9856a82d88b4a7ad9869499fa27169c83b5e1463f

  • SSDEEP

    98304:AyXPoKTkGvDygM1dqd4gCNMTcrSahyeCKWkxla:Pzv2P1gx8tc50xk

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

萝莉控 (Chinese, "lolicon"; operator-chosen version string, kept verbatim as an indicator)

Botnet

默认 (Chinese, "default"; the builder's default botnet name)

C2

cn-gx-plc-1.openfrp.top:25565

cn-gx-plc-1.openfrp.top:48454

Mutex

火绒远程管理 (Chinese, "Huorong Remote Management"; Huorong is a Chinese antivirus vendor, so the mutex name imitates security software)

Attributes
  • delay

    1

  • install

    true

  • install_file

    Windows Updata.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is an open-source .NET remote access trojan designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; nothing else in this analysis shows file encryption, and for a sample classified as AsyncRAT, drive enumeration is more consistent with the RAT surveying the host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe
    "C:\Users\Admin\AppData\Local\Temp\7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\HMCL-3.5.3.exe
      "C:\Windows\HMCL-3.5.3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:908
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://java.com/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:564
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:564 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:604
    • C:\Windows\Windows_Updata.exe
      "C:\Windows\Windows_Updata.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1872
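
The extracted config and the process tree above together give the hunting indicators for this sample: the C2 host and ports, the install file name, and the hashes of the two dropped executables. Note the mismatch between the config (install_folder %AppData%, install_file "Windows Updata.exe" with a space) and what the sandbox recorded (the dropper wrote C:\Windows\Windows_Updata.exe with an underscore, next to the 4.4MB HMCL-3.5.3.exe, the Hello Minecraft! Launcher, which here only opens https://java.com/ in Internet Explorer and appears to be a decoy); a rule keyed on one exact path misses the other. The Python below is an added example and not part of the sandbox report: it runs those indicators over a handful of constructed Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create, 22 DNS query). The event records, the %AppData% expansion path and the function names are assumptions for illustration.

```python
import ntpath
import re
from dataclasses import dataclass

# Indicators copied from the report: extracted config, process tree, dropped-file hashes.
C2_HOSTS = {"cn-gx-plc-1.openfrp.top"}
C2_PORTS = {25565, 48454}
MUTEX = "火绒远程管理"  # not observable via Sysmon; needs a live handle check
# Config: %AppData%\Windows Updata.exe (space). Observed: C:\Windows\Windows_Updata.exe
# (underscore). Match the basename loosely so either spelling hits.
INSTALL_NAME_RE = re.compile(r"^windows[ _]updata\.exe$", re.IGNORECASE)
DROPPED_SHA256 = {
    "e22c92f125e5575b186ee09a98809b3addc86c5a827a81511170f87dc7244875",  # Windows_Updata.exe
    "bd7c8ea1eea5054a5a5c9c29c4a001c1b8f33036fccbed309801dd6f9e59234c",  # HMCL-3.5.3.exe
}


@dataclass
class Hit:
    event_id: int
    reason: str
    detail: str


def expand_appdata(path, appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Expand %AppData% as the implant would; the profile path is an assumption."""
    return path.replace("%AppData%", appdata)


def parse_hashes(hashes):
    """Sysmon's Hashes field is 'ALG=HEX,ALG=HEX'; return {ALG: hex_lower}."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip().lower()
    return out


def check_event(ev):
    """Return a Hit if one Sysmon-style event matches an indicator, else None."""
    eid = ev["EventID"]
    if eid == 22 and ev.get("QueryName", "").lower() in C2_HOSTS:
        return Hit(eid, "c2_dns", ev["QueryName"])
    if eid == 3:
        host = ev.get("DestinationHostname", "").lower()
        port = int(ev.get("DestinationPort", 0))
        if host in C2_HOSTS and port in C2_PORTS:
            return Hit(eid, "c2_connect", f"{host}:{port}")
        if host in C2_HOSTS:
            # Same relay host, different port: worth a look, lower confidence.
            return Hit(eid, "c2_host", f"{host}:{port}")
        # Port alone is deliberately not matched: 25565 is also Minecraft's
        # default server port, and the decoy dropped here is a Minecraft launcher.
    if eid == 11 and INSTALL_NAME_RE.match(ntpath.basename(ev.get("TargetFilename", ""))):
        return Hit(eid, "install_file", ev["TargetFilename"])
    if eid == 1:
        image = ev.get("Image", "")
        if INSTALL_NAME_RE.match(ntpath.basename(image)):
            return Hit(eid, "install_exec", image)
        if parse_hashes(ev.get("Hashes", "")).get("SHA256") in DROPPED_SHA256:
            return Hit(eid, "known_hash", image)
    return None


def scan(events):
    """Run every event through check_event and keep the hits, in order."""
    return [hit for hit in map(check_event, events) if hit is not None]


# Constructed events for illustration (not from the sandbox run).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Windows_Updata.exe",
     "Hashes": "SHA256=E22C92F125E5575B186EE09A98809B3ADDC86C5A827A81511170F87DC7244875"},
    {"EventID": 11, "TargetFilename": expand_appdata(r"%AppData%\Windows Updata.exe")},
    {"EventID": 22, "QueryName": "cn-gx-plc-1.openfrp.top"},
    {"EventID": 3, "DestinationHostname": "cn-gx-plc-1.openfrp.top", "DestinationPort": "48454"},
    {"EventID": 3, "DestinationHostname": "mc.example.net", "DestinationPort": "25565"},
    {"EventID": 1, "Image": r"C:\Windows\HMCL-3.5.3.exe",
     "Hashes": "MD5=A29167E249E8C1113A92BC033335B998,SHA256=BD7C8EA1EEA5054A5A5C9C29C4A001C1B8F33036FCCBED309801DD6F9E59234C"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"EventID {hit.event_id}: {hit.reason} -> {hit.detail}")
```

The mutex 火绒远程管理 does not appear in Sysmon telemetry; check it on a live host with a handle listing (for example Sysinternals handle.exe) or in a memory image. openfrp.top is a tunnelling relay, so the hostname alone identifies the relay provider rather than this operator; the host-plus-port pair is the higher-confidence match, and the constructed benign event on port 25565 shows the rule staying quiet for ordinary Minecraft traffic.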


        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          462f125b244253af2398adfe00354b77

          SHA1

          b26ce28ddb4b8ffd243671e90c44fc2e8c332f50

          SHA256

          a4ce7eb7c45cf6080912088908c4d3a0f2a12e37a11a8c7258be93966732f8e3

          SHA512

          cf8054fb3e90580afc51ed955c7479838ff8298d96b953a59b24f0a853b7e050fd9d6ef7356c0cfe420adfa352e62b3ddd7cac2afbd3c63fc2bf3c867a908868

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

          Filesize

          1KB

          MD5

          3130f97c268d30d64aa5fff9c1cd10eb

          SHA1

          f3ce52fd051cb00c0825fe44d330eaf621ad825a

          SHA256

          03a4a21d4c8bf2c164de7ac4381e669c57892dd3af9878288201ad8fccce7454

          SHA512

          f398b11c9ca87ea68e14e76f9a739bc92af435298a89af75225f67a32e5def092cab18b90f294666baad115e8013e5af32d8ddb514324fc2e6452bb6e4ad967a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IYE87ELC.txt

          Filesize

          601B

          MD5

          a5c61af2da3da30109090a6e901bdc8e

          SHA1

          eeb0bc89bf47aacb319e032f5bd2c95250387052

          SHA256

          362437049ee228da5fee3969dd9c8cf4434ef32b7800e0f250446903262f896c

          SHA512

          bd99152f7d0e2cc6ff3e78768945418c065e8697648b20a27353df6f4e39f96e482cf5a60d8ef85e2a3c7b6c53050886e44d0b5ae3d8ccabbd3a3b1890974d62

        • C:\Windows\HMCL-3.5.3.exe

          Filesize

          4.4MB

          MD5

          a29167e249e8c1113a92bc033335b998

          SHA1

          71d097d12491a6e0c9e3b3bffaf98065ab322631

          SHA256

          bd7c8ea1eea5054a5a5c9c29c4a001c1b8f33036fccbed309801dd6f9e59234c

          SHA512

          f7aea383587840d34cc3eacbb87a33afb40e76f768c170407c4ea3694451f83d1778fa66647a50ef9a656e098443e1acae192eb66287a426ebe9743ee97d1738

        • C:\Windows\Windows_Updata.exe

          Filesize

          152KB

          MD5

          739f33737de20fb9037ea304b0953249

          SHA1

          eb91946ff053272c4437b7d01cd2bf26f8954e10

          SHA256

          e22c92f125e5575b186ee09a98809b3addc86c5a827a81511170f87dc7244875

          SHA512

          41146a7ac8f17d839c291eff991cb0d552d54cc6487a65d4122d546e1a608f2db0a3ee83295923e47dbfdc2aa5e11fe6a7244f0f720cf7449372eec217348996

        • memory/1304-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

          Filesize

          8KB

        • memory/1872-61-0x00000000005C0000-0x00000000005D9000-memory.dmp

          Filesize

          100KB

        • memory/1872-62-0x0000000001FF0000-0x0000000002006000-memory.dmp

          Filesize

          88KB