Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-02-2023 03:48

General

  • Target

    fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe

  • Size

    45KB

  • MD5

    b379d5f8e60203f7ac58330baf412e41

  • SHA1

    de08737859edb749490b33a2426011e169321684

  • SHA256

    fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3

  • SHA512

    984c4ae0bc27ad4423e92c9e4d9f0194ff0d84e613e42592977396878b78776358b773ddc40bfc5a7e9351f4f778c9f663fbca08fd8bf3cbc7e142ec2d44b0ed

  • SSDEEP

    768:3ukzVT0kLd3WULgPdVmo2qD7KjGKG6PIyzjbFgX3i08Bobv+L4yboBDZzx:3ukzVT0Mq12KKYDy3bCXS1tSdzx

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

101.33.208.151:6606

101.33.208.151:7707

101.33.208.151:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    window.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe
    "C:\Users\Admin\AppData\Local\Temp\fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "window" /tr '"C:\Users\Admin\AppData\Roaming\window.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3432
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "window" /tr '"C:\Users\Admin\AppData\Roaming\window.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:2616
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp70FE.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4452
      • C:\Users\Admin\AppData\Roaming\window.exe
        "C:\Users\Admin\AppData\Roaming\window.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp70FE.tmp.bat
    Filesize

    150B

    MD5

    a612fd86a80b9a72eb1c04fc93604cbb

    SHA1

    9479a473a51b97d9e3014ce9ab7ece69320bc67d

    SHA256

    db4a472d9dac37e815ce110c59eb5f21ea5123364ef6aad5fc90246cb551cbdc

    SHA512

    5740e7c3cef7ec6c48d22d68601915698c7d04461e54c8ba8f3c901edb0557a35aebf0bfca367ea3508546f0ec9bd91fed3efb0172c28ca92c4bbafb25a4c7bc

  • C:\Users\Admin\AppData\Roaming\window.exe
    Filesize

    45KB

    MD5

    b379d5f8e60203f7ac58330baf412e41

    SHA1

    de08737859edb749490b33a2426011e169321684

    SHA256

    fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3

    SHA512

    984c4ae0bc27ad4423e92c9e4d9f0194ff0d84e613e42592977396878b78776358b773ddc40bfc5a7e9351f4f778c9f663fbca08fd8bf3cbc7e142ec2d44b0ed

  • C:\Users\Admin\AppData\Roaming\window.exe
    Filesize

    45KB

    MD5

    b379d5f8e60203f7ac58330baf412e41

    SHA1

    de08737859edb749490b33a2426011e169321684

    SHA256

    fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3

    SHA512

    984c4ae0bc27ad4423e92c9e4d9f0194ff0d84e613e42592977396878b78776358b773ddc40bfc5a7e9351f4f778c9f663fbca08fd8bf3cbc7e142ec2d44b0ed

  • memory/1816-139-0x0000000000000000-mapping.dmp
  • memory/2616-137-0x0000000000000000-mapping.dmp
  • memory/3432-134-0x0000000000000000-mapping.dmp
  • memory/4128-135-0x0000000000000000-mapping.dmp
  • memory/4452-138-0x0000000000000000-mapping.dmp
  • memory/5088-132-0x0000000000660000-0x0000000000672000-memory.dmp
    Filesize

    72KB

  • memory/5088-133-0x0000000005300000-0x000000000539C000-memory.dmp
    Filesize

    624KB