Overview

overview

10

Static

static

1

FUDSilentCrypt.exe

windows7-x64

10

FUDSilentCrypt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-02-2023 05:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FUDSilentCrypt.exe

  • Size

    53.0MB

  • MD5

    377475407f594a9a3054c3b012b52889

  • SHA1

    aab2a193aae478408be5b41f9c24a4d7e7ecf5ff

  • SHA256

    73da672e9c1adc2e13625aeb89bcc6f78382ff96ee41c25a6ccb817bc65e8521

  • SHA512

    68bce781a24c83713747695a6e19cd38b6066eb8c4866ca91c668190abf07aa99ac07e63059ae0b3c4564b1f7f97c0b818378ff2a2458b9100ef4597db68c89b

  • SSDEEP

    6144:Ih0CzEeWuPeZ3NUMOnpTdioT2NeLGp/uwONct43+4gU:W9zEGPeZ3Megce6pGHNu47gU

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

194.49.94.163:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    RuntimeService.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 7 IoCs
    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FUDSilentCrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\FUDSilentCrypt.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Local\Temp\Payload.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeService" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeService.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "RuntimeService" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeService.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:4288
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5321.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1008
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1844
        • C:\Users\Admin\AppData\Roaming\RuntimeService.exe
          "C:\Users\Admin\AppData\Roaming\RuntimeService.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1072
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\RuntimeService"
      2⤵
        PID:3480
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4692
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe'" /f
          3⤵
          • Creates scheduled task(s)
          PID:2636
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\FUDSilentCrypt.exe" "C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe"
        2⤵
          PID:2088
      • C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe
        C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Users\Admin\AppData\Local\Temp\Payload.exe
          "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
          2⤵
          • Executes dropped EXE
          PID:1284
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\RuntimeService"
          2⤵
            PID:1256
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe'" /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1436
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe'" /f
              3⤵
              • Creates scheduled task(s)
              PID:2960
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c copy "C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe" "C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe"
            2⤵
              PID:1676
          • C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe
            C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe
            1⤵
            • Executes dropped EXE
            PID:3156

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Scheduled Task

          1
          T1053

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payload.exe.log
            Filesize

            614B

            MD5

            54920f388010333559bdff225040761d

            SHA1

            040972bf1fc83014f10c45832322c094f883ce30

            SHA256

            9ed5449a36700939987209c7a2974b9cc669b8b22c7c4e7936f35dda0a4dc359

            SHA512

            e17aa5d1328b3bfd3754d15b3c2eded98653d90c7b326f941522e0b3bd6f557880246a6bc69047facb42eb97d2e0ed6c46148dfe95a98669fc4e1d07c21a285c

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeService.exe.log
            Filesize

            897B

            MD5

            9dbc3adfc8775fe4c552c3db86475f8e

            SHA1

            ad7f64bdfeb6d7aa14362f9d3f95f621d3eee57d

            SHA256

            a4e385e6475e7d3864441a655560adc3a91f407ed7d3e3f77a6a444d1f84889e

            SHA512

            9b95a3a0d084dfc3707ee18b81d724e7ef30dad39ef9dbd394734fb0d4af8ddc609b92660d6105f6888ad7c192d82732106e8594cdd8b31a7acdaec50d902e1c

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Payload.exe
            Filesize

            45KB

            MD5

            3dfaaf4e5b35b91fc538c9dc5c60b744

            SHA1

            493e9bf280746ffb2e8e95c0e5c14bb031fc9548

            SHA256

            65b334e703494d3e8594c706a128e13e0a6b06f4d4f822fa1553f82c161f986c

            SHA512

            18b44f89ac4a7078c9a4bcb811f3ffe8276bb81ae6adebc30122ea5bb0a975dcca553b3f9580b51288c4d7c40191910c639a7b6a5474905833cf7305770c16b5

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Payload.exe
            Filesize

            45KB

            MD5

            3dfaaf4e5b35b91fc538c9dc5c60b744

            SHA1

            493e9bf280746ffb2e8e95c0e5c14bb031fc9548

            SHA256

            65b334e703494d3e8594c706a128e13e0a6b06f4d4f822fa1553f82c161f986c

            SHA512

            18b44f89ac4a7078c9a4bcb811f3ffe8276bb81ae6adebc30122ea5bb0a975dcca553b3f9580b51288c4d7c40191910c639a7b6a5474905833cf7305770c16b5

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Payload.exe
            Filesize

            45KB

            MD5

            3dfaaf4e5b35b91fc538c9dc5c60b744

            SHA1

            493e9bf280746ffb2e8e95c0e5c14bb031fc9548

            SHA256

            65b334e703494d3e8594c706a128e13e0a6b06f4d4f822fa1553f82c161f986c

            SHA512

            18b44f89ac4a7078c9a4bcb811f3ffe8276bb81ae6adebc30122ea5bb0a975dcca553b3f9580b51288c4d7c40191910c639a7b6a5474905833cf7305770c16b5

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Payload.exe
            Filesize

            45KB

            MD5

            3dfaaf4e5b35b91fc538c9dc5c60b744

            SHA1

            493e9bf280746ffb2e8e95c0e5c14bb031fc9548

            SHA256

            65b334e703494d3e8594c706a128e13e0a6b06f4d4f822fa1553f82c161f986c

            SHA512

            18b44f89ac4a7078c9a4bcb811f3ffe8276bb81ae6adebc30122ea5bb0a975dcca553b3f9580b51288c4d7c40191910c639a7b6a5474905833cf7305770c16b5

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\tmp5321.tmp.bat
            Filesize

            158B

            MD5

            7070309dd520c4323a7696f3762e9970

            SHA1

            477998f7c43e6fe6c13b41a51ca1fc3597ce3b11

            SHA256

            ead576e672d0f0bcd384c01312b565fcaea7c46a2e601c74dc80705874a09531

            SHA512

            c24e2ec98f006f58b7f99ad529168b05db1f12cbd421443f2db1efb28473da7eb52056f52bef9b5b6342469c8032adec496b7a1c5e27f50f39d6c9f111846003

            Download Submit
          • C:\Users\Admin\AppData\Roaming\RuntimeService.exe
            Filesize

            45KB

            MD5

            3dfaaf4e5b35b91fc538c9dc5c60b744

            SHA1

            493e9bf280746ffb2e8e95c0e5c14bb031fc9548

            SHA256

            65b334e703494d3e8594c706a128e13e0a6b06f4d4f822fa1553f82c161f986c

            SHA512

            18b44f89ac4a7078c9a4bcb811f3ffe8276bb81ae6adebc30122ea5bb0a975dcca553b3f9580b51288c4d7c40191910c639a7b6a5474905833cf7305770c16b5

            Download Submit
          • C:\Users\Admin\AppData\Roaming\RuntimeService.exe
            Filesize

            45KB

            MD5

            3dfaaf4e5b35b91fc538c9dc5c60b744

            SHA1

            493e9bf280746ffb2e8e95c0e5c14bb031fc9548

            SHA256

            65b334e703494d3e8594c706a128e13e0a6b06f4d4f822fa1553f82c161f986c

            SHA512

            18b44f89ac4a7078c9a4bcb811f3ffe8276bb81ae6adebc30122ea5bb0a975dcca553b3f9580b51288c4d7c40191910c639a7b6a5474905833cf7305770c16b5

            Download Submit
          • C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe
            Filesize

            53.0MB

            MD5

            377475407f594a9a3054c3b012b52889

            SHA1

            aab2a193aae478408be5b41f9c24a4d7e7ecf5ff

            SHA256

            73da672e9c1adc2e13625aeb89bcc6f78382ff96ee41c25a6ccb817bc65e8521

            SHA512

            68bce781a24c83713747695a6e19cd38b6066eb8c4866ca91c668190abf07aa99ac07e63059ae0b3c4564b1f7f97c0b818378ff2a2458b9100ef4597db68c89b

            Download Submit
          • C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe
            Filesize

            53.0MB

            MD5

            377475407f594a9a3054c3b012b52889

            SHA1

            aab2a193aae478408be5b41f9c24a4d7e7ecf5ff

            SHA256

            73da672e9c1adc2e13625aeb89bcc6f78382ff96ee41c25a6ccb817bc65e8521

            SHA512

            68bce781a24c83713747695a6e19cd38b6066eb8c4866ca91c668190abf07aa99ac07e63059ae0b3c4564b1f7f97c0b818378ff2a2458b9100ef4597db68c89b

            Download Submit
          • C:\Users\Admin\AppData\Roaming\RuntimeService\RuntimeService.exe
            Filesize

            53.0MB

            MD5

            377475407f594a9a3054c3b012b52889

            SHA1

            aab2a193aae478408be5b41f9c24a4d7e7ecf5ff

            SHA256

            73da672e9c1adc2e13625aeb89bcc6f78382ff96ee41c25a6ccb817bc65e8521

            SHA512

            68bce781a24c83713747695a6e19cd38b6066eb8c4866ca91c668190abf07aa99ac07e63059ae0b3c4564b1f7f97c0b818378ff2a2458b9100ef4597db68c89b

            Download Submit
          • memory/1008-146-0x0000000000000000-mapping.dmp
            Download
          • memory/1072-150-0x0000000000000000-mapping.dmp
            Download
          • memory/1256-157-0x0000000000000000-mapping.dmp
            Download
          • memory/1284-155-0x0000000000000000-mapping.dmp
            Download
          • memory/1436-160-0x0000000000000000-mapping.dmp
            Download
          • memory/1676-161-0x0000000000000000-mapping.dmp
            Download
          • memory/1844-148-0x0000000000000000-mapping.dmp
            Download
          • memory/2088-142-0x0000000000000000-mapping.dmp
            Download
          • memory/2452-145-0x0000000000000000-mapping.dmp
            Download
          • memory/2532-135-0x0000000005110000-0x0000000005176000-memory.dmp
            Filesize

            408KB

            Download
          • memory/2532-132-0x0000000000750000-0x000000000079A000-memory.dmp
            Filesize

            296KB

            Download
          • memory/2532-133-0x0000000005580000-0x0000000005B24000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/2532-134-0x0000000005070000-0x0000000005102000-memory.dmp
            Filesize

            584KB

            Download
          • memory/2636-143-0x0000000000000000-mapping.dmp
            Download
          • memory/2960-162-0x0000000000000000-mapping.dmp
            Download
          • memory/3480-140-0x0000000000000000-mapping.dmp
            Download
          • memory/4288-149-0x0000000000000000-mapping.dmp
            Download
          • memory/4536-136-0x0000000000000000-mapping.dmp
            Download
          • memory/4536-139-0x0000000000370000-0x0000000000382000-memory.dmp
            Filesize

            72KB

            Download
          • memory/4536-144-0x0000000005150000-0x00000000051EC000-memory.dmp
            Filesize

            624KB

            Download
          • memory/4692-141-0x0000000000000000-mapping.dmp
            Download