Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2023, 15:27

General

  • Target

    0x000300000002287f-434.exe

  • Size

    63KB

  • MD5

    2d7e104a199600d550879e132d877ee7

  • SHA1

    9a702148bcb48c8f666d275b0b08bf2b1711e069

  • SHA256

    4f4432ddc88c1bca9f139589c8ce1fcaf016ff167d189e6fb6231057fdf1fff7

  • SHA512

    c78a6954104da75ffb6a98447fe36f8297d27929a1eab540eed67e4ec42d35ad46fe0037bf29d7904f36433dce34a27b92556e4e376ef79c1914cc54676adc33

  • SSDEEP

    768:a3lDmSRCvHxiP7VIiz9JS8cwoLw9Qq2R1+KASmv7mqb2nFpwH1ovTGU6eLMnqGzl:acHWRbc78du1ibb2w+3bdGztpqKmY7

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

CYB3R R4T 1.0.7

Botnet

Default

C2

ii-usd.at.ply.gg:25036

Mutex

Cyb3r_R4tMutex_Cyb3rw4rrior1011

Attributes
  • delay

    1

  • install

    true

  • install_file

    syscall.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Async RAT payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "syscall" /tr '"C:\Users\Admin\AppData\Roaming\syscall.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "syscall" /tr '"C:\Users\Admin\AppData\Roaming\syscall.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4264
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF8E.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:404
      • C:\Users\Admin\AppData\Roaming\syscall.exe
        "C:\Users\Admin\AppData\Roaming\syscall.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3484

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpAF8E.tmp.bat

          Filesize

          151B

          MD5

          61f5339dbab00d413994520055e6d203

          SHA1

          0f6802af5a184d33a01ff80251f2c11db65d3d4a

          SHA256

          0a0b313be845e2db6ae73c10bc737b3bca555c7ae520ca3abb94dca3e033d5b4

          SHA512

          904161371c674c3f9598e3b2331938b81d7472fe270b0fc4cb199a1fe69b283cfe281625e045a951372417e33a11bd4aceb5b77952807a276d31155541bafc21

        • C:\Users\Admin\AppData\Roaming\syscall.exe

          Filesize

          63KB

          MD5

          2d7e104a199600d550879e132d877ee7

          SHA1

          9a702148bcb48c8f666d275b0b08bf2b1711e069

          SHA256

          4f4432ddc88c1bca9f139589c8ce1fcaf016ff167d189e6fb6231057fdf1fff7

          SHA512

          c78a6954104da75ffb6a98447fe36f8297d27929a1eab540eed67e4ec42d35ad46fe0037bf29d7904f36433dce34a27b92556e4e376ef79c1914cc54676adc33

        • C:\Users\Admin\AppData\Roaming\syscall.exe

          Filesize

          63KB

          MD5

          2d7e104a199600d550879e132d877ee7

          SHA1

          9a702148bcb48c8f666d275b0b08bf2b1711e069

          SHA256

          4f4432ddc88c1bca9f139589c8ce1fcaf016ff167d189e6fb6231057fdf1fff7

          SHA512

          c78a6954104da75ffb6a98447fe36f8297d27929a1eab540eed67e4ec42d35ad46fe0037bf29d7904f36433dce34a27b92556e4e376ef79c1914cc54676adc33

        • memory/2044-133-0x000002085E090000-0x000002085E0A6000-memory.dmp

          Filesize

          88KB

        • memory/2044-134-0x000002085FD80000-0x000002085FD90000-memory.dmp

          Filesize

          64KB

        • memory/3484-143-0x000002D4FBAC0000-0x000002D4FBAD0000-memory.dmp

          Filesize

          64KB

        • memory/3484-144-0x000002D4FBAC0000-0x000002D4FBAD0000-memory.dmp

          Filesize

          64KB