Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/03/2023, 10:06

General

  • Target

    BG000896543.exe

  • Size

    469KB

  • MD5

    bf77e106994c623f8b5c1747e97ba97e

  • SHA1

    d66c2fc3c47cd4f60924cf863c43d1d8c28929d8

  • SHA256

    1fcf39f27164b5bfee7f234220f5cd10f73932d72794cafd678a0dac1297707f

  • SHA512

    1929159c8fed9205e0b37eeae899db58bf66159ac7c05fd810c0305d12a9377292e45a6d6f59b6438aee4c6532d7d8c871834072ab52c9451736bfff3caecb54

  • SSDEEP

    3072:IfY/TU9fE9PEtuoNbGi7KV6WBp9aHRhFDCPuu+CANvDZ23ykOnp3l7JO/:+Ya68G1p9aHRhd2+CANvDZ2CkI3dJy

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.3.193.136:2023

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BG000896543.exe
    "C:\Users\Admin\AppData\Local\Temp\BG000896543.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\jmxpydzgw.exe
      "C:\Users\Admin\AppData\Local\Temp\jmxpydzgw.exe" C:\Users\Admin\AppData\Local\Temp\edfxh.uno
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Local\Temp\jmxpydzgw.exe
        "C:\Users\Admin\AppData\Local\Temp\jmxpydzgw.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:544

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\edfxh.uno

          Filesize

          7KB

          MD5

          c7a9d72dcb4c336ed5ce3bc3f84dd1ff

          SHA1

          89e84e7a721a8de1439caac348214df6130b1d95

          SHA256

          7d1e0ce820decb490b328f147d873cadf2cc2ff18d2f38fbe314835c0b0bce7d

          SHA512

          2265247e034ddef51853460a2dedb66e86851912aa4169d795e53911ba63d53857c097398be7d8f7a4b94b0067c47d1ae4baad0b26f0614b07f80cbe1f8452cb

        • C:\Users\Admin\AppData\Local\Temp\grfmfvqbxa.zsd

          Filesize

          82KB

          MD5

          da5c2ace84a6bda6b77fa44cffe23637

          SHA1

          477a8fa4732843cc3c0399cd9256d76e5c3080a9

          SHA256

          57e9c28db872eb5a639af48bb88a59da1c2c5e8af4832c444ef812162b311181

          SHA512

          20beee6e71d55a9da667f7d5db2d5480a8a82053a3fbcbe0b0e0d84ac952b120bb52ab424d35a75650d28901a4791d56f4f7520f5138f0da3353040c6344bea1

        • C:\Users\Admin\AppData\Local\Temp\jmxpydzgw.exe

          Filesize

          93KB

          MD5

          41fcc8ea93e353c03f86c4f7f47fb8bf

          SHA1

          37766be6029410e596c103fa5aa660d4e7de5cb4

          SHA256

          328f8c311bc7c17bc544d83665216ef125a5ebf1d4acc87423352c9346ded93d

          SHA512

          ae70ff237246e03ab6836aa6c594a3904be6e9cdc9990618f626622f213a54aabd29e86c3bba8ada3ceaba74f86379facd3172ce04f7405a225e4e11058c1dae

        • \Users\Admin\AppData\Local\Temp\jmxpydzgw.exe

          Filesize

          93KB

          MD5

          41fcc8ea93e353c03f86c4f7f47fb8bf

          SHA1

          37766be6029410e596c103fa5aa660d4e7de5cb4

          SHA256

          328f8c311bc7c17bc544d83665216ef125a5ebf1d4acc87423352c9346ded93d

          SHA512

          ae70ff237246e03ab6836aa6c594a3904be6e9cdc9990618f626622f213a54aabd29e86c3bba8ada3ceaba74f86379facd3172ce04f7405a225e4e11058c1dae

        • memory/544-69-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

        • memory/544-72-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

        • memory/544-74-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

        • memory/544-75-0x0000000000400000-0x0000000000426000-memory.dmp

          Filesize

          152KB

        • memory/544-76-0x00000000005F0000-0x0000000000602000-memory.dmp

          Filesize

          72KB

        • memory/544-77-0x0000000001E10000-0x0000000001E50000-memory.dmp

          Filesize

          256KB