Overview

overview

10

Static

static

10

05b1080658...61.exe

windows7-x64

10

05b1080658...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-03-2023 01:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05b1080658b2c922f7becdb930e8f9fc34822b27982a4d89784f335565df7361.exe

  • Size

    45KB

  • MD5

    a7f473e14b7c3e56561ff51f87b2f279

  • SHA1

    799bb3816916db3e6e92ff665c34e020cf444859

  • SHA256

    05b1080658b2c922f7becdb930e8f9fc34822b27982a4d89784f335565df7361

  • SHA512

    eb118655b71c4b04cc9da4de9f943b98ce9c7ca562835a39a757a4e5f333da0fdcb39c34eec0f5351855875a301078ecc96126af32c17f4f1eff512c4cdc5e69

  • SSDEEP

    768:TuERVThg5RXWUr/+1mo2qD84lNVx1VEHUPIKFjbmgX3inm6AhL1uQHQoBDZTx:TuERVThaa2AlQKNb5XSTApHdTx

Score
10/10
asyncratcom surrogaterat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

COM Surrogate

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1604

127.0.0.1:14576

127.0.0.1:15074

4.tcp.eu.ngrok.io:6606

4.tcp.eu.ngrok.io:7707

4.tcp.eu.ngrok.io:8808

4.tcp.eu.ngrok.io:1604

4.tcp.eu.ngrok.io:14576

4.tcp.eu.ngrok.io:15074

7.tcp.eu.ngrok.io:6606

7.tcp.eu.ngrok.io:7707

7.tcp.eu.ngrok.io:8808

7.tcp.eu.ngrok.io:1604

7.tcp.eu.ngrok.io:14576

7.tcp.eu.ngrok.io:15074
Mutex

COM Surrogate

Attributes
  • delay

    3

  • install

    true

  • install_file

    Microsoftfixer.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 3 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05b1080658b2c922f7becdb930e8f9fc34822b27982a4d89784f335565df7361.exe
    "C:\Users\Admin\AppData\Local\Temp\05b1080658b2c922f7becdb930e8f9fc34822b27982a4d89784f335565df7361.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoftfixer" /tr '"C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Microsoftfixer" /tr '"C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4116
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE43A.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:948
      • C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe
        "C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4472

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE43A.tmp.bat
    Filesize

    158B

    MD5

    a0bd5c1ad2a4a7b72fe795c708b75697

    SHA1

    18a959e7c08e6a919dceb7a286fdd5e6314c1124

    SHA256

    1ced53008aaf4dba8cc5a8cb15e8ec7c658424aec1196e07504467229b200c99

    SHA512

    d2afb4ef0080219eb71425984e186ad95747c792cfcbea5f61189c600823b7848fa69b91ef2fbbca6548e7ae701d55e8b55fd01f91ba1c852b764010e1b6c931

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe
    Filesize

    45KB

    MD5

    a7f473e14b7c3e56561ff51f87b2f279

    SHA1

    799bb3816916db3e6e92ff665c34e020cf444859

    SHA256

    05b1080658b2c922f7becdb930e8f9fc34822b27982a4d89784f335565df7361

    SHA512

    eb118655b71c4b04cc9da4de9f943b98ce9c7ca562835a39a757a4e5f333da0fdcb39c34eec0f5351855875a301078ecc96126af32c17f4f1eff512c4cdc5e69

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoftfixer.exe
    Filesize

    45KB

    MD5

    a7f473e14b7c3e56561ff51f87b2f279

    SHA1

    799bb3816916db3e6e92ff665c34e020cf444859

    SHA256

    05b1080658b2c922f7becdb930e8f9fc34822b27982a4d89784f335565df7361

    SHA512

    eb118655b71c4b04cc9da4de9f943b98ce9c7ca562835a39a757a4e5f333da0fdcb39c34eec0f5351855875a301078ecc96126af32c17f4f1eff512c4cdc5e69

    Download Submit
  • memory/3192-133-0x0000000000F40000-0x0000000000F52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3192-134-0x0000000005910000-0x0000000005920000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3192-135-0x00000000059B0000-0x0000000005A16000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3192-136-0x0000000005E40000-0x0000000005EDC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4472-145-0x0000000004AB0000-0x0000000004AC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4472-146-0x0000000004AB0000-0x0000000004AC0000-memory.dmp
    Filesize

    64KB

    Download