Analysis

  • max time kernel
    61s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 01:14

General

  • Target

    9bbd2c016eefb9e2edab3e8202e8a848bebac36f1565b596c54a0c3278a182dc.exe

  • Size

    47KB

  • MD5

    3693114744003b6641e3c767518e47da

  • SHA1

    22df3884394cedffe035dfd1e73d2969468ec793

  • SHA256

    9bbd2c016eefb9e2edab3e8202e8a848bebac36f1565b596c54a0c3278a182dc

  • SHA512

    eb278143a1fa490d497d9869b50697a51d562504d0ee50f45a0fcb95654bc2a1b4534757ec7e3f8edd8a92742ef3855d91e5318b64cc0fb1b925f9d07d268836

  • SSDEEP

    768:0oFKMJMj5I4G3y/NlIR2qeYhQjCY7jbzgr3irE5a4g1fVMjrClZZ2tYcFmVc6K:0oFKMJezqzhMvbsrSX38urZKmVcl

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

Botnet

Default

C2

seznam.zapto.org:6606

seznam.zapto.org:7707

seznam.zapto.org:8808

milla11.publicvm.com:6606

milla11.publicvm.com:7707

milla11.publicvm.com:8808

Mutex

trffisyuiifgqcpeof

Attributes
  • delay

    5

  • install

    true

  • install_file

    explorere.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Async RAT payload 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bbd2c016eefb9e2edab3e8202e8a848bebac36f1565b596c54a0c3278a182dc.exe
    "C:\Users\Admin\AppData\Local\Temp\9bbd2c016eefb9e2edab3e8202e8a848bebac36f1565b596c54a0c3278a182dc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 9bbd2c016eefb9e2edab3e8202e8a848bebac36f1565b596c54a0c3278a182dc /tr '"C:\Users\Admin\AppData\Roaming\explorere.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /ru system /rl highest /tn 9bbd2c016eefb9e2edab3e8202e8a848bebac36f1565b596c54a0c3278a182dc /tr '"C:\Users\Admin\AppData\Roaming\explorere.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4404
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF486.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4944
      • C:\Users\Admin\AppData\Roaming\explorere.exe
        "C:\Users\Admin\AppData\Roaming\explorere.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF486.tmp.bat
    Filesize

    153B

    MD5

    81d4e9dc53feb2788e5a4f1c0f3b39bc

    SHA1

    eb7835e3653d37b271392341c62b1c2d5135a52a

    SHA256

    874b9309e4e7ac0d9a258d92a52d99ee0965c2fc77e0a3986da7c2d6644d6ffe

    SHA512

    c867716e86a660f482aea22ea9e37e21a8b9e6821f7b08dd03d3ebe9146ba905db63a3a3d759f73d66c1f94fb7a293af4e0bdc7c92c6b36dded7eb12b323d096

  • C:\Users\Admin\AppData\Roaming\explorere.exe
    Filesize

    47KB

    MD5

    3693114744003b6641e3c767518e47da

    SHA1

    22df3884394cedffe035dfd1e73d2969468ec793

    SHA256

    9bbd2c016eefb9e2edab3e8202e8a848bebac36f1565b596c54a0c3278a182dc

    SHA512

    eb278143a1fa490d497d9869b50697a51d562504d0ee50f45a0fcb95654bc2a1b4534757ec7e3f8edd8a92742ef3855d91e5318b64cc0fb1b925f9d07d268836

  • C:\Users\Admin\AppData\Roaming\explorere.exe
    Filesize

    47KB

    MD5

    3693114744003b6641e3c767518e47da

    SHA1

    22df3884394cedffe035dfd1e73d2969468ec793

    SHA256

    9bbd2c016eefb9e2edab3e8202e8a848bebac36f1565b596c54a0c3278a182dc

    SHA512

    eb278143a1fa490d497d9869b50697a51d562504d0ee50f45a0fcb95654bc2a1b4534757ec7e3f8edd8a92742ef3855d91e5318b64cc0fb1b925f9d07d268836

  • memory/2372-133-0x0000000000D20000-0x0000000000D32000-memory.dmp
    Filesize

    72KB

  • memory/2372-134-0x000000001BAA0000-0x000000001BAB0000-memory.dmp
    Filesize

    64KB

  • memory/4424-143-0x000000001B520000-0x000000001B530000-memory.dmp
    Filesize

    64KB

  • memory/4424-144-0x000000001B520000-0x000000001B530000-memory.dmp
    Filesize

    64KB