Analysis

  • max time kernel
    123s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2023 07:25

General

  • Target

    tmp.exe

  • Size

    57KB

  • MD5

    7422d3af2fc6d1f7ecef432d86353456

  • SHA1

    fd470052846183329edd22a923d070ad71ba79cc

  • SHA256

    ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4

  • SHA512

    24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a

  • SSDEEP

    1536:aIUw2xx5XbyB/licYH6GlQZXRwA2IJYkbHTH1lmK9Xx:aIUw2xx5Xb0/EcYH6GlQEANCkbHTNVx

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

A&H

C2

aboreda.linkpc.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    10

  • install

    true

  • install_file

    WindowsUpdate.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Async RAT payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4532
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC643.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4880
      • C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
        "C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpC643.tmp.bat
    Filesize

    157B

    MD5

    f34b416bcfd979f429103337b234cb5d

    SHA1

    699f931fec83f800685444150869fd346b6055e6

    SHA256

    3e826b31cff47f894e44b92862a3bd6fe92637d6b8791d83cbecd6a16a2f762a

    SHA512

    fbf5513996f1d466be25f708d6cad02e6bf2ede1ac597871a980c0024668632a67f08d537f416239cc61e853f8c3167970b61fa7b564de57cc99815c7710665b

  • C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    Filesize

    57KB

    MD5

    7422d3af2fc6d1f7ecef432d86353456

    SHA1

    fd470052846183329edd22a923d070ad71ba79cc

    SHA256

    ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4

    SHA512

    24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a

  • C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
    Filesize

    57KB

    MD5

    7422d3af2fc6d1f7ecef432d86353456

    SHA1

    fd470052846183329edd22a923d070ad71ba79cc

    SHA256

    ba0b8d476dc0152aa59cfc15b1a93fc039baab07cdf95677871d9157488babe4

    SHA512

    24baf349ae705d0d88571a79a5d449f3ee4bb3e9f751d44a26f263298d69e5872ee9d8e6f4b150dd24a669f534b67a1de184466ba25399b6d9da68537693063a

  • memory/1772-133-0x00000000005F0000-0x0000000000604000-memory.dmp
    Filesize

    80KB

  • memory/1772-134-0x0000000004F20000-0x0000000004F30000-memory.dmp
    Filesize

    64KB

  • memory/1772-135-0x00000000052D0000-0x000000000536C000-memory.dmp
    Filesize

    624KB

  • memory/4488-144-0x0000000004D40000-0x0000000004D50000-memory.dmp
    Filesize

    64KB

  • memory/4488-145-0x0000000005980000-0x0000000005F24000-memory.dmp
    Filesize

    5.6MB

  • memory/4488-146-0x0000000005440000-0x00000000054A6000-memory.dmp
    Filesize

    408KB

  • memory/4488-147-0x0000000004D40000-0x0000000004D50000-memory.dmp
    Filesize

    64KB