Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2023 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    307KB

  • MD5

    884714bd845895cbd4377d1ba6df376e

  • SHA1

    5a219cb01a10516eab59b2703d7bc4760fb5b5c0

  • SHA256

    5c85b25b5b4f277770b21a77796e7e1672eb046eabb76077c703a993e237a3a7

  • SHA512

    174a7585784d24e4424661a03fbcd4f4195ec9b0b36cf4e01ea7fe5f5c5d7cbed2a74cb3a030531045e57af0c7e07d53e44e7e9f3d888883ee37ea21f4da0674

  • SSDEEP

    6144:Y1s6ZKvncbumIED8Qyl/RUpfPMm9Fy5RiLwFdhLoZxybN:pcbuLQyDebTLIdhLexG

Score
10/10
asyncratdefaultpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.3.101.190:2015

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:2136
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D07.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3376
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:368
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
          4⤵
            PID:1952
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1312

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp6D07.tmp.bat
      Filesize

      151B

      MD5

      d38e3e7e3fdb86ee4f2776acce366aab

      SHA1

      808b33fcab5f1a9be0dd250f7513bb9884eb8f06

      SHA256

      475aa41a0d1f0fc0e02263339b224c62ba52a69ba3390c3ba173cf67ef30b349

      SHA512

      20c151f6742407f1444f624a5826b912d2f1b9717abc923be3004d23257c78f8577bdce71b00cbe1368926ccae160557ed9f303a72cc8e139626955ea66492d4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      307KB

      MD5

      884714bd845895cbd4377d1ba6df376e

      SHA1

      5a219cb01a10516eab59b2703d7bc4760fb5b5c0

      SHA256

      5c85b25b5b4f277770b21a77796e7e1672eb046eabb76077c703a993e237a3a7

      SHA512

      174a7585784d24e4424661a03fbcd4f4195ec9b0b36cf4e01ea7fe5f5c5d7cbed2a74cb3a030531045e57af0c7e07d53e44e7e9f3d888883ee37ea21f4da0674

      Download Submit
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      307KB

      MD5

      884714bd845895cbd4377d1ba6df376e

      SHA1

      5a219cb01a10516eab59b2703d7bc4760fb5b5c0

      SHA256

      5c85b25b5b4f277770b21a77796e7e1672eb046eabb76077c703a993e237a3a7

      SHA512

      174a7585784d24e4424661a03fbcd4f4195ec9b0b36cf4e01ea7fe5f5c5d7cbed2a74cb3a030531045e57af0c7e07d53e44e7e9f3d888883ee37ea21f4da0674

      Download Submit
    • memory/1312-145-0x0000000005620000-0x0000000005630000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1312-143-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1312-148-0x0000000005FB0000-0x000000000604C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1312-149-0x0000000006600000-0x0000000006BA4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1312-150-0x00000000060C0000-0x0000000006126000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1312-151-0x0000000006FB0000-0x0000000007026000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1312-152-0x0000000007060000-0x000000000707E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1312-153-0x0000000005620000-0x0000000005630000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2100-134-0x000001A672F50000-0x000001A672F60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2100-133-0x000001A6589E0000-0x000001A658A32000-memory.dmp
      Filesize

      328KB

      Download