Overview

overview

10

Static

static

3

SVD002837727.exe

windows7-x64

10

SVD002837727.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2023 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SVD002837727.exe

  • Size

    653KB

  • MD5

    98606a9e2540ba34e1c98760900ac508

  • SHA1

    9918ca6bf5c9b1ccc1206724514d56a41d7adeb1

  • SHA256

    46bdfb06a8c272dff04b4eeebba3fffd7849193c8a0ce13c2dc7b3a16b26a1a9

  • SHA512

    86cedacb5f46baa0d899573f44b67ed659e57f8c4a397992e745365c29099de4262c98f5678d54c66018264958c7821380c185905ffedf83208f1f48859e3829

  • SSDEEP

    12288:LZyvbhaDnLMzIL2q+RTdOL8lUzKlXt0nKXRa99uk1UFDuhZCQUKOWkZJJXv/LiQg:GOyqGUL8lV3nXRwuSqQJI

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

reportss.duckdns.org:3110

reportss.duckdns.org:4466

reportss.duckdns.org:7755
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SVD002837727.exe
    "C:\Users\Admin\AppData\Local\Temp\SVD002837727.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JxXPhhSexdm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3928
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JxXPhhSexdm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47F6.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1936
    • C:\Users\Admin\AppData\Local\Temp\SVD002837727.exe
      "C:\Users\Admin\AppData\Local\Temp\SVD002837727.exe"
      2⤵
        PID:2896
      • C:\Users\Admin\AppData\Local\Temp\SVD002837727.exe
        "C:\Users\Admin\AppData\Local\Temp\SVD002837727.exe"
        2⤵
          PID:2312

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SVD002837727.exe.log
        Filesize

        1KB

        MD5

        33d62ef2c354f839a8b2b987e6ee41e7

        SHA1

        d76f64ac411a61f3f232f7f9f7b179bd34042226

        SHA256

        f6a84062cb11ccf802324692c2c4c48543377cf717d98efd5de695ed6d0a97d9

        SHA512

        d68a426b2f4646bb45e2267d60680166a8effb9a461e5a07756ba13a3bdf36b27e6e9777d945d03a62362e6976e92214c53ffc7c4f03ec28d3fcfc9a442c5e3c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzxvngxz.lqw.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp47F6.tmp
        Filesize

        1KB

        MD5

        0ecf37eafc25fbfcbbd86f08ac52570c

        SHA1

        cca0b6219e37d0e32cda59d75474011922b0d554

        SHA256

        460e050398b400dc0bcb4bdfd456ec78afae0af100ff633587d068f29d6ada49

        SHA512

        f8e31b829dc45a515e1ab98d081a09883063c8ec387c9b12fc12e587fddee1b1a9cdc77b10bdf1cae3d6486a685b2265175e726768c107c1eea8dd4e21381123

        Download Submit
      • memory/2312-189-0x00000000055D0000-0x00000000055E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2312-148-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2312-182-0x00000000055D0000-0x00000000055E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2352-136-0x0000000004E20000-0x0000000004E30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2352-139-0x0000000006A70000-0x0000000006B0C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2352-138-0x0000000004E20000-0x0000000004E30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2352-137-0x0000000004EA0000-0x0000000004EAA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2352-133-0x0000000000430000-0x00000000004D8000-memory.dmp
        Filesize

        672KB

        Download
      • memory/2352-135-0x0000000004F20000-0x0000000004FB2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2352-134-0x0000000005430000-0x00000000059D4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3928-158-0x00000000058A0000-0x0000000005906000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3928-177-0x0000000004C30000-0x0000000004C40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3928-149-0x0000000005270000-0x0000000005898000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3928-147-0x0000000004C30000-0x0000000004C40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3928-159-0x00000000059C0000-0x0000000005A26000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3928-164-0x0000000006010000-0x000000000602E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3928-165-0x00000000071F0000-0x0000000007222000-memory.dmp
        Filesize

        200KB

        Download
      • memory/3928-166-0x0000000071110000-0x000000007115C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/3928-176-0x00000000065D0000-0x00000000065EE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3928-152-0x0000000005190000-0x00000000051B2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3928-178-0x000000007FC10000-0x000000007FC20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3928-179-0x0000000007960000-0x0000000007FDA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3928-180-0x0000000007320000-0x000000000733A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3928-181-0x0000000007390000-0x000000000739A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3928-183-0x00000000075A0000-0x0000000007636000-memory.dmp
        Filesize

        600KB

        Download
      • memory/3928-146-0x0000000004C30000-0x0000000004C40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3928-184-0x0000000007550000-0x000000000755E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/3928-185-0x0000000007660000-0x000000000767A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3928-186-0x0000000007640000-0x0000000007648000-memory.dmp
        Filesize

        32KB

        Download
      • memory/3928-144-0x00000000026F0000-0x0000000002726000-memory.dmp
        Filesize

        216KB

        Download