Overview

overview

10

Static

static

3

New Order ...23.exe

windows7-x64

10

New Order ...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09-06-2023 09:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order SSRNSSIQ102-2023.exe

  • Size

    789KB

  • MD5

    40e90e03d1c397d3fede4c0e9d3dd2e4

  • SHA1

    2ca12b01d5a31dd2076a7a4c0ca70fb61451331c

  • SHA256

    92b0cc6184468867764c824f3086da312866b47b42642fd32166bfb7c87bdf7e

  • SHA512

    a4f9ffb09d118407d3d63a116f5edcdb2a2e21176eed80984a2b323f1360771b14c0816ac6c8a66650d584993f0206f7c9f82504a59fdf3e222d76e7a88c80f6

  • SSDEEP

    12288:fCBNfZFHB3gwr+1yjPHx0HGkYDHjrTCq:abHBQyjPHxqYDH/eq

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

fresh03.ddns.net:45265

fresh03.ddns.net:34110

fresh03.ddns.net:2245

fresh01.ddns.net:45265

fresh01.ddns.net:34110

fresh01.ddns.net:2245
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    logs.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 10 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order SSRNSSIQ102-2023.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order SSRNSSIQ102-2023.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZSapQxocQt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1804.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2024
    • C:\Users\Admin\AppData\Local\Temp\New Order SSRNSSIQ102-2023.exe
      "{path}"
      2⤵
        PID:868
      • C:\Users\Admin\AppData\Local\Temp\New Order SSRNSSIQ102-2023.exe
        "{path}"
        2⤵
          PID:864
        • C:\Users\Admin\AppData\Local\Temp\New Order SSRNSSIQ102-2023.exe
          "{path}"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1320
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:476
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
              4⤵
              • Creates scheduled task(s)
              PID:1880
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp38FC.tmp.bat""
            3⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1460
            • C:\Windows\SysWOW64\timeout.exe
              timeout 3
              4⤵
              • Delays execution with timeout.exe
              PID:936
            • C:\Users\Admin\AppData\Roaming\logs.exe
              "C:\Users\Admin\AppData\Roaming\logs.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1884
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZSapQxocQt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9BB.tmp"
                5⤵
                • Creates scheduled task(s)
                PID:1720
              • C:\Users\Admin\AppData\Roaming\logs.exe
                "{path}"
                5⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:732

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp1804.tmp
        Filesize

        1KB

        MD5

        d99488839a3539152e833113a575579d

        SHA1

        db475510176a4178004d5be8b164bc5ddc0e0337

        SHA256

        7517e1ce4822f1d238cd6717d8e942dffdf20f3816e5fdf53dc54ac4d3b87f94

        SHA512

        0d2d6d61ffc8eab7e5448e6ab358deb7c5fef661402c467e7a621123fa53d24757d63d533bd8ce8e31d539eb0d48d5e5ec7d8c7561035bae54274910c741e458

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp38FC.tmp.bat
        Filesize

        148B

        MD5

        bd938962b7be81b6d4cd673a31c2b7cf

        SHA1

        7d3b79efbc43c1e450096c5b6a75519f7fdf0840

        SHA256

        a9bde784c994326ad982c233a6e37a711aff231c4f6650d98c55651b31bd533b

        SHA512

        019e7c45dadeff52006ea481296bc8f0fac480aec2453a948213ef9bf78e45afb970454775509d44a0c45fc87d3236c6cb513a22cf1c5c4f8d49eb0ba3dd5923

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp38FC.tmp.bat
        Filesize

        148B

        MD5

        bd938962b7be81b6d4cd673a31c2b7cf

        SHA1

        7d3b79efbc43c1e450096c5b6a75519f7fdf0840

        SHA256

        a9bde784c994326ad982c233a6e37a711aff231c4f6650d98c55651b31bd533b

        SHA512

        019e7c45dadeff52006ea481296bc8f0fac480aec2453a948213ef9bf78e45afb970454775509d44a0c45fc87d3236c6cb513a22cf1c5c4f8d49eb0ba3dd5923

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpF9BB.tmp
        Filesize

        1KB

        MD5

        d99488839a3539152e833113a575579d

        SHA1

        db475510176a4178004d5be8b164bc5ddc0e0337

        SHA256

        7517e1ce4822f1d238cd6717d8e942dffdf20f3816e5fdf53dc54ac4d3b87f94

        SHA512

        0d2d6d61ffc8eab7e5448e6ab358deb7c5fef661402c467e7a621123fa53d24757d63d533bd8ce8e31d539eb0d48d5e5ec7d8c7561035bae54274910c741e458

        Download Submit
      • C:\Users\Admin\AppData\Roaming\logs.exe
        Filesize

        789KB

        MD5

        40e90e03d1c397d3fede4c0e9d3dd2e4

        SHA1

        2ca12b01d5a31dd2076a7a4c0ca70fb61451331c

        SHA256

        92b0cc6184468867764c824f3086da312866b47b42642fd32166bfb7c87bdf7e

        SHA512

        a4f9ffb09d118407d3d63a116f5edcdb2a2e21176eed80984a2b323f1360771b14c0816ac6c8a66650d584993f0206f7c9f82504a59fdf3e222d76e7a88c80f6

        Download Submit
      • C:\Users\Admin\AppData\Roaming\logs.exe
        Filesize

        789KB

        MD5

        40e90e03d1c397d3fede4c0e9d3dd2e4

        SHA1

        2ca12b01d5a31dd2076a7a4c0ca70fb61451331c

        SHA256

        92b0cc6184468867764c824f3086da312866b47b42642fd32166bfb7c87bdf7e

        SHA512

        a4f9ffb09d118407d3d63a116f5edcdb2a2e21176eed80984a2b323f1360771b14c0816ac6c8a66650d584993f0206f7c9f82504a59fdf3e222d76e7a88c80f6

        Download Submit
      • C:\Users\Admin\AppData\Roaming\logs.exe
        Filesize

        789KB

        MD5

        40e90e03d1c397d3fede4c0e9d3dd2e4

        SHA1

        2ca12b01d5a31dd2076a7a4c0ca70fb61451331c

        SHA256

        92b0cc6184468867764c824f3086da312866b47b42642fd32166bfb7c87bdf7e

        SHA512

        a4f9ffb09d118407d3d63a116f5edcdb2a2e21176eed80984a2b323f1360771b14c0816ac6c8a66650d584993f0206f7c9f82504a59fdf3e222d76e7a88c80f6

        Download Submit
      • \Users\Admin\AppData\Roaming\logs.exe
        Filesize

        789KB

        MD5

        40e90e03d1c397d3fede4c0e9d3dd2e4

        SHA1

        2ca12b01d5a31dd2076a7a4c0ca70fb61451331c

        SHA256

        92b0cc6184468867764c824f3086da312866b47b42642fd32166bfb7c87bdf7e

        SHA512

        a4f9ffb09d118407d3d63a116f5edcdb2a2e21176eed80984a2b323f1360771b14c0816ac6c8a66650d584993f0206f7c9f82504a59fdf3e222d76e7a88c80f6

        Download Submit
      • memory/732-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/732-104-0x0000000001080000-0x00000000010C0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/732-103-0x0000000001080000-0x00000000010C0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/732-102-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/732-100-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/944-58-0x00000000020E0000-0x0000000002146000-memory.dmp
        Filesize

        408KB

        Download
      • memory/944-54-0x00000000001B0000-0x000000000027C000-memory.dmp
        Filesize

        816KB

        Download
      • memory/944-59-0x00000000004B0000-0x00000000004C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/944-57-0x0000000000390000-0x00000000003A4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/944-56-0x00000000006A0000-0x00000000006E0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/944-55-0x00000000006A0000-0x00000000006E0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1320-64-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1320-73-0x0000000004E00000-0x0000000004E40000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1320-72-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1320-70-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1320-68-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1320-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1320-63-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1320-66-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1320-65-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1884-86-0x0000000001100000-0x00000000011CC000-memory.dmp
        Filesize

        816KB

        Download
      • memory/1884-87-0x0000000004960000-0x00000000049A0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1884-88-0x0000000004960000-0x00000000049A0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1884-89-0x0000000000540000-0x0000000000552000-memory.dmp
        Filesize

        72KB

        Download