General

  • Target

    RNSM00431.7z

  • Size

    21.6MB

  • Sample

    241026-pv82nssjcr

  • MD5

    51b913c77686e4d72c6754fe38eb847d

  • SHA1

    33085b7950a0200a22a2c7f5ac7edd2c2cfed2ea

  • SHA256

    df972b858ff10bcabbcef5ec116549330919b30d5be3cd5aaefef3e8e33726a6

  • SHA512

    efb2431c3408deb0f707f55bec8a11432aa2bee55395f2776d58e48875591dc816fc5c562e91133bea43ea60cb5463c2b2982fbea80f3f776174d6628a984bca

  • SSDEEP

    393216:0xeeAqc18J3CjLlhFUxA4zILUS5bvPsgYSk0Fg2zYBgtR7BSQM5pwuxNzSy2AHm:0xeeQA3slhFUOHNF5bkVuaux0y4RN2AG

Malware Config

Targets

    • Target

      RNSM00431.7z

    • Size

      21.6MB

    • MD5

      51b913c77686e4d72c6754fe38eb847d

    • SHA1

      33085b7950a0200a22a2c7f5ac7edd2c2cfed2ea

    • SHA256

      df972b858ff10bcabbcef5ec116549330919b30d5be3cd5aaefef3e8e33726a6

    • SHA512

      efb2431c3408deb0f707f55bec8a11432aa2bee55395f2776d58e48875591dc816fc5c562e91133bea43ea60cb5463c2b2982fbea80f3f776174d6628a984bca

    • SSDEEP

      393216:0xeeAqc18J3CjLlhFUxA4zILUS5bvPsgYSk0Fg2zYBgtR7BSQM5pwuxNzSy2AHm:0xeeQA3slhFUOHNF5bkVuaux0y4RN2AG

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Asyncrat family

    • Modifies WinLogon for persistence

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Renames multiple (2195) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks