Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 21:45

General

  • Target

    A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe

  • Size

    2.0MB

  • MD5

    a6c1f985465f58baa96e2fb863368258

  • SHA1

    48dbf29f9719644738fd849fb22e10e6e4f51d7c

  • SHA256

    a4b02b376cc1b68b65ec04e802746b9befc7d4db84a749ebf7b7aa1371628275

  • SHA512

    c9ac3680661a3af08aa468c37ab3fb80a7e8085561e6f845b18fa16154ce117661b862a1147135f533850b71ef676c7339f200029b321058ed84cea27df996ba

  • SSDEEP

    49152:3AI+Fl/k/n8JIgBeMCoT+DheCsR15+Vgy7tNByI6Aop:3AI+Fl/kPhghCS+FyCCy7tNBj6Aop

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

novachrono.dyndns-ip.com:55319

novachrono.dyndns-ip.com:51397

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    repair-win.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 28 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Network Share Discovery 1 TTPs

    Attempts to gather information on the host network.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 6 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe
    "C:\Users\Admin\AppData\Local\Temp\A4B02B376CC1B68B65EC04E802746B9BEFC7D4DB84A749EBF7B7AA1371628275.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Program Files (x86)\Common Files\data-com.exe
      "C:\Program Files (x86)\Common Files\data-com.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Users\Admin\AppData\Local\Temp\com-win867.exe
        "C:\Users\Admin\AppData\Local\Temp\com-win867.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 516
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1380
      • C:\Users\Admin\AppData\Local\Temp\netshare-winw.exe
        "C:\Users\Admin\AppData\Local\Temp\netshare-winw.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2308
      • C:\Users\Admin\AppData\Local\Temp\repair-winv.exe
        "C:\Users\Admin\AppData\Local\Temp\repair-winv.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Users\Admin\AppData\Local\Temp\repair-winv.exe
          "C:\Users\Admin\AppData\Local\Temp\repair-winv.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1052
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "repair-win" /tr '"C:\Users\Admin\AppData\Roaming\repair-win.exe"' & exit
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "repair-win" /tr '"C:\Users\Admin\AppData\Roaming\repair-win.exe"'
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2456
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.bat""
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:484
            • C:\Windows\SysWOW64\timeout.exe
              timeout 3
              6⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:612
            • C:\Users\Admin\AppData\Roaming\repair-win.exe
              "C:\Users\Admin\AppData\Roaming\repair-win.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:2840
              • C:\Users\Admin\AppData\Roaming\repair-win.exe
                "C:\Users\Admin\AppData\Roaming\repair-win.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\50x50.jpg

    Filesize

    990B

    MD5

    ca6477ef69993246149bd34b857651db

    SHA1

    01411f9b09d58c6ea7f4068ace6207db4fb1b46f

    SHA256

    10c7923013668a793ba279dff60675fde5077234e5b2be84dd7c297d43540ad6

    SHA512

    02e5c2b806f58774e3f5b7d0b71c2c3ced543170ab643d211a6839ddb82676a88a321bfcccc65700272b0b9595193d8c2573bf7f477b945d1a8e798e7f7226fe

  • C:\Users\Admin\AppData\Local\Temp\README.md

    Filesize

    1KB

    MD5

    0b61e9b2d174d66a91074558158d061c

    SHA1

    93d625d555981387466aca8018075b1195496b9c

    SHA256

    20d1cea77432e36ac12c16a2636344d92fab61c3f349444f3a7808ab3f57a1ac

    SHA512

    6ad59fd9f375d5e2b0e92ecb60406523f9333fff8a837963fb685ed3bf40f888c2d4847d4be6cfda16e1bfc668eb21d2724d073504af1bbf82a18aca58e9577f

  • C:\Users\Admin\AppData\Local\Temp\download.png

    Filesize

    6KB

    MD5

    a7032131575edf08d718f4d3a1343e99

    SHA1

    4f6fef19c9b8f75f9e962fd3c78e92cd3b836446

    SHA256

    8a4bd6e4675e40248040db34c43fbf4bf7f8d0a67404efb4bed3d7a47f2c6dbd

    SHA512

    a6f47acff9d8b1bf48f9c8f3a64b75a8f3e5be071ac378eaa46252eaf27c84b075347ae052390ed892f17d820d7fda7a516298b787cda02718cd47bcf8c0a0a0

  • C:\Users\Admin\AppData\Local\Temp\dtlxba.sx

    Filesize

    118KB

    MD5

    31dd3087ad33376599520916bd5e01c6

    SHA1

    8f885821619d0b5721b5660a5c5170f20feb49c1

    SHA256

    7d1fb3094f3330e47c6f2607ea48b4ca1e63e6fdc8d2d615ac2d682096af965e

    SHA512

    819e1a187c26097f668fe178ad76a2200808bf0b001b56f7b6a7442c5145421302eb31a500a4a98989a4041efdc9d537015a98e6d079ab44e0f8dcecf12b4884

  • C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.bat

    Filesize

    154B

    MD5

    a96b2b98280548d2ed91afaf46a929d7

    SHA1

    258c273c58afa506230678605d44e17703327baf

    SHA256

    b67bc13cbeed6962dad8e8b75d63b2020b729f4b407759983de893c8d9c962db

    SHA512

    c0b0d04f961b102fee39e40ff443bae3ec0dd31c4b372f19c4ce70539d444bdbdbec2454080c03c87aa678af0685e98a91f0314c5ca783b868270560b8c526a5

  • C:\Users\Admin\AppData\Local\Temp\yrcvb.dll

    Filesize

    10KB

    MD5

    e6ad792dd8ea01b5c3d1358782d0a7b3

    SHA1

    35a3f7e97ab74b8c7c7844be275eb93ebbc3be20

    SHA256

    9db645f6dc6d6a242e9c4629b06929c5cadcf7842e16f245aba57d535a6d3af0

    SHA512

    30162aefb98f580638c7cffc3a917b67f3a3375ea96706584351f016d0a1968393b33767e9b0f15d1730d5a9bbc559c455b454f481f383d7727487391d8cf89a

  • \Program Files (x86)\Common Files\data-com.exe

    Filesize

    1.6MB

    MD5

    c4f5279ac008bd516fac948b9ed07ef4

    SHA1

    dfd6b2cde45d61cb5f470d7cc9aa02ea14a88b0c

    SHA256

    e62f25c348f1a803072a3fa6991c3c624982f1a0db33a835af27ec22bab577f6

    SHA512

    54c5c1c397c3c9a2a3737447b7e2b1b048ffcaa8478453fb25bc9c4e9c9204a58f41318b80ff806c91cd77e09bac47152bc3ea56ce7faaa088f7f20d67632bd3

  • \Users\Admin\AppData\Local\Temp\com-win867.exe

    Filesize

    454KB

    MD5

    ece598774bd28cbe3caa0ee1f2212725

    SHA1

    48433d51044b0d1c9e802a6c95f9c994b5b0a142

    SHA256

    7ed2531a506e24a014493c92de25ca92fe712aa71a2ce981b14f25e053d5d5b6

    SHA512

    29aad65aa5827996bfd1ffb932803f2691450aeede912c0e6f60712af8b622b517b440bade503fbc076bb4245817fba1823bb54b1fadaddaab4c3057ca91b70b

  • \Users\Admin\AppData\Local\Temp\netshare-winw.exe

    Filesize

    793KB

    MD5

    937e8c3bed1eae721daf1b8aa0e2ae38

    SHA1

    a53fd1565b9d92986db6383830cadee69dfe8723

    SHA256

    69988bab12a838d28a2cca55bddb05da74ec8653ac887f8f0340a178325f2872

    SHA512

    277edd5c91ca22661d08d9e456f0b93666c3e0906af2fe589a68b9cdf565d51666030907f8096837ac5bcc33072d5df27bd5f543a90d24cb08db0a1f8be66a70

  • \Users\Admin\AppData\Local\Temp\nsdA3DE.tmp\System.dll

    Filesize

    11KB

    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

  • \Users\Admin\AppData\Local\Temp\repair-winv.exe

    Filesize

    502KB

    MD5

    3436f616a07a2d43b067b0c7a9ee0aab

    SHA1

    9acc3914853a04bfc795d8d97e7862ae0d873276

    SHA256

    fc3a8e4291ca21ecc1f28995bf8834e46aeddfafaf959413b2b9cd2ab87f51e3

    SHA512

    eb51df5c9855cc0dc310a2ea08b46e3b6b5aa190cc84e2ff6ccbc9b670352b099b35464fcad2b300086c74174fcd0105f6deb5fd6d9f96205a529f8d6b375c68

  • memory/796-163-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/796-160-0x00000000002E0000-0x00000000002F2000-memory.dmp

    Filesize

    72KB

  • memory/796-159-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/1052-131-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/1052-121-0x00000000003E0000-0x00000000003F2000-memory.dmp

    Filesize

    72KB

  • memory/1052-112-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/1052-114-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2332-115-0x0000000010000000-0x0000000010005000-memory.dmp

    Filesize

    20KB

  • memory/2468-19-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2840-158-0x0000000010000000-0x0000000010005000-memory.dmp

    Filesize

    20KB

  • memory/2944-107-0x0000000010000000-0x0000000010005000-memory.dmp

    Filesize

    20KB