Analysis
max time kernel: 122s
max time network: 156s
platform: windows7_x64
resource: win7-en-20210920
submitted: 21-10-2021 05:56

Behavioral task: behavioral1
Sample: aba9ea59aab84849cf371965c19ef46c.exe
Resource: win7-en-20210920
General
Target: aba9ea59aab84849cf371965c19ef46c.exe
Size: 88KB
MD5: aba9ea59aab84849cf371965c19ef46c
SHA1: 366050aca450a5d1ea67ea5b6b1902a60c721c01
SHA256: 99988371c15bd38fc947d898dc6eeb0d425c98f7bd471d040c24c8c667bd2b0b
SHA512: f38d27e4a58492a59043cf8ee3df3eb317581f3fb98b59d6d1b32163acc83a403425a554e1974e60c857b3489cf1d49a0e6de8734a9a159fea4d6fe571302248
Malware Config
Signatures
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Async RAT payload (1 IoC)
Resource: behavioral1/memory/2032-61-0x0000000001F30000-0x0000000001F4B000-memory.dmp
YARA rule: asyncrat

Executes dropped EXE (1 IoC)
Process: yipvnj.exe (PID 1396)

Loads dropped DLL (1 IoC)
Process: powershell.exe (PID 1448)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 9: freegeoip.app
Flow 10: freegeoip.app

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
yipvnj.exe: key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
yipvnj.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier

Suspicious behavior: EnumeratesProcesses (8 IoCs)
powershell.exe (PID 1448): 3 events
aba9ea59aab84849cf371965c19ef46c.exe (PID 2032): 1 event
yipvnj.exe (PID 1396): 4 events

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token SeDebugPrivilege: aba9ea59aab84849cf371965c19ef46c.exe (PID 2032)
Token SeDebugPrivilege: powershell.exe (PID 1448)
Token SeDebugPrivilege: yipvnj.exe (PID 1396)

Suspicious use of WriteProcessMemory (12 IoCs)
PID 2032 (aba9ea59aab84849cf371965c19ef46c.exe) wrote to memory of PID 1260 (cmd.exe): 4 events
PID 1260 (cmd.exe) wrote to memory of PID 1448 (powershell.exe): 4 events
PID 1448 (powershell.exe) wrote to memory of PID 1396 (yipvnj.exe): 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\aba9ea59aab84849cf371965c19ef46c.exe (PID 2032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aba9ea59aab84849cf371965c19ef46c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1260)
    Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\yipvnj.exe"' & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1448)
      Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\yipvnj.exe"'
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\yipvnj.exe (PID 1396)
        Command line: "C:\Users\Admin\AppData\Local\Temp\yipvnj.exe"
        - Executes dropped EXE
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\yipvnj.exe
MD5: c42164ad1b51e44d1ab913473a5d4111
SHA1: cc15753f958287c179941285878c569022934e18
SHA256: 221c8d921fd6d429eb61902697f0ffaa5cc351b9d33f769990d50eaba05ed437
SHA512: 1ea9dc418d12ffe290b96517d775e40f15abdea0a2e0a463a0bbc8e8675f3d0de87535a4bc8777730a879f15b5c964d44c4a43c93e0e2e5bee86c206cf7086c6