Analysis
- max time kernel: 146s
- max time network: 171s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:21
Behavioral tasks
- behavioral1: sample UD_PO_000681.exe, resource win7-20220414-en
- behavioral2: sample UD_PO_000681.exe, resource win10v2004-20220414-en
General
- Target: UD_PO_000681.exe
- Size: 483KB
- MD5: 24a8d8c071bbb496ba8e64e7817fd6c9
- SHA1: f40194270a9475aeb044a062bd7ef9376d8ed857
- SHA256: c890bc2e899bdb9c2a7cbe9ab52b852c5ea6832e44615f2afc66ab47925866d2
- SHA512: c4dcbb0b0fdc7469c6e5abc038867f3c65e179a3692dc884d7713db20c2fdefb4f96d5369210aedf807008cbe3821b05fb2a162c45a603aa0c68d56962d4e9a0
Malware Config
Extracted
- family: asyncrat
- version: 0.5.7B
- cbcc (unlabelled field in the extracted config)
- mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_file: billionaire.exe
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/8wApsDtD
Signatures
- Async RAT payload (11 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/memory/1468-54-0x0000000000280000-0x00000000002FE000-memory.dmp (yara_rule: asyncrat)
  - \Users\Admin\AppData\Roaming\asnsn.exe (yara_rule: asyncrat)
  - C:\Users\Admin\AppData\Roaming\asnsn.exe (yara_rule: asyncrat)
  - C:\Users\Admin\AppData\Roaming\asnsn.exe (yara_rule: asyncrat)
  - behavioral1/memory/1684-63-0x0000000000AE0000-0x0000000000B5E000-memory.dmp (yara_rule: asyncrat)
  - behavioral1/memory/1436-71-0x0000000000400000-0x0000000000412000-memory.dmp (yara_rule: asyncrat)
  - behavioral1/memory/1436-72-0x0000000000400000-0x0000000000412000-memory.dmp (yara_rule: asyncrat)
  - behavioral1/memory/1436-73-0x0000000000400000-0x0000000000412000-memory.dmp (yara_rule: asyncrat)
  - behavioral1/memory/1436-74-0x000000000040C77E-mapping.dmp (yara_rule: asyncrat)
  - behavioral1/memory/1436-77-0x0000000000400000-0x0000000000412000-memory.dmp (yara_rule: asyncrat)
  - behavioral1/memory/1436-79-0x0000000000400000-0x0000000000412000-memory.dmp (yara_rule: asyncrat)
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1684 asnsn.exe
  - 1436 AddInProcess32.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 1468 UD_PO_000681.exe
  - 1684 asnsn.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\dnfnf = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\asnsn.exe" (process: reg.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  - PID 1684 set thread context of 1436: asnsn.exe -> AddInProcess32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies system certificate store
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 (process: AddInProcess32.exe)
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 (process: AddInProcess32.exe)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid, process):
  - 1468 UD_PO_000681.exe
  - 1468 UD_PO_000681.exe
  - 1684 asnsn.exe
  - 1684 asnsn.exe
  - 1684 asnsn.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1468 UD_PO_000681.exe
  - Token: SeDebugPrivilege, 1684 asnsn.exe
  - Token: SeDebugPrivilege, 1436 AddInProcess32.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description, pid, process, target process):
  - PID 1468 wrote to memory of 1288: UD_PO_000681.exe -> cmd.exe (4 entries)
  - PID 1288 wrote to memory of 1420: cmd.exe -> reg.exe (4 entries)
  - PID 1468 wrote to memory of 1684: UD_PO_000681.exe -> asnsn.exe (4 entries)
  - PID 1684 wrote to memory of 1436: asnsn.exe -> AddInProcess32.exe (9 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\UD_PO_000681.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\UD_PO_000681.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v dnfnf /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\asnsn.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v dnfnf /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\asnsn.exe"
      - Adds Run key to start application
  - [2] C:\Users\Admin\AppData\Roaming\asnsn.exe
    command line: "C:\Users\Admin\AppData\Roaming\asnsn.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      - Executes dropped EXE
      - Modifies system certificate store
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  Filesize: 41KB
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- C:\Users\Admin\AppData\Roaming\asnsn.exe
  Filesize: 483KB
  MD5: 24a8d8c071bbb496ba8e64e7817fd6c9
  SHA1: f40194270a9475aeb044a062bd7ef9376d8ed857
  SHA256: c890bc2e899bdb9c2a7cbe9ab52b852c5ea6832e44615f2afc66ab47925866d2
  SHA512: c4dcbb0b0fdc7469c6e5abc038867f3c65e179a3692dc884d7713db20c2fdefb4f96d5369210aedf807008cbe3821b05fb2a162c45a603aa0c68d56962d4e9a0
- \Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  Filesize: 41KB
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- \Users\Admin\AppData\Roaming\asnsn.exe
  Filesize: 483KB
  MD5: 24a8d8c071bbb496ba8e64e7817fd6c9
  SHA1: f40194270a9475aeb044a062bd7ef9376d8ed857
  SHA256: c890bc2e899bdb9c2a7cbe9ab52b852c5ea6832e44615f2afc66ab47925866d2
  SHA512: c4dcbb0b0fdc7469c6e5abc038867f3c65e179a3692dc884d7713db20c2fdefb4f96d5369210aedf807008cbe3821b05fb2a162c45a603aa0c68d56962d4e9a0
- memory/1288-57-0x0000000000000000-mapping.dmp
- memory/1420-58-0x0000000000000000-mapping.dmp
- memory/1436-71-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1436-72-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1436-79-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1436-77-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1436-74-0x000000000040C77E-mapping.dmp
- memory/1436-68-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1436-69-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1436-73-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1468-56-0x0000000076721000-0x0000000076723000-memory.dmp (Filesize: 8KB)
- memory/1468-54-0x0000000000280000-0x00000000002FE000-memory.dmp (Filesize: 504KB)
- memory/1468-55-0x0000000000310000-0x000000000031A000-memory.dmp (Filesize: 40KB)
- memory/1684-63-0x0000000000AE0000-0x0000000000B5E000-memory.dmp (Filesize: 504KB)
- memory/1684-60-0x0000000000000000-mapping.dmp
- memory/1684-65-0x0000000000260000-0x000000000026A000-memory.dmp (Filesize: 40KB)