Analysis

- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 02-02-2023 18:34
Behavioral task: behavioral1

- Sample: decrypted.exe
- Resource: win7-20220812-en
General

- Target: decrypted.exe
- Size: 36KB
- MD5: 804457c473500f8fe0d57b0864c4c87f
- SHA1: 633c8ff70bc17c12e2727c3e1278349a8b67fe50
- SHA256: 601ac6852746a608f82af16fe69b07a5c65afc584d59479a8fcf43bd0537997f
- SHA512: f68e765f26d6ff16a4f2a89f367e0cf57278a595f321a362c8b037526106dc319cd6894b4def3d1aa474ce412db0395926e7483d26abca72e196f4eac97247d9
- SSDEEP: 768:C9S2Mfp8Y8JuL8O2qD86BhEOaDUeKR0F6Ehq5lxOBcmZPtqojC:C9S2MfgQQahEOaDUzRb5lxOWmyl
Malware Config

Extracted

- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: virtual-rome.at.ply.gg:1111, virtual-rome.at.ply.gg:62832
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  - delay: 3
  - install: true
  - install_file: Windows Critical Update.exe
  - install_folder: %AppData%
Signatures

- Async RAT payload (8 IoCs)

  | resource | yara_rule |
  | --- | --- |
  | \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe | asyncrat |
  | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe | asyncrat |
  | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe | asyncrat |
  | behavioral1/memory/1156-70-0x00000000009F0000-0x0000000000A0E000-memory.dmp | asyncrat |
  | \Users\Admin\AppData\Roaming\Windows Critical Update.exe | asyncrat |
  | C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe | asyncrat |
  | C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe | asyncrat |
  | behavioral1/memory/1668-82-0x0000000000920000-0x000000000093E000-memory.dmp | asyncrat |

- Modifies Windows Firewall (1 TTP, 1 IoC)

- Drops startup file (3 IoCs)

  | description | ioc | process |
  | --- | --- | --- |
  | File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf4f23b08f31e19e05b45991905c12da.exe | wlninit.exe |
  | File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe | wlninit.exe |
  | File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf4f23b08f31e19e05b45991905c12da.exe | wlninit.exe |

- Executes dropped EXE (3 IoCs)

  | pid | process |
  | --- | --- |
  | 240 | wlninit.exe |
  | 1156 | AsyncClient.exe |
  | 1668 | Windows Critical Update.exe |

- Loads dropped DLL (3 IoCs)

  | pid | process |
  | --- | --- |
  | 1236 | decrypted.exe |
  | 240 | wlninit.exe |
  | 1732 | cmd.exe |

- Adds Run key to start application (2 TTPs, 2 IoCs)

  | description | ioc | process |
  | --- | --- | --- |
  | Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\bf4f23b08f31e19e05b45991905c12da = "\"C:\\Users\\Admin\\AppData\\Roaming\\wlninit.exe\" .." | wlninit.exe |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bf4f23b08f31e19e05b45991905c12da = "\"C:\\Users\\Admin\\AppData\\Roaming\\wlninit.exe\" .." | wlninit.exe |

- Drops autorun.inf file (1 TTP, 3 IoCs)

  Malware can abuse Windows Autorun to spread further via attached volumes.

  | description | ioc | process |
  | --- | --- | --- |
  | File opened for modification | C:\autorun.inf | wlninit.exe |
  | File created | D:\autorun.inf | wlninit.exe |
  | File created | C:\autorun.inf | wlninit.exe |

- Enumerates physical storage devices (1 TTP)

  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)

  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Delays execution with timeout.exe (1 IoC)

  | pid | process |
  | --- | --- |
  | 1088 | timeout.exe |

- Suspicious behavior: EnumeratesProcesses (64 IoCs)

  | pid | process | occurrences |
  | --- | --- | --- |
  | 240 | wlninit.exe | 64 |

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)

  | pid | process |
  | --- | --- |
  | 240 | wlninit.exe |

- Suspicious use of AdjustPrivilegeToken (21 IoCs)

  | description | pid | process |
  | --- | --- | --- |
  | Token: SeDebugPrivilege | 240 | wlninit.exe |
  | Token: 33 | 240 | wlninit.exe |
  | Token: SeIncBasePriorityPrivilege | 240 | wlninit.exe |
  | Token: 33 | 240 | wlninit.exe |
  | Token: SeIncBasePriorityPrivilege | 240 | wlninit.exe |
  | Token: 33 | 240 | wlninit.exe |
  | Token: SeIncBasePriorityPrivilege | 240 | wlninit.exe |
  | Token: 33 | 240 | wlninit.exe |
  | Token: SeIncBasePriorityPrivilege | 240 | wlninit.exe |
  | Token: 33 | 240 | wlninit.exe |
  | Token: SeIncBasePriorityPrivilege | 240 | wlninit.exe |
  | Token: SeDebugPrivilege | 1156 | AsyncClient.exe |
  | Token: 33 | 240 | wlninit.exe |
  | Token: SeIncBasePriorityPrivilege | 240 | wlninit.exe |
  | Token: SeDebugPrivilege | 1668 | Windows Critical Update.exe |
  | Token: 33 | 240 | wlninit.exe |
  | Token: SeIncBasePriorityPrivilege | 240 | wlninit.exe |
  | Token: 33 | 240 | wlninit.exe |
  | Token: SeIncBasePriorityPrivilege | 240 | wlninit.exe |
  | Token: 33 | 240 | wlninit.exe |
  | Token: SeIncBasePriorityPrivilege | 240 | wlninit.exe |

- Suspicious use of WriteProcessMemory (42 IoCs)

  Each row is a distinct (source process, target process) pair; the last column gives how many times the report lists it (42 in total).

  | pid | process | target pid | target process | occurrences |
  | --- | --- | --- | --- | --- |
  | 1236 | decrypted.exe | 240 | wlninit.exe | 4 |
  | 240 | wlninit.exe | 732 | netsh.exe | 4 |
  | 240 | wlninit.exe | 1156 | AsyncClient.exe | 7 |
  | 1156 | AsyncClient.exe | 1696 | cmd.exe | 4 |
  | 1156 | AsyncClient.exe | 1732 | cmd.exe | 4 |
  | 1696 | cmd.exe | 1812 | schtasks.exe | 4 |
  | 240 | wlninit.exe | 1816 | cmd.exe | 4 |
  | 1732 | cmd.exe | 1088 | timeout.exe | 4 |
  | 1732 | cmd.exe | 1668 | Windows Critical Update.exe | 7 |
Processes

Process tree as recorded by the sandbox (nesting shows parent/child; PIDs taken from the WriteProcessMemory and Executes dropped EXE signatures above).

- C:\Users\Admin\AppData\Local\Temp\decrypted.exe (PID 1236)
  Command line: "C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\wlninit.exe (PID 240)
    Command line: "C:\Users\Admin\AppData\Roaming\wlninit.exe"
    Signatures: Drops startup file; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops autorun.inf file; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 732)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\wlninit.exe" "wlninit.exe" ENABLE
      Signatures: Modifies Windows Firewall
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe (PID 1156)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1696)
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Critical Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe"' & exit
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe (PID 1812)
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "Windows Critical Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe"'
          Signatures: Creates scheduled task(s)
      - C:\Windows\SysWOW64\cmd.exe (PID 1732)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE9D3.tmp.bat""
        Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe (PID 1088)
          Command line: timeout 3
          Signatures: Delays execution with timeout.exe
        - C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe (PID 1668)
          Command line: "C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe"
          Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 1816)
      Command line: "cmd.exe"
Downloads

Dropped files (duplicate entries for the same path merged; paths that the report also lists without a drive letter are noted):

- C:\Users\Admin\AppData\Local\Temp\tmpE9D3.tmp.bat
  - Filesize: 167B
  - MD5: 88a74a2f689c70d3d9759e5b10b9befb
  - SHA1: 55c186efdd925b010a3cd228c95fedc250bab1b1
  - SHA256: 7abb3dfad5f9ee85559672185fd47a1037d5796a2914d6edfe355976b18df373
  - SHA512: fce2e9efccd47cfcf77fe9e4006b04af5fbc8d43887b2e1926ac7727e71b4b7bdcfa7af47da44769e62e94d5a7abb8cae572a4ef3e0d845471caa7172fc62eed

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe (also listed as \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe)
  - Filesize: 96KB
  - MD5: 1803b28ef79113aaf3c06607db2cca71
  - SHA1: 8f05b9410a1881fb24882c749d4e074ce2cf5c95
  - SHA256: df8d4da1ef01121a256dcf4c790d77b45756d9f929e821ca7e89cbf85f6b85ad
  - SHA512: 6d2eb07cde6ef8a6ea042df6bcdc4586c36fa5f9f6d6e397c0a961ad2fa5bebd7e4fceb84dfc2e4d85f77635bfd331c7f9e5defbaf3374eb2af7e4b38ab077ce

- C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe (also listed as \Users\Admin\AppData\Roaming\Windows Critical Update.exe; same size and hashes as AsyncClient.exe above)
  - Filesize: 96KB
  - MD5: 1803b28ef79113aaf3c06607db2cca71
  - SHA1: 8f05b9410a1881fb24882c749d4e074ce2cf5c95
  - SHA256: df8d4da1ef01121a256dcf4c790d77b45756d9f929e821ca7e89cbf85f6b85ad
  - SHA512: 6d2eb07cde6ef8a6ea042df6bcdc4586c36fa5f9f6d6e397c0a961ad2fa5bebd7e4fceb84dfc2e4d85f77635bfd331c7f9e5defbaf3374eb2af7e4b38ab077ce

- C:\Users\Admin\AppData\Roaming\wlninit.exe (also listed as \Users\Admin\AppData\Roaming\wlninit.exe; same size and hashes as the submitted sample decrypted.exe)
  - Filesize: 36KB
  - MD5: 804457c473500f8fe0d57b0864c4c87f
  - SHA1: 633c8ff70bc17c12e2727c3e1278349a8b67fe50
  - SHA256: 601ac6852746a608f82af16fe69b07a5c65afc584d59479a8fcf43bd0537997f
  - SHA512: f68e765f26d6ff16a4f2a89f367e0cf57278a595f321a362c8b037526106dc319cd6894b4def3d1aa474ce412db0395926e7483d26abca72e196f4eac97247d9

Memory dumps:

- memory/240-62-0x0000000074610000-0x0000000074BBB000-memory.dmp (Filesize: 5.7MB)
- memory/240-65-0x0000000074610000-0x0000000074BBB000-memory.dmp (Filesize: 5.7MB)
- memory/240-57-0x0000000000000000-mapping.dmp
- memory/732-63-0x0000000000000000-mapping.dmp
- memory/1088-77-0x0000000000000000-mapping.dmp
- memory/1156-67-0x0000000000000000-mapping.dmp
- memory/1156-70-0x00000000009F0000-0x0000000000A0E000-memory.dmp (Filesize: 120KB)
- memory/1236-61-0x0000000074610000-0x0000000074BBB000-memory.dmp (Filesize: 5.7MB)
- memory/1236-54-0x0000000074F41000-0x0000000074F43000-memory.dmp (Filesize: 8KB)
- memory/1236-55-0x0000000074610000-0x0000000074BBB000-memory.dmp (Filesize: 5.7MB)
- memory/1668-80-0x0000000000000000-mapping.dmp
- memory/1668-82-0x0000000000920000-0x000000000093E000-memory.dmp (Filesize: 120KB)
- memory/1696-72-0x0000000000000000-mapping.dmp
- memory/1732-73-0x0000000000000000-mapping.dmp
- memory/1812-74-0x0000000000000000-mapping.dmp
- memory/1816-75-0x0000000000000000-mapping.dmp