Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-02-2023 18:34
Behavioral task
- behavioral1
- Sample: decrypted.exe
- Resource: win7-20220812-en
General
- Target: decrypted.exe
- Size: 36KB
- MD5: 804457c473500f8fe0d57b0864c4c87f
- SHA1: 633c8ff70bc17c12e2727c3e1278349a8b67fe50
- SHA256: 601ac6852746a608f82af16fe69b07a5c65afc584d59479a8fcf43bd0537997f
- SHA512: f68e765f26d6ff16a4f2a89f367e0cf57278a595f321a362c8b037526106dc319cd6894b4def3d1aa474ce412db0395926e7483d26abca72e196f4eac97247d9
- SSDEEP: 768:C9S2Mfp8Y8JuL8O2qD86BhEOaDUeKR0F6Ehq5lxOBcmZPtqojC:C9S2MfgQQahEOaDUzRb5lxOWmyl
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2: virtual-rome.at.ply.gg:1111, virtual-rome.at.ply.gg:62832
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: Windows Critical Update.exe
- install_folder: %AppData%
Signatures

Async RAT payload (5 IoCs)
resource | yara_rule
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe | asyncrat
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe | asyncrat
- behavioral2/memory/3572-143-0x0000000000D90000-0x0000000000DAE000-memory.dmp | asyncrat
- C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe | asyncrat
- C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe | asyncrat
Modifies Windows Firewall (1 TTPs, 1 IoCs)

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: decrypted.exe, wlninit.exe, AsyncClient.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | decrypted.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | wlninit.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | AsyncClient.exe
Drops startup file (3 IoCs)
Processes: wlninit.exe
description | ioc | process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe | wlninit.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf4f23b08f31e19e05b45991905c12da.exe | wlninit.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf4f23b08f31e19e05b45991905c12da.exe | wlninit.exe
Executes dropped EXE (3 IoCs)
Processes: wlninit.exe, AsyncClient.exe, Windows Critical Update.exe
pid | process
- 4604 | wlninit.exe
- 3572 | AsyncClient.exe
- 3704 | Windows Critical Update.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wlninit.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bf4f23b08f31e19e05b45991905c12da = "\"C:\\Users\\Admin\\AppData\\Roaming\\wlninit.exe\" .." | wlninit.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf4f23b08f31e19e05b45991905c12da = "\"C:\\Users\\Admin\\AppData\\Roaming\\wlninit.exe\" .." | wlninit.exe
Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: wlninit.exe
description | ioc | process
- File created | C:\autorun.inf | wlninit.exe
- File opened for modification | C:\autorun.inf | wlninit.exe
- File created | D:\autorun.inf | wlninit.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe (1 IoCs)
Processes: timeout.exe
pid | process
- 4100 | timeout.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: wlninit.exe
pid | process
- 4604 | wlninit.exe (all 64 entries are this pid/process pair)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: wlninit.exe
pid | process
- 4604 | wlninit.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: wlninit.exe, AsyncClient.exe, Windows Critical Update.exe
description | pid | process
- Token: SeDebugPrivilege | 4604 | wlninit.exe
- Token: 33 | 4604 | wlninit.exe
- Token: SeIncBasePriorityPrivilege | 4604 | wlninit.exe
- Token: 33 | 4604 | wlninit.exe
- Token: SeIncBasePriorityPrivilege | 4604 | wlninit.exe
- Token: 33 | 4604 | wlninit.exe
- Token: SeIncBasePriorityPrivilege | 4604 | wlninit.exe
- Token: SeDebugPrivilege | 3572 | AsyncClient.exe
- Token: 33 | 4604 | wlninit.exe
- Token: SeIncBasePriorityPrivilege | 4604 | wlninit.exe
- Token: SeDebugPrivilege | 3704 | Windows Critical Update.exe
- followed by 12 further alternating pairs of "Token: 33 | 4604 | wlninit.exe" and "Token: SeIncBasePriorityPrivilege | 4604 | wlninit.exe" (24 entries; 35 in total)
Suspicious use of WriteProcessMemory (24 IoCs)
Processes: decrypted.exe, wlninit.exe, AsyncClient.exe, cmd.exe, cmd.exe
description | pid | process | target process (each row is reported three times)
- PID 4460 wrote to memory of 4604 | 4460 | decrypted.exe | wlninit.exe
- PID 4604 wrote to memory of 3316 | 4604 | wlninit.exe | netsh.exe
- PID 4604 wrote to memory of 3572 | 4604 | wlninit.exe | AsyncClient.exe
- PID 3572 wrote to memory of 2228 | 3572 | AsyncClient.exe | cmd.exe
- PID 3572 wrote to memory of 1268 | 3572 | AsyncClient.exe | cmd.exe
- PID 2228 wrote to memory of 2016 | 2228 | cmd.exe | schtasks.exe
- PID 1268 wrote to memory of 4100 | 1268 | cmd.exe | timeout.exe
- PID 1268 wrote to memory of 3704 | 1268 | cmd.exe | Windows Critical Update.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\decrypted.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Roaming\wlninit.exe
    command line: "C:\Users\Admin\AppData\Roaming\wlninit.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\wlninit.exe" "wlninit.exe" ENABLE
      - Modifies Windows Firewall
    - [depth 3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Critical Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe"' & exit
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /f /sc onlogon /rl highest /tn "Windows Critical Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe"'
          - Creates scheduled task(s)
      - [depth 4] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4B3.tmp.bat""
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\timeout.exe
          command line: timeout 3
          - Delays execution with timeout.exe
        - [depth 5] C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe
          command line: "C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4B3.tmp.bat
  Filesize: 166B
  MD5: 12cfc56d0a473f22aeb959c5bf713dd5
  SHA1: 15121be7395438fff6877a2096cebcd4a6083667
  SHA256: 962080a10096ac31463278f5a4c14626eaafba161078e61f31b13d1a2cd81351
  SHA512: a0021e497feb58ce4cf7b2d81477cea15a00a13ac69ea27435f95ef19b3dac17decd75a9e8489d181bf7c6dfbb94ddf3a81de25612860f77dda4d6b5cd1f6041
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsyncClient.exe (listed twice in the report)
  Filesize: 96KB
  MD5: 1803b28ef79113aaf3c06607db2cca71
  SHA1: 8f05b9410a1881fb24882c749d4e074ce2cf5c95
  SHA256: df8d4da1ef01121a256dcf4c790d77b45756d9f929e821ca7e89cbf85f6b85ad
  SHA512: 6d2eb07cde6ef8a6ea042df6bcdc4586c36fa5f9f6d6e397c0a961ad2fa5bebd7e4fceb84dfc2e4d85f77635bfd331c7f9e5defbaf3374eb2af7e4b38ab077ce
- C:\Users\Admin\AppData\Roaming\Windows Critical Update.exe (listed twice in the report)
  Filesize: 96KB
  MD5: 1803b28ef79113aaf3c06607db2cca71
  SHA1: 8f05b9410a1881fb24882c749d4e074ce2cf5c95
  SHA256: df8d4da1ef01121a256dcf4c790d77b45756d9f929e821ca7e89cbf85f6b85ad
  SHA512: 6d2eb07cde6ef8a6ea042df6bcdc4586c36fa5f9f6d6e397c0a961ad2fa5bebd7e4fceb84dfc2e4d85f77635bfd331c7f9e5defbaf3374eb2af7e4b38ab077ce
- C:\Users\Admin\AppData\Roaming\wlninit.exe (listed twice in the report)
  Filesize: 36KB
  MD5: 804457c473500f8fe0d57b0864c4c87f
  SHA1: 633c8ff70bc17c12e2727c3e1278349a8b67fe50
  SHA256: 601ac6852746a608f82af16fe69b07a5c65afc584d59479a8fcf43bd0537997f
  SHA512: f68e765f26d6ff16a4f2a89f367e0cf57278a595f321a362c8b037526106dc319cd6894b4def3d1aa474ce412db0395926e7483d26abca72e196f4eac97247d9
- memory/1268-146-0x0000000000000000-mapping.dmp
- memory/2016-147-0x0000000000000000-mapping.dmp
- memory/2228-145-0x0000000000000000-mapping.dmp
- memory/3316-138-0x0000000000000000-mapping.dmp
- memory/3572-143-0x0000000000D90000-0x0000000000DAE000-memory.dmp
  Filesize: 120KB
- memory/3572-144-0x0000000005A70000-0x0000000005B0C000-memory.dmp
  Filesize: 624KB
- memory/3572-140-0x0000000000000000-mapping.dmp
- memory/3704-150-0x0000000000000000-mapping.dmp
- memory/3704-154-0x0000000005A80000-0x0000000005AE6000-memory.dmp
  Filesize: 408KB
- memory/3704-153-0x0000000005F80000-0x0000000006524000-memory.dmp
  Filesize: 5.6MB
- memory/4100-149-0x0000000000000000-mapping.dmp
- memory/4460-132-0x00000000746D0000-0x0000000074C81000-memory.dmp
  Filesize: 5.7MB
- memory/4460-136-0x00000000746D0000-0x0000000074C81000-memory.dmp
  Filesize: 5.7MB
- memory/4604-133-0x0000000000000000-mapping.dmp
- memory/4604-137-0x00000000746D0000-0x0000000074C81000-memory.dmp
  Filesize: 5.7MB
- memory/4604-139-0x00000000746D0000-0x0000000074C81000-memory.dmp
  Filesize: 5.7MB