Analysis

  • max time kernel
    149s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-02-2023 17:24

General

  • Target

    AnkaBotPC_4.0.5/AnkaBotPC/Bypass.exe

  • Size

    66KB

  • MD5

    ed8ed2bfb05f2f2a5496c4d32095c34b

  • SHA1

    57002f5bf97a9ddf1aafd909dcc676e60343d322

  • SHA256

    8cabd58822919c0a30ddc7a507e4a55a5d314ec466224791d7814711cf373f6c

  • SHA512

    e55c939802586f0b1525dc6e6c8964c37edec8c35b0bfcbd08998807d2c6a4a0d05db6100fc6312be983c585b2270e39d113e7a72a13a8403588a64710be39d1

  • SSDEEP

    1536:ToUWMO7oo0sS7UAkj9O8QQHFdCxlTk/sbbXApJZLTD9VclN:TJof9O8QQHFPsbbXI7PY

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.0

Botnet

Default

C2

141.98.11.72:4449

Mutex

sdtgyxyhor

Attributes
  • delay

    1

  • install

    true

  • install_file

    Ankabotkey.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnkaBotPC_4.0.5\AnkaBotPC\Bypass.exe
    "C:\Users\Admin\AppData\Local\Temp\AnkaBotPC_4.0.5\AnkaBotPC\Bypass.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Ankabotkey" /tr '"C:\Users\Admin\AppData\Roaming\Ankabotkey.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Ankabotkey" /tr '"C:\Users\Admin\AppData\Roaming\Ankabotkey.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:3352
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9D1F.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3792
      • C:\Users\Admin\AppData\Roaming\Ankabotkey.exe
        "C:\Users\Admin\AppData\Roaming\Ankabotkey.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4972

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9D1F.tmp.bat
    Filesize

    154B

    MD5

    69a4f25f5f3d8cc27796024effec8078

    SHA1

    1c9ed4df2dbcafc4cbb38ee73e21156f8224f947

    SHA256

    d18feaebd4df78db6773aea7c6c858acbfb192952c237a2bf67f8fc0b3b25e4f

    SHA512

    2625e21e6237bccd97d54982d680c5da25d6bb5f6e7a553486f0f8ac44569ead046e1e3c61ca90f859dd0b54df1a79c1d71ad6b714fbffc1d4c28d63adedade7

  • C:\Users\Admin\AppData\Roaming\Ankabotkey.exe
    Filesize

    66KB

    MD5

    ed8ed2bfb05f2f2a5496c4d32095c34b

    SHA1

    57002f5bf97a9ddf1aafd909dcc676e60343d322

    SHA256

    8cabd58822919c0a30ddc7a507e4a55a5d314ec466224791d7814711cf373f6c

    SHA512

    e55c939802586f0b1525dc6e6c8964c37edec8c35b0bfcbd08998807d2c6a4a0d05db6100fc6312be983c585b2270e39d113e7a72a13a8403588a64710be39d1

  • C:\Users\Admin\AppData\Roaming\Ankabotkey.exe
    Filesize

    66KB

    MD5

    ed8ed2bfb05f2f2a5496c4d32095c34b

    SHA1

    57002f5bf97a9ddf1aafd909dcc676e60343d322

    SHA256

    8cabd58822919c0a30ddc7a507e4a55a5d314ec466224791d7814711cf373f6c

    SHA512

    e55c939802586f0b1525dc6e6c8964c37edec8c35b0bfcbd08998807d2c6a4a0d05db6100fc6312be983c585b2270e39d113e7a72a13a8403588a64710be39d1

  • memory/3352-137-0x0000000000000000-mapping.dmp
  • memory/3792-139-0x0000000000000000-mapping.dmp
  • memory/4192-138-0x00007FFE08EB0000-0x00007FFE09971000-memory.dmp
    Filesize

    10.8MB

  • memory/4192-133-0x00007FFE08EB0000-0x00007FFE09971000-memory.dmp
    Filesize

    10.8MB

  • memory/4192-132-0x0000000000E60000-0x0000000000E76000-memory.dmp
    Filesize

    88KB

  • memory/4800-135-0x0000000000000000-mapping.dmp
  • memory/4972-140-0x0000000000000000-mapping.dmp
  • memory/4972-143-0x00007FFE08EB0000-0x00007FFE09971000-memory.dmp
    Filesize

    10.8MB

  • memory/4972-144-0x00007FFE08EB0000-0x00007FFE09971000-memory.dmp
    Filesize

    10.8MB

  • memory/5056-134-0x0000000000000000-mapping.dmp