Analysis

  • max time kernel
    20s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/03/2023, 03:21

General

  • Target

    Christine-Fink_ByZ‮rar.scr

  • Size

    173.3MB

  • MD5

    acda0aa3ac109f59131c728eea4b06d8

  • SHA1

    0cf9a9b70bcb179c24e54b56003176e111c8646d

  • SHA256

    b9ddb91a6de8542f1bbf920fbf40cc84780e18a3865b4f6407b4b168af0d13c5

  • SHA512

    93e50e73a24a84b186ecd9f7ce3e512ada50b2c4c411d076b2829310c54db02323d3f5529bb11d22f21b76cd49e975925a84c7749d92b397bb9509b3e8796e85

  • SSDEEP

    1572864:RgkU31ipgnoAQ3GJ/j7gbZQwxx3WIXHQmBUucN:RgkU1SrBm/fI3QiXcN

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

Mutex

Mutex

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/3Z9zi18j

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZ‮rar.scr
    "C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZ‮rar.scr" /S
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\Users\Admin\AppData\Local\Temp\csrss.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4680
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4112

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\csrss.exe

            Filesize

            48KB

            MD5

            80536cf3325d6dbd0d961300bce4e707

            SHA1

            58c1868bc443e509d9fa2d268c6bd0be66e52ebd

            SHA256

            ddef87f68cddede60375bb1dc0b44842166362d04040851894a9583805bfd831

            SHA512

            5786ffe93fa20e6adf359d2af94a6d27a793279361a6dbb0ab117b1aae93c306333dccaeeedfe7e6f435624a19a705afde9b4775d78d296f8caa1c2a71db298b

          • memory/4404-133-0x0000000000400000-0x0000000001400000-memory.dmp

            Filesize

            16.0MB

          • memory/4680-214-0x0000000000E10000-0x0000000000E22000-memory.dmp

            Filesize

            72KB