Analysis

  • max time kernel
    95s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/05/2023, 11:22

General

  • Target

    CASH OFFER AND PROOF OF FUNDS.exe

  • Size

    78KB

  • MD5

    9a40168e711a0bd875ee4c912c0357a0

  • SHA1

    96505a9fd271da437eff5c191fbfbc3572e5bdb4

  • SHA256

    be7c5be95e0d3f3c841b3dace8eb4c46acb9e42970324ee976a41ec210ae9f86

  • SHA512

    ca35e6c155044aa35b4194605b7ca2341b0c15f9e37228d46a99198d08cb3442d9d6c2d51d6a2c60490b68a9d7752e96a6dc75e5c28981d682602af0f74b6f8d

  • SSDEEP

    1536:guvph1oILHFw7Dunm48VoDYednpbM/9oI6eYnw7TPxdF8o75F943hh:jvph1oILHOXut8O86S9oRe8wfxvXX4

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

191.101.130.28:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • .NET Reactor protector 4 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CASH OFFER AND PROOF OF FUNDS.exe
    "C:\Users\Admin\AppData\Local\Temp\CASH OFFER AND PROOF OF FUNDS.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\MA.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\MA.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\CASH OFFER AND PROOF OF FUNDS.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4480
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 1
        3⤵
        PID:2352

    Network

          MITRE ATT&CK Enterprise v6

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\MA.exe

            Filesize

            520KB

            MD5

            bb1a64c7b6c9d5df1597b2d49b059e80

            SHA1

            efb690910d1179915ed1822c2878ab5186df2122

            SHA256

            a2182b8ab5276ecc8e6a874703394625e38929425476985c079bf330beca3226

            SHA512

            de267c490a28acc23f7b08cba86c15df8abe461bedcb98acee6c62b1b43c631a5928733ba8d59fe6b857792f70477c7e2515b31a05e2d5a6138f7baa1d783b24

          • memory/228-146-0x0000026D36B50000-0x0000026D36BD6000-memory.dmp

            Filesize

            536KB

          • memory/2176-133-0x0000000000B50000-0x0000000000B64000-memory.dmp

            Filesize

            80KB

          • memory/2176-134-0x00000000054D0000-0x00000000054E0000-memory.dmp

            Filesize

            64KB

          • memory/3916-148-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

          • memory/3916-150-0x0000000002A00000-0x0000000002A10000-memory.dmp

            Filesize

            64KB

          • memory/3916-151-0x0000000005660000-0x00000000056FC000-memory.dmp

            Filesize

            624KB

          • memory/3916-152-0x0000000005CB0000-0x0000000006254000-memory.dmp

            Filesize

            5.6MB

          • memory/3916-153-0x0000000005770000-0x00000000057D6000-memory.dmp

            Filesize

            408KB

          • memory/3916-154-0x00000000068E0000-0x0000000006956000-memory.dmp

            Filesize

            472KB

          • memory/3916-155-0x0000000006980000-0x000000000699E000-memory.dmp

            Filesize

            120KB

          • memory/3916-156-0x0000000002A00000-0x0000000002A10000-memory.dmp

            Filesize

            64KB