Analysis
max time kernel: 95s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/05/2023, 11:22
Static task: static1
Behavioral task: behavioral1
Sample: CASH OFFER AND PROOF OF FUNDS.exe
Resource: win7-20230220-en
General
Target: CASH OFFER AND PROOF OF FUNDS.exe
Size: 78KB
MD5: 9a40168e711a0bd875ee4c912c0357a0
SHA1: 96505a9fd271da437eff5c191fbfbc3572e5bdb4
SHA256: be7c5be95e0d3f3c841b3dace8eb4c46acb9e42970324ee976a41ec210ae9f86
SHA512: ca35e6c155044aa35b4194605b7ca2341b0c15f9e37228d46a99198d08cb3442d9d6c2d51d6a2c60490b68a9d7752e96a6dc75e5c28981d682602af0f74b6f8d
SSDEEP: 1536:guvph1oILHFw7Dunm48VoDYednpbM/9oI6eYnw7TPxdF8o75F943hh:jvph1oILHOXut8O86S9oRe8wfxvXX4
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 191.101.130.28:8808
Mutex: AsyncMutex_6SI8OkPnk
Attributes
delay: 3
install: false
install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
resource | yara_rule
behavioral2/memory/3916-148-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat

Downloads MZ/PE file
.NET Reactor protector (4 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource | yara_rule
behavioral2/files/0x000c000000021593-139.dat | net_reactor
behavioral2/files/0x000c000000021593-144.dat | net_reactor
behavioral2/files/0x000c000000021593-145.dat | net_reactor
behavioral2/memory/228-146-0x0000026D36B50000-0x0000026D36BD6000-memory.dmp | net_reactor
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | CASH OFFER AND PROOF OF FUNDS.exe

Executes dropped EXE (1 IoC)
pid | Process
228 | MA.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 228 set thread context of 3916 | 228 | MA.exe | 90

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2176 | CASH OFFER AND PROOF OF FUNDS.exe
Token: SeDebugPrivilege | 3916 | caspol.exe

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 2176 wrote to memory of 228 | 2176 | CASH OFFER AND PROOF OF FUNDS.exe | 86
PID 2176 wrote to memory of 228 | 2176 | CASH OFFER AND PROOF OF FUNDS.exe | 86
PID 2176 wrote to memory of 4480 | 2176 | CASH OFFER AND PROOF OF FUNDS.exe | 87
PID 2176 wrote to memory of 4480 | 2176 | CASH OFFER AND PROOF OF FUNDS.exe | 87
PID 2176 wrote to memory of 4480 | 2176 | CASH OFFER AND PROOF OF FUNDS.exe | 87
PID 4480 wrote to memory of 2352 | 4480 | cmd.exe | 89
PID 4480 wrote to memory of 2352 | 4480 | cmd.exe | 89
PID 4480 wrote to memory of 2352 | 4480 | cmd.exe | 89
PID 228 wrote to memory of 3916 | 228 | MA.exe | 90
PID 228 wrote to memory of 3916 | 228 | MA.exe | 90
PID 228 wrote to memory of 3916 | 228 | MA.exe | 90
PID 228 wrote to memory of 3916 | 228 | MA.exe | 90
PID 228 wrote to memory of 3916 | 228 | MA.exe | 90
PID 228 wrote to memory of 3916 | 228 | MA.exe | 90
PID 228 wrote to memory of 3916 | 228 | MA.exe | 90
PID 228 wrote to memory of 3916 | 228 | MA.exe | 90
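The WriteProcessMemory and SetThreadContext tables above are the raw evidence of process hollowing: MA.exe (PID 228) writes to caspol.exe (PID 3916) eight times, section by section, and then resets its main thread's context, whereas the parent-to-child writes (2176 to 228, 2176 to 4480, 4480 to 2352) are the two or three writes that normally accompany process creation. The following Python script is an added example, not part of the report or of any sandbox's own code; it parses rows in the layout shown above and flags the hollowing pair. The input rows and the pid-to-image map are copied from this report, and the bulk-write threshold is an assumption for the example.

```python
"""Reconstruct the injection chain from flattened WriteProcessMemory /
SetThreadContext signature rows of a sandbox report (added example)."""
import re
from collections import defaultdict

# One row: "PID <src> <action> <dst> <src> <process image name> <procid_target>".
# The image name may contain spaces, so it is matched lazily up to the trailing number.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>.+?) (?P<target_ref>\d+)$"
)

# Constructed input: the rows of the two signature tables in this report.
SIGNATURE_ROWS = """
PID 2176 wrote to memory of 228 2176 CASH OFFER AND PROOF OF FUNDS.exe 86
PID 2176 wrote to memory of 228 2176 CASH OFFER AND PROOF OF FUNDS.exe 86
PID 2176 wrote to memory of 4480 2176 CASH OFFER AND PROOF OF FUNDS.exe 87
PID 2176 wrote to memory of 4480 2176 CASH OFFER AND PROOF OF FUNDS.exe 87
PID 2176 wrote to memory of 4480 2176 CASH OFFER AND PROOF OF FUNDS.exe 87
PID 4480 wrote to memory of 2352 4480 cmd.exe 89
PID 4480 wrote to memory of 2352 4480 cmd.exe 89
PID 4480 wrote to memory of 2352 4480 cmd.exe 89
PID 228 wrote to memory of 3916 228 MA.exe 90
PID 228 wrote to memory of 3916 228 MA.exe 90
PID 228 wrote to memory of 3916 228 MA.exe 90
PID 228 wrote to memory of 3916 228 MA.exe 90
PID 228 wrote to memory of 3916 228 MA.exe 90
PID 228 wrote to memory of 3916 228 MA.exe 90
PID 228 wrote to memory of 3916 228 MA.exe 90
PID 228 wrote to memory of 3916 228 MA.exe 90
PID 228 set thread context of 3916 228 MA.exe 90
"""

# pid -> image path, copied from the report's process tree.
PROCESS_TREE = {
    2176: r"C:\Users\Admin\AppData\Local\Temp\CASH OFFER AND PROOF OF FUNDS.exe",
    228: r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\MA.exe",
    3916: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe",
    4480: r"C:\Windows\SysWOW64\cmd.exe",
    2352: r"C:\Windows\SysWOW64\choice.exe",
}

# Assumption for this example: a parent touches a freshly created child a few
# times; a hollowing loader writes each PE section of the payload separately.
BULK_WRITE_THRESHOLD = 4


def parse_rows(text):
    """Parse signature rows into (src_pid, action, dst_pid, src_image) tuples."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append((int(m["src"]), m["action"], int(m["dst"]), m["image"]))
    return rows


def find_injection(rows, tree):
    """Group cross-process writes by (src, dst) and flag hollowing candidates."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False})
    for src, action, dst, _ in rows:
        entry = pairs[(src, dst)]
        if action == "wrote to memory of":
            entry["writes"] += 1
        else:
            entry["set_context"] = True

    findings = []
    for (src, dst), entry in sorted(pairs.items()):
        # SetThreadContext on a process you also wrote to is the hollowing tell;
        # a plain create-and-write (parent -> child) with few writes is not reported.
        if not entry["set_context"] and entry["writes"] < BULK_WRITE_THRESHOLD:
            continue
        target = tree.get(dst, "?")
        findings.append({
            "injector_pid": src,
            "injector": tree.get(src, "?"),
            "target_pid": dst,
            "target": target,
            "writes": entry["writes"],
            "set_context": entry["set_context"],
            # a signed .NET framework utility as the host is the classic .NET loader trick
            "dotnet_framework_host": target.lower().startswith("c:\\windows\\microsoft.net\\"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_injection(parse_rows(SIGNATURE_ROWS), PROCESS_TREE):
        print(finding)
```

Run against this report's rows, the script reports exactly one pair, 228 (MA.exe) into 3916 (caspol.exe), with eight writes and a thread-context reset, and marks the target as a .NET framework host; the parent-child pairs are silently dropped.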
Processes
C:\Users\Admin\AppData\Local\Temp\CASH OFFER AND PROOF OF FUNDS.exe (PID 2176)
  command line: "C:\Users\Admin\AppData\Local\Temp\CASH OFFER AND PROOF OF FUNDS.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\MA.exe (PID 228)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\MA.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe (PID 3916)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 4480)
    command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\CASH OFFER AND PROOF OF FUNDS.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\choice.exe (PID 2352)
      command line: choice /C Y /N /D Y /T 1
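The tree shows three behaviours worth a process-creation detection: the dropper executes a file it placed in the user's Start Menu folder, that file launches caspol.exe from the .NET framework directory with no arguments (the hollowing host), and the dropper spawns cmd.exe with the `choice /C Y /N /D Y /T 1 & Del "<own path>"` idiom, where `choice` waits one second so the dropper has exited before `del` removes it. The Python below is an added example, not code from the report or from any sandbox; it runs the three rules over simplified Sysmon Event ID 1 style records rebuilt by hand from this tree. The explorer.exe parent of the first process and its PID are assumed, and the list of .NET utilities treated as hollowing hosts is an illustrative assumption.

```python
"""Process-creation detections for the chain in this report (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (subset of Sysmon Event ID 1 fields)."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\CASH OFFER AND PROOF OF FUNDS.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\MA.exe"
CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"

# Constructed events, one per process in the tree (explorer.exe parent is assumed).
EVENTS = [
    ProcEvent(2176, SAMPLE, f'"{SAMPLE}"', 1234, r"C:\Windows\explorer.exe"),
    ProcEvent(228, DROPPED, f'"{DROPPED}"', 2176, SAMPLE),
    ProcEvent(3916, CASPOL, f'"{CASPOL}"', 228, DROPPED),
    ProcEvent(4480, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "{SAMPLE}"',
              2176, SAMPLE),
    ProcEvent(2352, r"C:\Windows\SysWOW64\choice.exe", "choice /C Y /N /D Y /T 1",
              4480, r"C:\Windows\SysWOW64\cmd.exe"),
]

# "choice ... & del <path>": choice sleeps /T seconds, then del removes the file.
SELF_DELETE_RE = re.compile(
    r'choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*del\s+"?(?P<path>[^"]+)"?', re.I
)
DOTNET_FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\framework"
# .NET framework utilities commonly abused as hollowing hosts (illustrative, an assumption).
DOTNET_HOSTS = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) findings for the three behaviours in the tree."""
    findings = []
    for ev in events:
        image = ev.image.lower()
        parent = ev.parent_image.lower()
        # 1. cmd.exe deleting the binary of the process that spawned it
        if _basename(image) == "cmd.exe":
            m = SELF_DELETE_RE.search(ev.command_line)
            if m and m["path"].strip().lower() == parent:
                findings.append(("self_delete_parent", ev.pid, ev.parent_image))
        # 2. .NET framework utility started with no arguments by a user-path parent
        if image.startswith(DOTNET_FRAMEWORK_DIR) and _basename(image) in DOTNET_HOSTS:
            bare = ev.command_line.strip().strip('"').lower() == image
            if bare and parent.startswith(USER_WRITABLE):
                findings.append(("dotnet_host_no_args", ev.pid, ev.parent_image))
        # 3. executable run from the Start Menu folder by a Temp-resident parent
        if "\\start menu\\" in image and "\\appdata\\local\\temp\\" in parent:
            findings.append(("start_menu_drop_exec", ev.pid, ev.image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule}: pid={pid} {detail}")
```

Rule 1 compares the deleted path with the parent's image rather than matching the `choice` idiom alone, because the same one-liner appears in legitimate installers that clean up a temp file; rule 2 keys on an argument-less launch because the framework utilities do real work only when given input.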
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 520KB
MD5: bb1a64c7b6c9d5df1597b2d49b059e80
SHA1: efb690910d1179915ed1822c2878ab5186df2122
SHA256: a2182b8ab5276ecc8e6a874703394625e38929425476985c079bf330beca3226
SHA512: de267c490a28acc23f7b08cba86c15df8abe461bedcb98acee6c62b1b43c631a5928733ba8d59fe6b857792f70477c7e2515b31a05e2d5a6138f7baa1d783b24