Analysis

  • max time kernel
    91s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/05/2023, 11:26

General

  • Target

    CASH OFFER AND PROOF OF FUNDS.exe

  • Size

    78KB

  • MD5

    9a40168e711a0bd875ee4c912c0357a0

  • SHA1

    96505a9fd271da437eff5c191fbfbc3572e5bdb4

  • SHA256

    be7c5be95e0d3f3c841b3dace8eb4c46acb9e42970324ee976a41ec210ae9f86

  • SHA512

    ca35e6c155044aa35b4194605b7ca2341b0c15f9e37228d46a99198d08cb3442d9d6c2d51d6a2c60490b68a9d7752e96a6dc75e5c28981d682602af0f74b6f8d

  • SSDEEP

    1536:guvph1oILHFw7Dunm48VoDYednpbM/9oI6eYnw7TPxdF8o75F943hh:jvph1oILHOXut8O86S9oRe8wfxvXX4

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

191.101.130.28:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • .NET Reactor protector 4 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CASH OFFER AND PROOF OF FUNDS.exe
    "C:\Users\Admin\AppData\Local\Temp\CASH OFFER AND PROOF OF FUNDS.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3848
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\MA.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\MA.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4308
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\CASH OFFER AND PROOF OF FUNDS.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 1
        3⤵
          PID:4920

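The process tree above gives a detection engineer four concrete shapes to key on: an executable dropped into and run from the user's Start Menu folder, the .NET utility caspol.exe launched with an empty command line by a parent living in a user profile (which, together with the SetThreadContext and WriteProcessMemory signatures on MA.exe, is consistent with the RAT being injected into caspol.exe), the `choice /C Y /N /D Y /T 1 & Del "..."` one-liner that removes the original dropper, and the C2 endpoint and file hashes from the config and download sections. The following is an added example, not the sandbox's own logic: a Python routine that runs those checks over Sysmon-style JSON events. The field names follow Sysmon's (EventID 1 process create, 3 network connect, 11 file create), the sample log is constructed to mirror this report's tree plus two benign events, and the rule names are this example's own.

```python
"""Match Sysmon-style JSON events against the indicators in the report above.

Added example: not the sandbox's own logic. Event field names follow Sysmon
(EventID 1 = process create, 3 = network connect, 11 = file create); the
sample log at the bottom is constructed to mirror the process tree in the report.
"""
import json
import re

# Indicators taken from the report: C2 endpoint and the two file hashes.
C2_HOST, C2_PORT = "191.101.130.28", 8808
KNOWN_SHA256 = {
    "be7c5be95e0d3f3c841b3dace8eb4c46acb9e42970324ee976a41ec210ae9f86",  # dropper
    "a2182b8ab5276ecc8e6a874703394625e38929425476985c079bf330beca3226",  # MA.exe
}

START_MENU_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\", re.I)
USER_PROFILE_RE = re.compile(r"^C:\\Users\\", re.I)
# caspol.exe launched with an empty command line by a parent in a user profile
# is the shape of the injection target seen in the tree; the hash changes per build.
CASPOL_RE = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\caspol\.exe$", re.I)
# Self-deletion one-liner from the tree: choice /C Y /N /D Y /T 1 & Del "<dropper>"
SELF_DELETE_RE = re.compile(r"choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*Del\s+", re.I)


def sha256_of(ev):
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in ev.get("Hashes", "").split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def rules(ev):
    """Return the names of every rule the event matches (names are this example's own)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        cmdline = ev.get("CommandLine", "").strip()
        if START_MENU_RE.search(image):
            hits.append("exe_run_from_start_menu")
        if (CASPOL_RE.search(image) and USER_PROFILE_RE.match(parent)
                and cmdline.strip('"').lower() == image.lower()):
            hits.append("caspol_spawned_from_user_path")
        if image.lower().endswith("\\cmd.exe") and SELF_DELETE_RE.search(cmdline):
            hits.append("choice_del_self_delete")
        if sha256_of(ev) in KNOWN_SHA256:
            hits.append("known_sha256")
    elif eid == 3:
        if (ev.get("DestinationIp") == C2_HOST
                and int(ev.get("DestinationPort", 0)) == C2_PORT):
            hits.append("asyncrat_c2_connect")
    elif eid == 11:
        if START_MENU_RE.search(ev.get("TargetFilename", "")):
            hits.append("exe_dropped_in_start_menu")
    return hits


def scan(lines):
    """Return (EventID, subject path, [rule names]) for every event that matched."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hits = rules(ev)
        if hits:
            subject = ev.get("TargetFilename") if ev.get("EventID") == 11 else ev.get("Image", "")
            findings.append((ev["EventID"], subject, hits))
    return findings


# Constructed sample log (Sysmon-like JSON lines) mirroring the process tree above,
# followed by two benign events that must not match.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\CASH OFFER AND PROOF OF FUNDS.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CASH OFFER AND PROOF OF FUNDS.exe\"", "ParentImage": "C:\\Windows\\explorer.exe", "Hashes": "SHA256=BE7C5BE95E0D3F3C841B3DACE8EB4C46ACB9E42970324EE976A41EC210AE9F86"}
{"EventID": 11, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\CASH OFFER AND PROOF OF FUNDS.exe", "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\MA.exe"}
{"EventID": 1, "Image": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\MA.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\MA.exe\"", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\CASH OFFER AND PROOF OF FUNDS.exe", "Hashes": "SHA256=A2182B8AB5276ECC8E6A874703394625E38929425476985C079BF330BECA3226"}
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\caspol.exe", "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\caspol.exe\"", "ParentImage": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\MA.exe"}
{"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /C choice /C Y /N /D Y /T 1 & Del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\CASH OFFER AND PROOF OF FUNDS.exe\"", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\CASH OFFER AND PROOF OF FUNDS.exe"}
{"EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\caspol.exe", "DestinationIp": "191.101.130.28", "DestinationPort": 8808}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "8.8.8.8", "DestinationPort": 53}
'''

if __name__ == "__main__":
    for eid, subject, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"EventID {eid:<2} {subject}\n    -> {', '.join(hits)}")
```

The hash and C2 rules are the brittle ones: a rebuilt sample or a new AsyncRAT build changes both, while the behavioural rules (Start Menu drop, argument-less caspol.exe from a user-profile parent, the choice/Del self-delete) survive recompilation and are the ones worth keeping once this particular sample is no longer in circulation.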
Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\MA.exe

    Filesize

    520KB

    MD5

    bb1a64c7b6c9d5df1597b2d49b059e80

    SHA1

    efb690910d1179915ed1822c2878ab5186df2122

    SHA256

    a2182b8ab5276ecc8e6a874703394625e38929425476985c079bf330beca3226

    SHA512

    de267c490a28acc23f7b08cba86c15df8abe461bedcb98acee6c62b1b43c631a5928733ba8d59fe6b857792f70477c7e2515b31a05e2d5a6138f7baa1d783b24

  • memory/3848-133-0x0000000000970000-0x0000000000984000-memory.dmp

    Filesize

    80KB

  • memory/3848-134-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

    Filesize

    64KB

  • memory/4128-146-0x00000212935D0000-0x0000021293656000-memory.dmp

    Filesize

    536KB

  • memory/4308-148-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/4308-150-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB

  • memory/4308-153-0x0000000005700000-0x000000000579C000-memory.dmp

    Filesize

    624KB

  • memory/4308-154-0x0000000005D50000-0x00000000062F4000-memory.dmp

    Filesize

    5.6MB

  • memory/4308-155-0x0000000005810000-0x0000000005876000-memory.dmp

    Filesize

    408KB

  • memory/4308-156-0x0000000006700000-0x0000000006776000-memory.dmp

    Filesize

    472KB

  • memory/4308-157-0x00000000067D0000-0x00000000067EE000-memory.dmp

    Filesize

    120KB

  • memory/4308-158-0x0000000004E50000-0x0000000004E60000-memory.dmp

    Filesize

    64KB