Overview

overview

10

Static

static

3

AUNova.exe

windows7-x64

10

AUNova.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2024 05:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AUNova.exe

  • Size

    2.1MB

  • MD5

    3d37da85a895fc9dc6abb3885041d9ef

  • SHA1

    a80e01133d9a0fe9f4675bd127d46c9a283cdab3

  • SHA256

    fc5945aa217c7a8eca8d501693d491f5efdf88c629ab5758369db1ee6967517a

  • SHA512

    27e9f0c5da0f3fa05219d607de1816b3e4193f7a742e8ec41b9633653de4f020000ea1e97d000458694c82e9c58bd4583c495c4ec513b1a483b2c64b623ca413

  • SSDEEP

    24576:9GzSVNqaWt+eTVXydlYmVSdh0Tzt0ReIumwxmV59C6qBJETV/rkDJSTIDS4Fuvrm:czoNK9M7Y8GUzg9IY9C2VTQwvrYZzBJ

Score
10/10
asyncratxmrigdefaultevasionexecutionminerpersistenceratupx

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

193.161.193.99:53757

Mutex

hsaurcrgqwhjimnkbht

Attributes
  • delay

    1

  • install

    true

  • install_file

    Load.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Async RAT payload 1 IoCs
    rat
  • XMRig Miner payload 9 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 3 IoCs
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\AUNova.exe
    "C:\Users\Admin\AppData\Local\Temp\AUNova.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Users\Admin\AppData\Local\Temp\AU.exe
      "C:\Users\Admin\AppData\Local\Temp\AU.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2316
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3068
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:596
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
          • Drops file in Windows directory
          PID:380
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop UsoSvc
        3⤵
        • Launches sc.exe
        PID:692
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        3⤵
        • Launches sc.exe
        PID:1172
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        3⤵
        • Launches sc.exe
        PID:992
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        3⤵
        • Launches sc.exe
        PID:2704
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        3⤵
        • Launches sc.exe
        PID:2972
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1440
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1688
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:492
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:768
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe delete "svchost.exe"
        3⤵
        • Launches sc.exe
        PID:1960
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe create "svchost.exe" binpath= "C:\ProgramData\qfunhtryjkwt\iyjrynjkzgum.exe" start= "auto"
        3⤵
        • Launches sc.exe
        PID:2216
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        3⤵
        • Launches sc.exe
        PID:1928
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "svchost.exe"
        3⤵
        • Launches sc.exe
        PID:2536
    • C:\Users\Admin\AppData\Local\Temp\Load.exe
      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2748
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpABF8.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2860
        • C:\Users\Admin\AppData\Roaming\Load.exe
          "C:\Users\Admin\AppData\Roaming\Load.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2652
  • C:\ProgramData\qfunhtryjkwt\iyjrynjkzgum.exe
    C:\ProgramData\qfunhtryjkwt\iyjrynjkzgum.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1592
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Drops file in Windows directory
        PID:1160
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      2⤵
      • Launches sc.exe
      PID:568
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      2⤵
      • Launches sc.exe
      PID:1092
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      2⤵
      • Launches sc.exe
      PID:2148
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      2⤵
      • Launches sc.exe
      PID:1320
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      2⤵
      • Launches sc.exe
      PID:996
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:1364
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:1380
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2040
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:2020
      • C:\Windows\explorer.exe
        explorer.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2452

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Load.exe
      Filesize

      74KB

      MD5

      4fc5086bcb8939429aea99f7322e619b

      SHA1

      8d3bd7d005710a8ae0bd0143d18b437be20018d7

      SHA256

      e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd

      SHA512

      04e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpABF8.tmp.bat
      Filesize

      148B

      MD5

      e3455413c2fbac5a2fc4b8acd6484163

      SHA1

      e22fc2e1c62203904d654516bfac57e9b5cdf2ea

      SHA256

      7bf358679da5d81565a72543d69216ef9b548f58253a43625dbf97f4a9153966

      SHA512

      1469cc6e8d606aff498e51a81d4d755a50f0d660f11222a7bec9ce76f7914abe44aefb54fca9c6d593b855835277839bbe6416b16c0083655e159007ebfb7011

      Download Submit

    • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
      Filesize

      8B

      MD5

      cf759e4c5f14fe3eec41b87ed756cea8

      SHA1

      c27c796bb3c2fac929359563676f4ba1ffada1f5

      SHA256

      c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

      SHA512

      c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\AU.exe
      Filesize

      2.5MB

      MD5

      f81ff7313709cb4a94d7063aebe28410

      SHA1

      e85f7f1c21ad801d04dadaa3a52c3dae0120838a

      SHA256

      55b9842f81f3d83e47e72cff32f4ec903c9a06bd60ea631be3d6c463fcb457f8

      SHA512

      dc65acc20940e57799546a5e55ebec6ca8f57a1dc0033a4ef892a13991516e5cebe307bc73e3c98d7060eb352d043764fe5c2a6b94ea71b2d0c55d4e97930474

      Download Submit

    • memory/632-1-0x0000000000340000-0x000000000055A000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/632-3-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/632-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-16-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1592-48-0x0000000019D60000-0x000000001A042000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1592-49-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2020-56-0x0000000140000000-0x000000014000E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2020-50-0x0000000140000000-0x000000014000E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2020-52-0x0000000140000000-0x000000014000E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2020-53-0x0000000140000000-0x000000014000E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2020-55-0x0000000140000000-0x000000014000E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2020-51-0x0000000140000000-0x000000014000E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2396-28-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2396-31-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2396-20-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2396-18-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2396-17-0x00000000013A0000-0x00000000013B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2452-65-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-68-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-60-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-62-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-73-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-64-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-61-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-67-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-70-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-59-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-69-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-66-0x0000000000130000-0x0000000000150000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2452-63-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-72-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2452-71-0x0000000140000000-0x0000000140835000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2652-35-0x0000000000840000-0x0000000000858000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3068-41-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/3068-42-0x00000000029B0000-0x00000000029B8000-memory.dmp

      Filesize

      32KB

      Download