Overview

overview

10

Static

static

BmckepSR.ps1

windows7_x64

1

BmckepSR.ps1

windows10_x64

10

Analysis

  • max time kernel
    77s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-05-2021 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BmckepSR.ps1

  • Size

    102KB

  • MD5

    f7d5a302748c4a9597c27349e3f63fd1

  • SHA1

    fcc71d41687fa5f221b25a76ce1df4223b813ffd

  • SHA256

    9c6c9115420eb317d294ae65768bb0f65facd77fb3df489a7a8f301808ecfecf

  • SHA512

    6a0400bc555f258ee05fddadee852b465ace689fbe08032bd12902c3fd75bb733c58bfed2767174546a27f56ee421445d8cbbc5f7cbfc81d8d8e3fa390806cc1

Score
10/10
asyncratrat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\BmckepSR.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\txxi44nw\txxi44nw.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:648
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B9C.tmp" "c:\Users\Admin\AppData\Local\Temp\txxi44nw\CSC7B437A74882E4100A1AAE88329A26A7.TMP"
        3⤵
          PID:2180
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
          PID:724
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3580
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2EC1.tmp.bat""
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:804
            • C:\Windows\SysWOW64\timeout.exe
              timeout 3
              4⤵
              • Delays execution with timeout.exe
              PID:1112

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES1B9C.tmp
        MD5

        709c97cd91546b9b1d1e94afc17b74a9

        SHA1

        47c61c5a6b05e40566a89bb5cbcc1bac0513da75

        SHA256

        c79974592499a2994bf3ef1a28f653cd172a16c2f78508928cf9974b2c5f4dce

        SHA512

        0971a6f5b0c4617dd4f499c88117808ad18ce0fcfb779597f1aa832c088a3f0c982f03b6e84860977613c308ab8fcaec367fba8540d6432b7f94c015f8f3bbcd

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp2EC1.tmp.bat
        MD5

        1ffcb52043f40edc5bf6f11f439db4c7

        SHA1

        28f6f5c2dd597c9e9396c57e269ec776a42ef18c

        SHA256

        03a390753be121f09844a59b476713fba9a635aed805948aa1af9df3f1a1de7e

        SHA512

        e474a6e9e45ef95019d5516e3df83227fc4125c4109ee087459de921a3b928ffc592e82f1108207becf3b7f2c770953c9bb262158ca631a610c2f1c4d1976c3d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\txxi44nw\txxi44nw.dll
        MD5

        5b40eaa537e10ce4f76ecb7e8e64b815

        SHA1

        bceb0aaac2084250898c63f58a3b830484ce4593

        SHA256

        c983240657624dcdd76b8f7ffd1985d3ce53eaa6344bacc6dc5dc2aa93b78ee7

        SHA512

        1a96083d21d6ecf2ac95c9ae832a52548c292ef0316c3929766aa3f106ec66ca8cf6a3380a988174fcd7c2ae4f016160dc4b8527bad7b108165135165f7d5426

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\txxi44nw\CSC7B437A74882E4100A1AAE88329A26A7.TMP
        MD5

        2efe27c7796f3ad36c747ac526fe00db

        SHA1

        e7acd5b5bbd468e8d3ad04c730211a70e8183767

        SHA256

        710488952e1f8e5a3205e3dcffcb31ab65d07ceab455e6ee79c5f05a621b8b75

        SHA512

        4793a5422d6fc57ce4870c3e4bd0ead0ae20183858d60cb8b54376d73e1379d8f4fbaec3217181a3b01940cfe2ac2df56560468dad88794f1167611e497bc7a9

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\txxi44nw\txxi44nw.0.cs
        MD5

        e03b1e7ba7f1a53a7e10c0fd9049f437

        SHA1

        3bb851a42717eeb588eb7deadfcd04c571c15f41

        SHA256

        3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

        SHA512

        a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\txxi44nw\txxi44nw.cmdline
        MD5

        571adb632e81abb61914e363700c13cd

        SHA1

        de0b16101e4b04eb17fad5a90e52148838bfafb9

        SHA256

        1be185cbf1788b47136ed39e1d83e64bfea3bd294ef34d724fff136036d1b932

        SHA512

        fbd033dfb5141d47438bfb4ce05fa7938e08e6ca0a57a504cc1bd45847bc77521af2db1bd435b4c8d06175da3530be8ae1376fcdb367bb803665d5e7bab12f25

        Download Submit
      • memory/648-177-0x0000000000000000-mapping.dmp
        Download
      • memory/804-190-0x0000000000000000-mapping.dmp
        Download
      • memory/1112-192-0x0000000000000000-mapping.dmp
        Download
      • memory/1736-118-0x000001C135830000-0x000001C135831000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1736-123-0x000001C135B20000-0x000001C135B21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1736-122-0x000001C135893000-0x000001C135895000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1736-184-0x000001C135AA0000-0x000001C135AA4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1736-188-0x000001C135896000-0x000001C135898000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1736-119-0x000001C135890000-0x000001C135892000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2180-180-0x0000000000000000-mapping.dmp
        Download
      • memory/3580-187-0x000000000040C71E-mapping.dmp
        Download
      • memory/3580-189-0x0000000004BE0000-0x0000000004BE1000-memory.dmp
        Filesize

        4KB

        Download