Overview

overview

10

Static

static

10

a.ps1

windows7-x64

8

a.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    298s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-09-2022 08:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a.ps1

  • Size

    567B

  • MD5

    b3cd9511ce088df0735164e5f5e7761e

  • SHA1

    7ce808db75239f6931c3551d8ba96cc6d668967d

  • SHA256

    5f19a9226fad05ac74b065bf8691daf121a04c33469e712e684dc9162e67b2fb

  • SHA512

    30a023f496fcc2b43b0aba8ce113293cb902c17a1ab3f85848ecf66d35309faae3ba4d148efa4753ea75bb3fc97369db85235cec36de0017e132eadedfe20e7b

Score
10/10
asyncratdefaultpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

zerocool888.duckdns.org:8848

zerocool888.duckdns.org:8898
Mutex

DcRatMutex_imlegion

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\a.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5040
    • C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v MacOS_sostemsing1nUsdf8ui3rwenIdfd9ftoieR.vbs /d C:\ProgramData\MacOS_sostemsing1nUsdf8ui3rwenIdfd9ftoieR\MacOS_sostemsing1nUsdf8ui3rwenIdfd9ftoieR.vbs
      2⤵
      • Adds Run key to start application
      PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4572-132-0x000001977A1C0000-0x000001977A1E2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4572-133-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4572-137-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4816-136-0x0000000000000000-mapping.dmp
    Download
  • memory/5040-134-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize

    88KB

    Download
  • memory/5040-135-0x000000000041096E-mapping.dmp
    Download