Analysis
max time kernel: 298s
max time network: 301s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-09-2022 08:42
Static task: static1
Behavioral task: behavioral1
  Sample: a.ps1
  Resource: win7-20220901-en (windows7-x64)
  3 signatures, 300 seconds
Behavioral task: behavioral2
  Sample: a.ps1
  Resource: win10v2004-20220812-en (windows10-2004-x64)
  9 signatures, 300 seconds
General
Target: a.ps1
Size: 567B
MD5: b3cd9511ce088df0735164e5f5e7761e
SHA1: 7ce808db75239f6931c3551d8ba96cc6d668967d
SHA256: 5f19a9226fad05ac74b065bf8691daf121a04c33469e712e684dc9162e67b2fb
SHA512: 30a023f496fcc2b43b0aba8ce113293cb902c17a1ab3f85848ecf66d35309faae3ba4d148efa4753ea75bb3fc97369db85235cec36de0017e132eadedfe20e7b
Score: 10/10
Malware Config
Extracted
Family: asyncrat
Version: 1.0.7
Botnet: Default
C2:
  zerocool888.duckdns.org:8848
  zerocool888.duckdns.org:8898
Mutex: DcRatMutex_imlegion
Attributes:
  delay: 1
  install: false
  install_folder: %AppData%
aes.plain
Signatures

Async RAT payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/5040-134-0x0000000000400000-0x0000000000416000-memory.dmp  asyncrat
  behavioral2/memory/5040-135-0x000000000041096E-mapping.dmp                    asyncrat

Blocklisted process makes network request (4 IoCs)
  flow  pid   process
  2     4572  powershell.exe
  7     4572  powershell.exe
  9     4572  powershell.exe
  14    4572  powershell.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc:         \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  process:     reg.exe
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\MacOS_sostemsing1nUsdf8ui3rwenIdfd9ftoieR.vbs = "C:\\ProgramData\\MacOS_sostemsing1nUsdf8ui3rwenIdfd9ftoieR\\MacOS_sostemsing1nUsdf8ui3rwenIdfd9ftoieR.vbs"
  process:     reg.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   process         target process
  PID 4572 set thread context of 5040  4572  powershell.exe  ngentask.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  4572  powershell.exe
  4572  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  4572  powershell.exe
  Token: SeDebugPrivilege  5040  ngentask.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   process         target process
  PID 4572 wrote to memory of 5040  4572  powershell.exe  ngentask.exe    (8 entries)
  PID 4572 wrote to memory of 4816  4572  powershell.exe  reg.exe         (2 entries)
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\a.ps1
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v MacOS_sostemsing1nUsdf8ui3rwenIdfd9ftoieR.vbs /d C:\ProgramData\MacOS_sostemsing1nUsdf8ui3rwenIdfd9ftoieR\MacOS_sostemsing1nUsdf8ui3rwenIdfd9ftoieR.vbs
    - Adds Run key to start application
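The extracted config and the behavioural signatures above translate directly into hunting rules: the loader command line (powershell -ExecutionPolicy bypass -File a.ps1); a .NET Framework binary (ngentask.exe) spawned by PowerShell with an empty argument list and then hit by SetThreadContext and WriteProcessMemory, i.e. process hollowing (the 0x400000-0x416000 payload region is a 32-bit image base, which matches the Framework rather than Framework64 path); reg.exe writing an HKCU RunOnce value that points at a .vbs under ProgramData; and the DuckDNS C2 host on ports 8848/8898. Two caveats: the config says install=false, so the RunOnce persistence here comes from the PowerShell loader rather than the RAT's own installer, and the report lists no drop of that .vbs, so the registry value is the more dependable hunt key. What follows is an added example written for this page, not Triage output and not AsyncRAT or loader code. It runs those rules over Sysmon-style events constructed inline to mirror the process tree (Event IDs 1, 3, 13 and 22); the hollowing-host list, dynamic-DNS suffixes, script extensions and the benign ngen.exe control event are assumptions to tune for your own telemetry.

```python
"""Hunting rules derived from this Triage run, applied to Sysmon-style events.
Added example, not Triage output. Events are constructed below to mirror the report.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# --- indicators copied from the report's Malware Config / Signatures -------
C2_HOSTS = {"zerocool888.duckdns.org"}
C2_PORTS = {8848, 8898}
RUNONCE_NAME = "MacOS_sostemsing1nUsdf8ui3rwenIdfd9ftoieR"
RUNONCE_PATH = "C:\\ProgramData\\" + RUNONCE_NAME + "\\" + RUNONCE_NAME + ".vbs"

# --- generalisations (assumptions, not stated in the report) ---------------
HOLLOW_HOSTS = {"ngentask.exe"}       # .NET binaries seen abused as hollowing targets
DDNS_SUFFIXES = (".duckdns.org",)     # DuckDNS is the only dynamic-DNS provider named above
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|ps1|bat|cmd|hta)\b", re.I)
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(ProgramData|AppData|Temp|Users\\Public)\\", re.I)

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _args(cmd: str) -> str:
    """Everything after the (possibly quoted) program token of a command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""

def rules_process_create(ev: Event) -> List[str]:
    image, parent = _base(str(ev.get("Image", ""))), _base(str(ev.get("ParentImage", "")))
    cmd, hits = str(ev.get("CommandLine", "")), []
    # the loader: powershell -ExecutionPolicy bypass -File <script>.ps1
    if image == "powershell.exe" and re.search(r"-ExecutionPolicy\s+bypass", cmd, re.I) \
            and re.search(r"-File\s+\S+\.ps1", cmd, re.I):
        hits.append("powershell_bypass_file")
    # a .NET host started by PowerShell with an empty argument list: the shape that
    # SetThreadContext + WriteProcessMemory hollowing leaves in process telemetry
    if parent == "powershell.exe" and image in HOLLOW_HOSTS and _args(cmd) == "":
        hits.append("dotnet_host_no_args_from_powershell")
    # reg.exe adding a Run/RunOnce value whose data is a script
    if image == "reg.exe" and re.search(r"\badd\b", cmd, re.I) \
            and re.search(r"\\CurrentVersion\\Run(Once)?\b", cmd, re.I) and SCRIPT_EXT.search(cmd):
        hits.append("reg_runonce_script")
    return hits

def rules_registry_set(ev: Event) -> List[str]:
    target, details = str(ev.get("TargetObject", "")), str(ev.get("Details", ""))
    if RUN_KEYS.search(target) and (SCRIPT_EXT.search(details) or USER_WRITABLE.search(details)):
        return ["runonce_value_to_script"]
    return []

def rules_network(ev: Event) -> List[str]:
    host, port = str(ev.get("DestinationHostname", "")).lower(), int(ev.get("DestinationPort", 0))
    if host in C2_HOSTS:
        return ["c2_connection"]
    if host.endswith(DDNS_SUFFIXES) and port in C2_PORTS:
        return ["ddns_on_asyncrat_port"]   # weaker: dynamic DNS plus a port from the config
    return []

def rules_dns(ev: Event) -> List[str]:
    name = str(ev.get("QueryName", "")).lower()
    if name in C2_HOSTS:
        return ["c2_dns_query"]
    return ["ddns_query"] if name.endswith(DDNS_SUFFIXES) else []

DISPATCH = {1: rules_process_create, 3: rules_network, 13: rules_registry_set, 22: rules_dns}

def hunt(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule, ProcessId) for every event that trips a rule, in event order."""
    out: List[Tuple[str, int]] = []
    for ev in events:
        for rule in DISPATCH.get(int(ev.get("EventID", 0)), lambda _e: [])(ev):
            out.append((rule, int(ev.get("ProcessId", 0))))
    return out

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
NGEN = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe"
REG = "C:\\Windows\\system32\\reg.exe"
SID = "S-1-5-21-2891029575-1462575-1165213807-1000"

# Constructed events mirroring the report's process tree; the last one is a benign control.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 4572, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy bypass -File C:\\Users\\Admin\\AppData\\Local\\Temp\\a.ps1"},
    {"EventID": 1, "ProcessId": 5040, "Image": NGEN, "ParentImage": PS, "CommandLine": f'"{NGEN}"'},
    {"EventID": 1, "ProcessId": 4816, "Image": REG, "ParentImage": PS,
     "CommandLine": f'"{REG}" add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'
                    f" /v {RUNONCE_NAME}.vbs /d {RUNONCE_PATH}"},
    {"EventID": 13, "ProcessId": 4816, "Image": REG, "Details": RUNONCE_PATH,
     "TargetObject": f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{RUNONCE_NAME}.vbs"},
    {"EventID": 22, "ProcessId": 5040, "Image": NGEN, "QueryName": "zerocool888.duckdns.org"},
    {"EventID": 3, "ProcessId": 5040, "Image": NGEN,
     "DestinationHostname": "zerocool888.duckdns.org", "DestinationPort": 8848},
    {"EventID": 1, "ProcessId": 6000, "Image": NGEN, "CommandLine": f'"{NGEN}" /RuntimeWide',
     "ParentImage": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngen.exe"},  # assumed benign NGEN launch
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:40s} pid {pid}")
```

Running the block prints one line per rule hit for the six events that mirror the report and nothing for the control event. The empty-argument-list check is what separates the hollowed ngentask.exe from a scheduled NGEN launch, so keep it even if you relax the parent-process condition; the registry rule keys on the value data (a script under a user-writable path) rather than on the random value name, which is the part an operator can change cheaply.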
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/4572-132-0x000001977A1C0000-0x000001977A1E2000-memory.dmp  Filesize 136KB
memory/4572-133-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp  Filesize 10.8MB
memory/4572-137-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp  Filesize 10.8MB
memory/4816-136-0x0000000000000000-mapping.dmp
memory/5040-134-0x0000000000400000-0x0000000000416000-memory.dmp  Filesize 88KB
memory/5040-135-0x000000000041096E-mapping.dmp