Overview

overview

10

Static

static

aaf4a4acaa...28.ps1

windows7-x64

1

aaf4a4acaa...28.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    80s
  • max time network
    82s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2022 18:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aaf4a4acaa8e45b1cbd8a3da7c988ba6465a3a2a714abaacb632230e91556d28.ps1

  • Size

    187KB

  • MD5

    a345138c96b8d5b50e401192b819d49d

  • SHA1

    bdcc4ef88b1d5377409ad2f45fcb4e04d8fba5c3

  • SHA256

    aaf4a4acaa8e45b1cbd8a3da7c988ba6465a3a2a714abaacb632230e91556d28

  • SHA512

    942d48b221dbe2a67b9edc5992aef3a54438befe715ded5996437b17ed2ccad1c647b74273792567819c3cca8f95940595cbd8e25d9c6a43c391452770c77bed

  • SSDEEP

    3072:ngijttzaOYYzmqIzDNSuoT3ApmNwLqU/QIU:nT/zaOYYz4zDNo3Apm6qU/QIU

Score
10/10
asyncrataaaaaaaaaaaa+++aaaaaaaaaaaarat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

AAAAAAAAAAAA+++AAAAAAAAAAAA

C2

chromedata.accesscam.org:7707

chromedata.accesscam.org:4404

chromedata.accesscam.org:5505

chromedata.accesscam.org:3303

chromedata.accesscam.org:2222

chromedata.accesscam.org:6606

chromedata.accesscam.org:8808

chromedata.accesscam.org:5155

chromedata.accesscam.org:5122

chromedata.accesscam.org:8001

chromedata.accesscam.org:9000

chromedata.accesscam.org:9999

chromedata.accesscam.org:8888

cdt.3utilities.com:7707

cdt.3utilities.com:4404

cdt.3utilities.com:5505

cdt.3utilities.com:3303

cdt.3utilities.com:2222

cdt.3utilities.com:6606

cdt.3utilities.com:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    DesbravadorUpdata.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 32 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\aaf4a4acaa8e45b1cbd8a3da7c988ba6465a3a2a714abaacb632230e91556d28.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:2740
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
          PID:2476
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RequestTrace.ps1xml
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:2388
      • C:\Windows\system32\werfault.exe
        werfault.exe /h /shared Global\e1a304418e68475e95aa6b949b45983e /t 1880 /p 2388
        1⤵
          PID:4348
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /0
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2064

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1084-132-0x000001A6310D0000-0x000001A6310F2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1084-133-0x00007FFC86D70000-0x00007FFC87831000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1084-136-0x00007FFC86D70000-0x00007FFC87831000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/2476-134-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/2476-135-0x000000000040DD7E-mapping.dmp
          Download