Overview

overview

10

Static

static

chris-server.ps1

windows7-x64

10

chris-server.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2022 07:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    chris-server.ps1

  • Size

    255KB

  • MD5

    7a82388b85eb4abac99ef658d7b0d1cf

  • SHA1

    45cef26f5d4397ea8155857520a11a141ba465e2

  • SHA256

    44b973071a7a8b22ab1a3defe1b2ec8028c39de957180e9a71e09b48c0d8a641

  • SHA512

    2a112f190f56d9d2aad7e3b68369e45c89650334561ce9b7eca37a24e4b81089282b1889e9f0df501ae6c9f4430b686ec6a9c46d140740d002c143520c6dd723

  • SSDEEP

    6144:wRQRmeIR/ENCsO8cruAw9GH8dIhpk/Gkk4DwS:SXY7kHhpckLS

Score
10/10
asyncratdefaultpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

107.173.63.199:5656

Mutex

Monster_Master72381936781263781

Attributes
  • delay

    3

  • install

    false

  • install_file

    Explorer.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Async RAT payload 2 IoCs
    rat
  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\chris-server.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.vbs"
        3⤵
          PID:2280
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.bat
      1⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4900
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:1872
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:3488
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\RUCXFGHJUCVOFVUZVIPNCG.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\RUCXFGHJUCVOFVUZVIPNCG.ps1'"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4692
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              5⤵
                PID:4324

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.bat
        Filesize

        706B

        MD5

        c5dc49fe999bbd184028c2322216f34f

        SHA1

        6de54f03eaf77fe28e88f6ad461b37371da0db0c

        SHA256

        34bd396295ba567cc78dfa910e6e9db8d54b35df73a553c91a407f067bbe2241

        SHA512

        e30064f421f37310bb6a3156e1f54fe7cb7988bc26947ebef7d1933ba7b912077cc855ebb9d5da18aa5a8f92043c5cbab887212f9a5a9810e07eebfc23168454

        Download Submit
      • C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.ps1
        Filesize

        3KB

        MD5

        c800c44beca2cfa73dc8113cb84e90d4

        SHA1

        aca79156fb80732bc556472574f04d40b3d4a0e2

        SHA256

        4f72092255c228f5c03546a3c351baae4f3bb9d6eb8aeb0c709c74da6ec9f09d

        SHA512

        e384d770f00c566d3246f0aa67b47033bad4713e0c5341e258b951e26bee4205ec9037732393b06b2966903f216dd0c55791c6d6c067a543c93de53cd126f466

        Download Submit
      • C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.vbs
        Filesize

        2KB

        MD5

        6be2ca965d6ec7eed5fc2ca94c70be5d

        SHA1

        127a21034790b8f07a4c6c95b64b0253011df068

        SHA256

        a134febf91fe6fe748bfe937aefa809349f3c36a5791516d4cfc5bf7f2db9525

        SHA512

        da9a71167f22f394f72fbf153571b75dbce4642331f5d59b2f6cb7e4f64a3faf7267b188760e74d27804b70f55d83f3e44ae77a6344d80039d59658571d83565

        Download Submit
      • C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\RUCXFGHJUCVOFVUZVIPNCG.ps1
        Filesize

        245KB

        MD5

        9003c61627db62d6d2091d2b6383a630

        SHA1

        1b80514173761d3627d737b1e7dea52abb5c8761

        SHA256

        864e1a7757e96375629837f696cbf6ac1d3db941949dbdbaa52538ee0d4010da

        SHA512

        deb3db4961ec6d49a11ebc143a8d54c1c383dd27dd753638b766fd7877a27cd7c69de8bf8691b248f10f0bbee787f487fb1e6ff5fea5b3a0e3bdb6ddd16f3c33

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        00e7da020005370a518c26d5deb40691

        SHA1

        389b34fdb01997f1de74a5a2be0ff656280c0432

        SHA256

        a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

        SHA512

        9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        806286a9ea8981d782ba5872780e6a4c

        SHA1

        99fe6f0c1098145a7b60fda68af7e10880f145da

        SHA256

        cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

        SHA512

        362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        02a1a26525c65a359d41483180eaa6f7

        SHA1

        c0e2578b92d20e925c1c87016d1a9fccee1ec56f

        SHA256

        d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e

        SHA512

        d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        5caad758326454b5788ec35315c4c304

        SHA1

        3aef8dba8042662a7fcf97e51047dc636b4d4724

        SHA256

        83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

        SHA512

        4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

        Download Submit
      • memory/1316-152-0x00007FF970370000-0x00007FF970E31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1316-134-0x00007FF970370000-0x00007FF970E31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1316-133-0x00007FF970370000-0x00007FF970E31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1316-132-0x0000018F77100000-0x0000018F77122000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1872-142-0x0000000000000000-mapping.dmp
        Download
      • memory/2280-138-0x0000000000000000-mapping.dmp
        Download
      • memory/3488-143-0x0000000000000000-mapping.dmp
        Download
      • memory/3752-146-0x00007FF970370000-0x00007FF970E31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3752-159-0x00007FF970370000-0x00007FF970E31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3796-149-0x00007FF970370000-0x00007FF970E31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3796-136-0x00007FF970370000-0x00007FF970E31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3796-135-0x0000000000000000-mapping.dmp
        Download
      • memory/4324-163-0x0000000005310000-0x0000000005376000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4324-162-0x0000000005E70000-0x0000000006414000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4324-161-0x0000000005820000-0x00000000058BC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4324-155-0x000000000040D06E-mapping.dmp
        Download
      • memory/4324-154-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4324-160-0x0000000000830000-0x0000000000842000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4516-144-0x0000000000000000-mapping.dmp
        Download
      • memory/4692-148-0x00007FF970370000-0x00007FF970E31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4692-157-0x00007FF970370000-0x00007FF970E31000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4692-153-0x0000017CEA6E0000-0x0000017CEA6FA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4692-145-0x0000000000000000-mapping.dmp
        Download
      • memory/4900-140-0x0000000000000000-mapping.dmp
        Download