Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 09:01
Static task: static1
Behavioral task: behavioral1, sample a.exe, resource win7-20220901-en
Behavioral task: behavioral2, sample a.exe, resource win10v2004-20220812-en
Behavioral task: behavioral3, sample b.ps1, resource win7-20220901-en
Behavioral task: behavioral4, sample b.ps1, resource win10v2004-20220812-en
General
Target: b.ps1
Size: 310KB
MD5: 220e9238b05cb802d63f7d79d11b2a32
SHA1: 77324ddee92b5ee1c2d50680ea15dd6e28ef402b
SHA256: 248d8893d926c765d168bd48211650094dbcf8a8988c448f3b271c41bec8ca9d
SHA512: 748f9149ceaa46789938d66a87dad5c92a9beea65a7c84c07fa42378fdee70b1340d777fcfc78efcd85254660fd4a858fe10bd83464564cde7b12c01ebbcdb7a
SSDEEP: 6144:bgkc0c/OjocmHEk4Oz7XzoUdd9qkcM1E1nvwmtPEeJDCiRO9jEYMJD:bgkc0c/OjocmH5XXEUdd97t2Vvwm1Ee3
Malware Config
Extracted family: asyncrat
XieBroRAT-1.7
Default
C2: 127.0.0.1:8880
C2: 8079048a.e2.luyouxia.net:8880
gorousdwoqxqqq
delay: 1
install: false
install_folder: %AppData%
Signatures
Async RAT payload (1 IoC)
  resource: behavioral3/memory/848-59-0x000000001C5D0000-0x000000001C5E2000-memory.dmp, yara_rule: asyncrat
Blocklisted process makes network request (9 IoCs)
  process: powershell.exe (pid 848), flows 3, 4, 5, 7, 10, 14, 15, 16, 17
Suspicious behavior: EnumeratesProcesses (1 IoC)
  process: powershell.exe (pid 848)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  process: powershell.exe (pid 848), Token: SeDebugPrivilege (2 occurrences)
Downloads
memory/848-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp (filesize 8KB)
memory/848-55-0x000007FEF3D20000-0x000007FEF4743000-memory.dmp (filesize 10.1MB)
memory/848-56-0x000007FEF2F20000-0x000007FEF3A7D000-memory.dmp (filesize 11.4MB)
memory/848-57-0x0000000002544000-0x0000000002547000-memory.dmp (filesize 12KB)
memory/848-58-0x000000000254B000-0x000000000256A000-memory.dmp (filesize 124KB)
memory/848-59-0x000000001C5D0000-0x000000001C5E2000-memory.dmp (filesize 72KB)
memory/848-60-0x000000001C560000-0x000000001C575000-memory.dmp (filesize 84KB)
memory/848-61-0x0000000002544000-0x0000000002547000-memory.dmp (filesize 12KB)
memory/848-62-0x000000000254B000-0x000000000256A000-memory.dmp (filesize 124KB)