Overview

overview

10

Static

static

import.ps1

windows7-x64

10

import.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2022 13:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    import.ps1

  • Size

    7.7MB

  • MD5

    aeeb7afa26cff3fff16e54c677056b73

  • SHA1

    28b0befdbfa2a3fc66b328756c7c6ac636336ec2

  • SHA256

    112f2f582654691ec17bd5dade694cca5d2447c53c9d6b3a668611907ceb1d52

  • SHA512

    8d51343705aa0bf078159acf5161356a7ea25fc5b134f86220de46728a4bb089c1667267480dbc314a121cb0180007cd6e9c451966f28d381347fffa74ae762d

  • SSDEEP

    24576:cfn0m/OPb9o/Ha4KZZQLFq487s/0H+VXQ5qDrtj6Bnoi4LD2/Qy4IyQr+KJn04vE:w

Score
10/10
asyncratdefaultevasionrattrojan

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

antivirus-ssl.myiphost.com:195

Mutex

AsyncMutex_6SI8OkLrx

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Async RAT payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\import.ps1
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\a.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Favorites\a.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:236
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\Favorites\b.ps1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3776
          • C:\Windows\system32\cmstp.exe
            "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\jw2xbdsy.inf
            5⤵
              PID:4536
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /tn administartor /sc minute /st 00:10 /tr C:\Users\Admin\Favorites\System.vbs
        2⤵
        • Creates scheduled task(s)
        PID:1280
    • C:\Windows\system32\mshta.exe
      mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd.exe /c start """""""" """"%USERPROFILE%\Favorites\Assembly.vbs"""""",0:close")
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\Favorites\Assembly.vbs"
        2⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:708
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\Assembly.vbs"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2396
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Favorites\x.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2160
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\Favorites\x.ps1
              5⤵
              • UAC bypass
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1300
    • C:\Windows\system32\mshta.exe
      mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""taskkill /IM cmstp.exe /F"", 0, true:close")
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Windows\System32\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /IM cmstp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2228
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\Favorites\System.vbs"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\micro.ps1
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2120
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\Favorites\System.vbs"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\micro.ps1
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          3⤵
            PID:4592
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1412
      • C:\Windows\System32\WScript.exe
        C:\Windows\System32\WScript.exe "C:\Users\Admin\Favorites\System.vbs"
        1⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3608
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\micro.ps1
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3020

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        556084f2c6d459c116a69d6fedcc4105

        SHA1

        633e89b9a1e77942d822d14de6708430a3944dbc

        SHA256

        88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

        SHA512

        0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        95e1c8db6eb5be60fa7c5f7ca36bfaed

        SHA1

        5b23544fe29ddd6f07852b4ff8971a5bf6c0fdf9

        SHA256

        3b3202f973ef9c0f477b91a022fd535a21e8b444279d8be34fcd16fccfe68a18

        SHA512

        de221bd9c8728434d7a463d7bc5123c5bc45362224b8e312abef60e2e89197cd9b77839df07069d663a483233d3395e9cd8b414d68c3b857eb9171d6d8a195db

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        50a8221b93fbd2628ac460dd408a9fc1

        SHA1

        7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

        SHA256

        46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

        SHA512

        27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        57866c0b343808442b8657c28107e5cd

        SHA1

        b131d901e867ca5a3de95ca3fc12b5a483137e31

        SHA256

        232e6e16bb2f27daa78c8f60a34e6b2da4314cc004487c0b5b8ed0563d82fb73

        SHA512

        45b9cb4901b36bb32ac1807a43f91b6e023a88ac3f92091051a0162bc275d21b850d6861f15caae188a8ac5c8d3fd9ef8cd8925afb230f4588208b1e449b59cc

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        e1fb26de120faadab3c093b78644964f

        SHA1

        bb587dd3b1ad8384b6d612bc4bb806f41562982f

        SHA256

        e1ce351162cae7e8671f980192da54b8440d309985687d8eef56fec0b3180a85

        SHA512

        6e4d18e9506e72f90aea0c93d190b9817566bbbfa2409c1ae6ca98c2b81f8a2bd4204270ce951444d49dfc85c9f1b913952afe6b8fceea918dd97006cf322518

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        4d444e4cd8a1f7d9c922d8f581fec35a

        SHA1

        5b260b1fc3c0d08ba8d7165a9e801ee2e0c1f50c

        SHA256

        0bcbe921e49d7e8ede4198c0f9e5577c3ee9e6514389b19de22bc5296935de52

        SHA512

        cdb484b89c2340955f35ea1d16ef5f5b96f1afb53143f413b714b512249e716fed0f9211c2638cd44862ac4b0e7c2f9d80e8868f2347023c3e65bb5a0a13825e

        Download Submit

      • C:\Users\Admin\Favorites\Assembly.vbs
        Filesize

        331B

        MD5

        66d268811c166c82aaef2f52450b0c73

        SHA1

        f7810c1003732c440b986718a8217dd733e88f74

        SHA256

        581df8170200c95d38ce78eba4e9942d47cad443bbc0148954e48df04eec3b34

        SHA512

        36de3a5f59ee7a531832ae7e43997a3019ad8a15b0d1b321e589a85d77af27dab80b90a0ef5c978c4fffcc4d32fe8d870f60e9cf3e5bff302e4292bfc6196830

        Download Submit

      • C:\Users\Admin\Favorites\System.vbs
        Filesize

        121B

        MD5

        dada8407cf4051919362d16a6d735cde

        SHA1

        8a2788926f97dbd59c99ad51b3383c59992c6c2e

        SHA256

        ee512a4266049b505b2b5c6c4c7bd66baadd37eda61bfe7f31f6cfcc1c955a77

        SHA512

        42c6b1fac8502e3b21cbd6cda11601afc55ca539db03667eec7c839bc33c70ed1a6aeba5a3c9684951143658b17183c2782bec8a0108b345c0ac2aebdaa8fc9f

        Download Submit

      • C:\Users\Admin\Favorites\UAC-B.dll
        Filesize

        11KB

        MD5

        cc6ba6fc273dbfbb5c9698c0cf4719b9

        SHA1

        a2b3433b728b0874ec69d8a629d5f0dd05c0946d

        SHA256

        320316cdda2aa0e8709472a2b8eb8debcd0f8bb6f9af4d4d4b3bc67068ceebe7

        SHA512

        fe2fe2f150fbf619dd7616c86c93a42446b7c915b92fb865971dcf7dd595c6483da7386ce40b99802dc0942068bd1703821e0e3b15a6ebe557619cf6fa413c61

        Download Submit

      • C:\Users\Admin\Favorites\a.bat
        Filesize

        86B

        MD5

        4625a049cd6ea721b706699ab3c36dff

        SHA1

        dbb82c9e8cb7bdcf617e7c4e158d031275b5ec24

        SHA256

        c751a3cb67ab1c75f1de6e24b7193123cc815524c538973110d1f6027da24dc0

        SHA512

        35674c3c1d6c449b3716ddf2ca8733e255a8f642723186a847694fb936b50a91e6bd7ab7f6edf1489592a583109739a4f0c12769823e2fc163860eeb7004b6c0

        Download Submit

      • C:\Users\Admin\Favorites\a.vbs
        Filesize

        485B

        MD5

        5ce49e20c572f2b6d4b43fc61a6906ec

        SHA1

        170185b8ab9fc4749f28e5796999c23b50be89dc

        SHA256

        d6a43aad0aa8e510f01409921c8b0b5c8d93d51d1f7f39340db775c164686412

        SHA512

        c49e14c094e4d5e108aa50889a9fb06428a3d7a1f74d868c9b7d37f35658a64ea205b00681ad83aef428113fdf6fead8ef98dd1e6b38d84b8306765025c2e8e3

        Download Submit

      • C:\Users\Admin\Favorites\b.ps1
        Filesize

        173B

        MD5

        e1d9cbc41ffacef02695df17824a82e0

        SHA1

        970ae087b8a3d11fb3e2a9b8de1592a166436fa7

        SHA256

        61571d1fd0000c02eef19b7dd6e452e2f9eba2e947f4c96d781e79d35802043f

        SHA512

        3b4034b2072a309adeb1af8b540023791262915f4b1347f4aa27f8aedcbbb6e1126c1a4d5f1db1ce2ad5638d24d7ba3025a8451c291241db2f2a99b0832f620a

        Download Submit

      • C:\Users\Admin\Favorites\micro.ps1
        Filesize

        889KB

        MD5

        6aebe5e40338074dcdf1a2fdf5ec052c

        SHA1

        0affad0eab774562a022100f11c367e83b72c4b2

        SHA256

        03b5c1eab769693201ca761bd2050ddd7bad82925fa19015701560aa05e5c296

        SHA512

        7f7ac71e80557184ea78f75d1f436a9f4808e4f0bf555fe6fd4a924b1f982931c0c8a7345df6df717fe99b60534e948e5994acdeab172c5a778ecdf99eda4774

        Download Submit

      • C:\Users\Admin\Favorites\micro.ps1
        Filesize

        444KB

        MD5

        33e535c339dfe5328e4f6244151a6938

        SHA1

        24da1a168d3196928278d737cb01e6ddb3958e7f

        SHA256

        6e55e21f7d21c41dc3635782947a3bcbb60ebf8e047048bcac537150c28f4735

        SHA512

        81a764be599c62f11767cb5a23bc7dd3ed91ec1640c8de16504523921829c7f000491b19728c74a0ea074d501fe582e6eb1048ccc55e632b0d6163daccda3122

        Download Submit

      • C:\Users\Admin\Favorites\x.bat
        Filesize

        86B

        MD5

        03fc58bceab448c9f183fbe86fed1f11

        SHA1

        07f3d54b0b40755e8f58f5fdab95049def6578e3

        SHA256

        6062f0e764ccd855b61ba49720065dfd6f6c6864c4eb1e9dce95ba8a293fd756

        SHA512

        c0e9aec7a6c5aaae3b018d44f1fbdc1939026ce16fad20211a0521e3db9e470d842508b7d2167672e1585bafeb4b2f1fe694ca96ddb9137ff9e5d3b4ca53ea4f

        Download Submit

      • C:\Users\Admin\Favorites\x.ps1
        Filesize

        567B

        MD5

        e9859d3134c68db3134a6ca7df484344

        SHA1

        f4eec5ee9aa11a82d19bdb78a174c574669fd1d8

        SHA256

        a4aaf6c64969788732b20c79c1299719b84a52eddda13778a672195bbfba4a6c

        SHA512

        47982ddf074418c350790f5f7d53edddbbb47e7768939ebf88f4812b01f241c8bff509dbd9a8e6232eb6ec7f8b0344a1a59474ea45da0c80af9f04ba21498cdb

        Download Submit

      • C:\Windows\temp\jw2xbdsy.inf
        Filesize

        834B

        MD5

        09c0056318d62ee84963c66ae83d6c1b

        SHA1

        625936963d4a0059daff7222a1628198be9b7a4f

        SHA256

        25b2a55bade39fe6d90e0fb06068062a95af522f62d743454ffa4ddd478781d8

        SHA512

        b03301fcafbc905ac7724b5ee878208c4c7dc039b02edcfc00e51742c868ab4cf3f830dbbe52b314ee24f8d87f39b6c9eb3e6c188ddc75a9b52f7dfab85cb2d0

        Download Submit

      • memory/236-138-0x0000000000000000-mapping.dmp

        Download

      • memory/708-150-0x0000000000000000-mapping.dmp

        Download

      • memory/1280-135-0x0000000000000000-mapping.dmp

        Download

      • memory/1300-155-0x0000000000000000-mapping.dmp

        Download

      • memory/1300-160-0x00007FFD3FA00000-0x00007FFD404C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1300-161-0x00007FFD3FA00000-0x00007FFD404C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1412-173-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1412-178-0x0000000005D70000-0x0000000005DD6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1412-177-0x0000000006320000-0x00000000068C4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1412-176-0x0000000005CD0000-0x0000000005D6C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1412-174-0x000000000040DF2E-mapping.dmp

        Download

      • memory/2040-168-0x0000000000000000-mapping.dmp

        Download

      • memory/2040-175-0x00007FFD40AC0000-0x00007FFD41581000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2040-172-0x00007FFD40AC0000-0x00007FFD41581000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2040-171-0x00007FFD40AC0000-0x00007FFD41581000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2120-163-0x0000000000000000-mapping.dmp

        Download

      • memory/2120-166-0x00007FFD41670000-0x00007FFD42131000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2120-167-0x00007FFD41670000-0x00007FFD42131000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2160-154-0x0000000000000000-mapping.dmp

        Download

      • memory/2228-159-0x0000000000000000-mapping.dmp

        Download

      • memory/2396-152-0x0000000000000000-mapping.dmp

        Download

      • memory/2864-132-0x00000232513F0000-0x0000023251412000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2864-133-0x00007FFD41540000-0x00007FFD42001000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2864-139-0x00007FFD41540000-0x00007FFD42001000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3020-179-0x0000000000000000-mapping.dmp

        Download

      • memory/3776-145-0x00007FFD41540000-0x00007FFD42001000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3776-148-0x00007FFD41540000-0x00007FFD42001000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3776-140-0x0000000000000000-mapping.dmp

        Download

      • memory/3972-134-0x0000000000000000-mapping.dmp

        Download

      • memory/4536-146-0x0000000000000000-mapping.dmp

        Download