Overview

overview

10

Static

static

img.jpg.ps1

windows7-x64

5

img.jpg.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2022 07:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    img.jpg.ps1

  • Size

    771KB

  • MD5

    5ac2d245025afdd32eb83ee07c5eac2c

  • SHA1

    2d7afe2482c8b00f64a3c06f1991e9d31e5e4992

  • SHA256

    b1b279e81410d415a097e9cab59aa3a04728adf62095c99d1aee345b124d4b49

  • SHA512

    f27af8054d6898da00de2b999cb421f26307d46f6b64c041d617b84b7012cec872e7f827f0befe71464e2ee0644d606a20cf231bbab52de9af78b806778f00e3

  • SSDEEP

    3072:DWYU4444d444444444444444g44444444444444444K44444444444444449444a:D1/QImq4sn+kdnuzDT03ApT

Score
10/10
asyncratxrat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

x

C2

jok7oda.publicvm.com:7777

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\img.jpg.ps1
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Logs\install.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\Logs\install.ps1'))
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3924
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /tn det /sc minute /st 00:10 /tr C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs
          4⤵
          • Creates scheduled task(s)
          PID:2876
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 3 /tr C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs
          4⤵
          • Creates scheduled task(s)
          PID:2860
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\Logs\Report.ps1'))
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5072
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2772
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /delete /tn det /f
        3⤵
          PID:4100

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      223bd4ae02766ddc32e6145fd1a29301

      SHA1

      900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

      SHA256

      1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

      SHA512

      648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      27fdb1beb89b56345e585d480be3026b

      SHA1

      2626e41ca27668518d01c04e1579f77027ff31a1

      SHA256

      ef8cd66cc241c6d899919ae6f8369334b20202bd4ad49acfa546d29300c533d2

      SHA512

      bd8208c8763ad8a6c25b6363b8e0e2a3c694e4e0cabfe4ce5d40945bd1f4274b7da976997f825e95c4455bf6b2e20b5bd960609b172f7c70d3521cb2ab24d49a

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      055cd1930e45c3d77aa744d53bcc29d9

      SHA1

      af1464daf329f36930b71fb33119c61a13472b6d

      SHA256

      fcd4a469c653f6bd319b201326633c2183a70184bc159c071915a9c4abd92d3c

      SHA512

      00ee038f281f34c7d727b7d6d7734bdfc61ee742b33edc5f905adae6afa949b9a9da8c575d949e98b24b59005e469628e99f113e0fc612dc24bbba7f098fa65d

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs
      Filesize

      1KB

      MD5

      7a1f08fd27f797b5a5cc2d79f8f6bba7

      SHA1

      bd63d22c44ed12788a81cbc06b7c2bb91e0c338c

      SHA256

      922dc773abdfd0812b0e1adcaabf9dea2e5f0264573266cf0b024feb984c632e

      SHA512

      306649a84b7c57acb67d5baca1f288e9211028a19a2d9a2a331db59026d3c557a225eaaa4b325df9bc1bdf1cef2d823b1eadffaa40b6f1cf1d19ce5bfd77d449

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Logs\Report.ps1
      Filesize

      766KB

      MD5

      8d881e40488abde98aa11a3c098e491c

      SHA1

      379a8ce68bd5834e0df24b0dbcd22576d1cba800

      SHA256

      aa918a89a7f9b75ced739a879db39a7b3ba1e322f4871fd32f731661847aaf9b

      SHA512

      54106c664804e49d84a0398d9e0c60e076acf12e0a22646d0543d01684526b29125f9f8aa2120329b5aa4d8faa965bd197f541753c9985255ba8d1c5ff8860af

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Logs\install.ps1
      Filesize

      237B

      MD5

      6bdb23dd1842efaa701ced26bb8ae3a5

      SHA1

      67938eee711bca4d76581ad4ce157d1f197c97f8

      SHA256

      4e0c891ba520fc17f612e1d65b0549aea0533070237b7bc27ee36613e212429c

      SHA512

      16b5044b13b3c172f50c0dbfb11544750385c92144e1a2fe7dc3a3d18b361d722c72668eb11fcccecdc7dc4858f22383432515f7c9f3a353b04e52d3c4622c0e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Logs\install.vbs
      Filesize

      2KB

      MD5

      e35d96b22a7a748d8a85089ea37b003e

      SHA1

      6b91c72388ed718c5ea75d1bd31263c8cb466878

      SHA256

      06b9130d3e031c4729ad96332ed15189d5391b88f81c5bbb0f3a94ac4a05185a

      SHA512

      f45a67d4dc0338ba62cfd6413f7d02889a186b8893397f32df3c88dec903fd79c849ea38538aefead378db1ea2071a0a3b921d7f9fa35729ea71371c7a3d6809

      Download Submit
    • memory/224-134-0x0000000000000000-mapping.dmp
      Download
    • memory/2632-136-0x00007FF9C7460000-0x00007FF9C7F21000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2632-132-0x000001C2A0200000-0x000001C2A0222000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2632-133-0x00007FF9C7460000-0x00007FF9C7F21000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2772-155-0x0000000005980000-0x0000000005F24000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2772-152-0x00000000004107CE-mapping.dmp
      Download
    • memory/2772-156-0x00000000055C0000-0x0000000005652000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2772-159-0x0000000005810000-0x0000000005876000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2772-151-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/2772-158-0x0000000006170000-0x000000000620C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2772-157-0x00000000055A0000-0x00000000055AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2860-143-0x0000000000000000-mapping.dmp
      Download
    • memory/2876-142-0x0000000000000000-mapping.dmp
      Download
    • memory/3924-144-0x00007FF9C7460000-0x00007FF9C7F21000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3924-139-0x00007FF9C7460000-0x00007FF9C7F21000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3924-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4100-153-0x0000000000000000-mapping.dmp
      Download
    • memory/5072-154-0x00007FF9C7820000-0x00007FF9C82E1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5072-150-0x00007FF9C7820000-0x00007FF9C82E1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5072-149-0x00007FF9C7820000-0x00007FF9C82E1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5072-146-0x0000000000000000-mapping.dmp
      Download