Analysis
- max time kernel: 80s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/03/2023, 01:24
Static task: static1
Behavioral task: behavioral1
- Sample: ca7205724f31290cdef29a7e0f0743d0.ps1
- Resource: win7-20230220-en
General
- Target: ca7205724f31290cdef29a7e0f0743d0.ps1
- Size: 226KB
- MD5: ca7205724f31290cdef29a7e0f0743d0
- SHA1: e7dbb3b8bd7a31698f97a21b25cd03e67f8be91f
- SHA256: 3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d
- SHA512: 661e18b9d63c8ff1849f7b6ba81b5d44a68fc3e605c207d965a7e4841e244a114881a6f0ca77e1ad18fbef2d881327ea460333e27741521107bf2314e7b65c98
- SSDEEP: 1536:vNUP7fvRYjFYFWPApqqPDXdkSajySbVeJ+ARXqX3XXSX3XHCyyvL93yVxgQ51kIN:G+/mjLnfhUd3tNTrrD4Qzxu
Malware Config
Extracted
- Family: asyncrat
- Version: 3LOSH RAT
- Botnet: Default
- C2: xxxprofxxx.dnsdojo.com:5126
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  - delay: 3
  - install: false
  - install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  resource | yara_rule
  - behavioral2/memory/4444-189-0x0000000000400000-0x0000000000414000-memory.dmp | asyncrat
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  - Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | WScript.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | WScript.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | mshta.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  - PID 3816 set thread context of 4444 | 3816 | powershell.exe | 102
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  description | ioc | Process
  - Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | powershell.exe
  - Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | powershell.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | Process
  - 4252 | powershell.exe
  - 4252 | powershell.exe
  - 3804 | powershell.exe
  - 3804 | powershell.exe
  - 3816 | powershell.exe
  - 3816 | powershell.exe
  - 3816 | powershell.exe
  - 3816 | powershell.exe
  - 4444 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  - Token: SeDebugPrivilege | 4252 | powershell.exe
  - Token: SeDebugPrivilege | 3804 | powershell.exe
  - Token: SeDebugPrivilege | 3816 | powershell.exe
  - Token: SeDebugPrivilege | 4444 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  - 4444 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | Process | procid_target
  - PID 4252 wrote to memory of 3924 | 4252 | powershell.exe | 86
  - PID 4252 wrote to memory of 3924 | 4252 | powershell.exe | 86
  - PID 3924 wrote to memory of 3804 | 3924 | WScript.exe | 87
  - PID 3924 wrote to memory of 3804 | 3924 | WScript.exe | 87
  - PID 3804 wrote to memory of 3720 | 3804 | powershell.exe | 92
  - PID 3804 wrote to memory of 3720 | 3804 | powershell.exe | 92
  - PID 3720 wrote to memory of 1932 | 3720 | WScript.exe | 94
  - PID 3720 wrote to memory of 1932 | 3720 | WScript.exe | 94
  - PID 1932 wrote to memory of 3820 | 1932 | cmd.exe | 96
  - PID 1932 wrote to memory of 3820 | 1932 | cmd.exe | 96
  - PID 3820 wrote to memory of 3816 | 3820 | mshta.exe | 97
  - PID 3820 wrote to memory of 3816 | 3820 | mshta.exe | 97
  - PID 3816 wrote to memory of 2760 | 3816 | powershell.exe | 101
  - PID 3816 wrote to memory of 2760 | 3816 | powershell.exe | 101
  - PID 3816 wrote to memory of 2760 | 3816 | powershell.exe | 101
  - PID 3816 wrote to memory of 4444 | 3816 | powershell.exe | 102
  - PID 3816 wrote to memory of 4444 | 3816 | powershell.exe | 102
  - PID 3816 wrote to memory of 4444 | 3816 | powershell.exe | 102
  - PID 3816 wrote to memory of 4444 | 3816 | powershell.exe | 102
  - PID 3816 wrote to memory of 4444 | 3816 | powershell.exe | 102
  - PID 3816 wrote to memory of 4444 | 3816 | powershell.exe | 102
  - PID 3816 wrote to memory of 4444 | 3816 | powershell.exe | 102
  - PID 3816 wrote to memory of 4444 | 3816 | powershell.exe | 102
Processes (tree; depth in parentheses, each entry is a child of the previous one)
- (1) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ca7205724f31290cdef29a7e0f0743d0.ps1
  PID: 4252
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"
    PID: 3924
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &{$a='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$a($T))}
      PID: 3804
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - (4) C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\schtasks\Document.vbs"
        PID: 3720
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        - (5) C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Document\Loader.bat" "
          PID: 1932
          - Suspicious use of WriteProcessMemory
          - (6) C:\Windows\system32\mshta.exe
            Command line: mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -Execu"+"tionP"+"olicy"+" Bypass & 'C:\ProgramData\Document\Document.ps1'"", 0:close")
            PID: 3820
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
            - (7) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\ProgramData\Document\Document.ps1'
              PID: 3816
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - (8) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                PID: 2760
                (no signatures)
              - (8) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                PID: 4444
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 705B
  MD5: 8d451fd494230dd4127b275966ba290f
  SHA1: 02c3e43b381cfd619cb3291eb493d4bda3f9ab12
  SHA256: c2ffafbfb8579c34128f518f2b263bdfe4de13002d74ba59c880fb2759ca5557
  SHA512: fb74663c62111fccb11e2590dfa5c429c54a68fec0be21ef84540191ffbc56656bfff4429fbe254a0fb8e9b11211130ff8c3ca4edbee25a8a4f149279be9238e
- Filesize: 433B
  MD5: f7da689911a44bf28a2908f1522267f6
  SHA1: 8a07c961848dcbc095e22edeab099ef3f36ab2b6
  SHA256: 60e6a5212c5d64aa96bcb296aeb044067a6c8910b39e84b6b36eec74c3a1d834
  SHA512: 8dee32c503a4b516e8d8e4e8eefe3fb166c8abd4a49d294e583a5847030048fad0b2a90043252563d49a55978dad475ff6d5a4b215feed9b2b3d82a9b4674dbd
- Filesize: 222KB
  MD5: f70b15212eb48b388ce2d17676fcf92f
  SHA1: 3fa0b8f34b57e8cef40b9d9a75ad59257341e11a
  SHA256: de8557c41394ce43f86a6319df87ad76c409779e7c4dbaaea85a46bd592e27f9
  SHA512: 3052bdef416c9abcb93066ce9a2a4f7e956bb7a6978c1be0e68f06d01ae572c4fbf47065c1384a26d4810f4dce172ac8cc9534223f10403829bd6966cf58bfda
- Filesize: 159B
  MD5: 5674db0c1c30da598e7ffcba50057f44
  SHA1: e9b1258a330801677de88eba3ddf91e8166b1c2b
  SHA256: 0ba464c177c823e5972072c92fd64d62891990dca76fbbea1938a3b143209dbe
  SHA512: d0228e02fd377de14ca89507907126897969a99a712f33bf9d5642317e670bd8c7cf9390cd5ec39b50a5947bfd67ef2d0b5b2b6629ef7c5c9c29ab87fd80698d
- Filesize: 652B
  MD5: 3fdf59c6cc932ccfb273ee77a5338509
  SHA1: dc0bfd3323aff0fdabd00f98496f30cb1a2aee5f
  SHA256: d8ded725a6dec74218c880a7c80c20755efecb0a8e3d82d5fae5963652c215e4
  SHA512: e049dc02cc84139cd775fc1bfb901574b8fb2aff393a8da696f2602c8adda17bb0dfb62c19a31d8b15ade2179b5e54c41deacb3b01d785d1cb621dc0a0a0aa80
- Filesize: 3KB
  MD5: 223bd4ae02766ddc32e6145fd1a29301
  SHA1: 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
  SHA256: 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
  SHA512: 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
- Filesize: 1KB
  MD5: 27fdb1beb89b56345e585d480be3026b
  SHA1: 2626e41ca27668518d01c04e1579f77027ff31a1
  SHA256: ef8cd66cc241c6d899919ae6f8369334b20202bd4ad49acfa546d29300c533d2
  SHA512: bd8208c8763ad8a6c25b6363b8e0e2a3c694e4e0cabfe4ce5d40945bd1f4274b7da976997f825e95c4455bf6b2e20b5bd960609b172f7c70d3521cb2ab24d49a
- Filesize: 1KB
  MD5: 4d9d245058609d83f6256f0ee87930cb
  SHA1: 5e0f37247a8db6c07db14595269f5a1d227a95df
  SHA256: 2d64bd1b0e306594a1fbd5c72145c9dddcf2265f7bb353f296c2911d91c7131c
  SHA512: fe73ed1b788f88f0efc9e346223f3639bd7ba2b079f12a51676e975e55486cecd15fe09b2c86b4446c6621bb96058385cac2a34a96a578d1174f1e372684402f
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82