Analysis Overview
SHA256
3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d
Threat Level: Known bad
The file ca7205724f31290cdef29a7e0f0743d0.bin was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-21 01:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-21 01:24
Reported
2023-03-21 01:27
Platform
win7-20230220-en
Max time kernel
31s
Max time network
33s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1424 wrote to memory of 468 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe |
| PID 1424 wrote to memory of 468 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe |
| PID 1424 wrote to memory of 468 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe |
| PID 468 wrote to memory of 1500 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 468 wrote to memory of 1500 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 468 wrote to memory of 1500 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ca7205724f31290cdef29a7e0f0743d0.ps1
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &{$a='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$a($T))}
Network
Files
memory/1424-58-0x000000001B0C0000-0x000000001B3A2000-memory.dmp
memory/1424-59-0x0000000002020000-0x0000000002028000-memory.dmp
memory/1424-60-0x00000000025C0000-0x0000000002640000-memory.dmp
memory/1424-61-0x00000000025C0000-0x0000000002640000-memory.dmp
memory/1424-62-0x00000000025C0000-0x0000000002640000-memory.dmp
memory/1424-63-0x00000000025C0000-0x0000000002640000-memory.dmp
C:\ProgramData\Document\BT.vbs
| MD5 | f7da689911a44bf28a2908f1522267f6 |
| SHA1 | 8a07c961848dcbc095e22edeab099ef3f36ab2b6 |
| SHA256 | 60e6a5212c5d64aa96bcb296aeb044067a6c8910b39e84b6b36eec74c3a1d834 |
| SHA512 | 8dee32c503a4b516e8d8e4e8eefe3fb166c8abd4a49d294e583a5847030048fad0b2a90043252563d49a55978dad475ff6d5a4b215feed9b2b3d82a9b4674dbd |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 066bbfb429fcd13827c5742f31c6b4f1 |
| SHA1 | e0d2a4e7de3ec6fec146cc762ce18330e366bd65 |
| SHA256 | 537e7bdd396f377d9741b091141f349ad64eaebdcda0a46b5f71ae9b8cf33ac9 |
| SHA512 | d7a846d841a55e511298655fbe4e3c890840e16e5d51b7cad2205d6bf83c77423f8f9db63c5cbb48a0053c6a271ebb5425ad815d46a8a20c61a3a2897dcc35f2 |
memory/1500-76-0x000000001B000000-0x000000001B2E2000-memory.dmp
memory/1500-78-0x0000000002490000-0x0000000002498000-memory.dmp
memory/1500-79-0x0000000002620000-0x00000000026A0000-memory.dmp
memory/1500-80-0x0000000002620000-0x00000000026A0000-memory.dmp
memory/1500-77-0x0000000002620000-0x00000000026A0000-memory.dmp
memory/1500-81-0x000000000262B000-0x0000000002662000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-21 01:24
Reported
2023-03-21 01:27
Platform
win10v2004-20230220-en
Max time kernel
80s
Max time network
150s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3816 set thread context of 4444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ca7205724f31290cdef29a7e0f0743d0.ps1
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &{$a='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$a($T))}
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\schtasks\Document.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Document\Loader.bat" "
C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -Execu"+"tionP"+"olicy"+" Bypass & 'C:\ProgramData\Document\Document.ps1'"", 0:close")
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\ProgramData\Document\Document.ps1'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.145.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xxxprofxxx.dnsdojo.com | udp |
| NL | 185.252.178.121:5126 | xxxprofxxx.dnsdojo.com | tcp |
| US | 8.8.8.8:53 | 121.178.252.185.in-addr.arpa | udp |
| NL | 52.178.17.2:443 | | tcp |
| US | 8.248.3.254:80 | | tcp |
| US | 8.248.3.254:80 | | tcp |
| US | 8.8.8.8:53 | 113.238.32.23.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 8.248.3.254:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1utw3l1t.hln.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4252-142-0x0000027981E20000-0x0000027981E42000-memory.dmp
memory/4252-143-0x000002799A490000-0x000002799A4A0000-memory.dmp
memory/4252-144-0x000002799A490000-0x000002799A4A0000-memory.dmp
memory/4252-145-0x000002799A490000-0x000002799A4A0000-memory.dmp
C:\ProgramData\Document\BT.vbs
| MD5 | f7da689911a44bf28a2908f1522267f6 |
| SHA1 | 8a07c961848dcbc095e22edeab099ef3f36ab2b6 |
| SHA256 | 60e6a5212c5d64aa96bcb296aeb044067a6c8910b39e84b6b36eec74c3a1d834 |
| SHA512 | 8dee32c503a4b516e8d8e4e8eefe3fb166c8abd4a49d294e583a5847030048fad0b2a90043252563d49a55978dad475ff6d5a4b215feed9b2b3d82a9b4674dbd |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 223bd4ae02766ddc32e6145fd1a29301 |
| SHA1 | 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b |
| SHA256 | 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e |
| SHA512 | 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 27fdb1beb89b56345e585d480be3026b |
| SHA1 | 2626e41ca27668518d01c04e1579f77027ff31a1 |
| SHA256 | ef8cd66cc241c6d899919ae6f8369334b20202bd4ad49acfa546d29300c533d2 |
| SHA512 | bd8208c8763ad8a6c25b6363b8e0e2a3c694e4e0cabfe4ce5d40945bd1f4274b7da976997f825e95c4455bf6b2e20b5bd960609b172f7c70d3521cb2ab24d49a |
memory/3804-167-0x0000021032570000-0x0000021032580000-memory.dmp
memory/3804-166-0x0000021032570000-0x0000021032580000-memory.dmp
memory/3804-169-0x0000021032570000-0x0000021032580000-memory.dmp
C:\ProgramData\Document\BT.ps1
| MD5 | 8d451fd494230dd4127b275966ba290f |
| SHA1 | 02c3e43b381cfd619cb3291eb493d4bda3f9ab12 |
| SHA256 | c2ffafbfb8579c34128f518f2b263bdfe4de13002d74ba59c880fb2759ca5557 |
| SHA512 | fb74663c62111fccb11e2590dfa5c429c54a68fec0be21ef84540191ffbc56656bfff4429fbe254a0fb8e9b11211130ff8c3ca4edbee25a8a4f149279be9238e |
C:\ProgramData\schtasks\Document.vbs
| MD5 | 3fdf59c6cc932ccfb273ee77a5338509 |
| SHA1 | dc0bfd3323aff0fdabd00f98496f30cb1a2aee5f |
| SHA256 | d8ded725a6dec74218c880a7c80c20755efecb0a8e3d82d5fae5963652c215e4 |
| SHA512 | e049dc02cc84139cd775fc1bfb901574b8fb2aff393a8da696f2602c8adda17bb0dfb62c19a31d8b15ade2179b5e54c41deacb3b01d785d1cb621dc0a0a0aa80 |
C:\ProgramData\Document\Loader.bat
| MD5 | 5674db0c1c30da598e7ffcba50057f44 |
| SHA1 | e9b1258a330801677de88eba3ddf91e8166b1c2b |
| SHA256 | 0ba464c177c823e5972072c92fd64d62891990dca76fbbea1938a3b143209dbe |
| SHA512 | d0228e02fd377de14ca89507907126897969a99a712f33bf9d5642317e670bd8c7cf9390cd5ec39b50a5947bfd67ef2d0b5b2b6629ef7c5c9c29ab87fd80698d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4d9d245058609d83f6256f0ee87930cb |
| SHA1 | 5e0f37247a8db6c07db14595269f5a1d227a95df |
| SHA256 | 2d64bd1b0e306594a1fbd5c72145c9dddcf2265f7bb353f296c2911d91c7131c |
| SHA512 | fe73ed1b788f88f0efc9e346223f3639bd7ba2b079f12a51676e975e55486cecd15fe09b2c86b4446c6621bb96058385cac2a34a96a578d1174f1e372684402f |
C:\ProgramData\Document\Document.ps1
| MD5 | f70b15212eb48b388ce2d17676fcf92f |
| SHA1 | 3fa0b8f34b57e8cef40b9d9a75ad59257341e11a |
| SHA256 | de8557c41394ce43f86a6319df87ad76c409779e7c4dbaaea85a46bd592e27f9 |
| SHA512 | 3052bdef416c9abcb93066ce9a2a4f7e956bb7a6978c1be0e68f06d01ae572c4fbf47065c1384a26d4810f4dce172ac8cc9534223f10403829bd6966cf58bfda |
memory/3816-186-0x0000016FB3420000-0x0000016FB3430000-memory.dmp
memory/3816-187-0x0000016FB3420000-0x0000016FB3430000-memory.dmp
memory/3816-188-0x0000016FB3420000-0x0000016FB3430000-memory.dmp
memory/4444-189-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4444-191-0x0000000005450000-0x0000000005460000-memory.dmp
memory/4444-192-0x0000000005D30000-0x00000000062D4000-memory.dmp
memory/4444-193-0x0000000005970000-0x0000000005A02000-memory.dmp
memory/4444-194-0x0000000005960000-0x000000000596A000-memory.dmp
memory/4444-195-0x00000000064C0000-0x000000000655C000-memory.dmp
memory/4444-196-0x0000000006560000-0x00000000065C6000-memory.dmp
memory/4444-197-0x0000000005450000-0x0000000005460000-memory.dmp