Analysis

  • max time kernel
    122s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/03/2023, 13:26

General

  • Target
    3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.ps1
  • Size
    226KB
  • MD5
    ca7205724f31290cdef29a7e0f0743d0
  • SHA1
    e7dbb3b8bd7a31698f97a21b25cd03e67f8be91f
  • SHA256
    3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d
  • SHA512
    661e18b9d63c8ff1849f7b6ba81b5d44a68fc3e605c207d965a7e4841e244a114881a6f0ca77e1ad18fbef2d881327ea460333e27741521107bf2314e7b65c98
  • SSDEEP
    1536:vNUP7fvRYjFYFWPApqqPDXdkSajySbVeJ+ARXqX3XXSX3XHCyyvL93yVxgQ51kIN:G+/mjLnfhUd3tNTrrD4Qzxu

Score
10/10

Malware Config

Extracted

Family
asyncrat
Version
| Edit 3LOSH RAT
Botnet
Default
C2
xxxprofxxx.dnsdojo.com:5126
Mutex
AsyncMutex_6SI8OkPnk
Attributes
  • delay
    3
  • install
    false
  • install_folder
    %AppData%
aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.ps1
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3736
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &{$a='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$a($T))}
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4240
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ProgramData\schtasks\Document.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4576
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Document\Loader.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3512
            • C:\Windows\system32\mshta.exe
              mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -Execu"+"tionP"+"olicy"+" Bypass & 'C:\ProgramData\Document\Document.ps1'"", 0:close")
              6⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:3316
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\ProgramData\Document\Document.ps1'
                7⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2200
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  8⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:2860

Network


        Downloads

        • C:\ProgramData\Document\BT.ps1
          Filesize: 705B
          MD5: 8d451fd494230dd4127b275966ba290f
          SHA1: 02c3e43b381cfd619cb3291eb493d4bda3f9ab12
          SHA256: c2ffafbfb8579c34128f518f2b263bdfe4de13002d74ba59c880fb2759ca5557
          SHA512: fb74663c62111fccb11e2590dfa5c429c54a68fec0be21ef84540191ffbc56656bfff4429fbe254a0fb8e9b11211130ff8c3ca4edbee25a8a4f149279be9238e

        • C:\ProgramData\Document\BT.vbs
          Filesize: 433B
          MD5: f7da689911a44bf28a2908f1522267f6
          SHA1: 8a07c961848dcbc095e22edeab099ef3f36ab2b6
          SHA256: 60e6a5212c5d64aa96bcb296aeb044067a6c8910b39e84b6b36eec74c3a1d834
          SHA512: 8dee32c503a4b516e8d8e4e8eefe3fb166c8abd4a49d294e583a5847030048fad0b2a90043252563d49a55978dad475ff6d5a4b215feed9b2b3d82a9b4674dbd

        • C:\ProgramData\Document\Document.ps1
          Filesize: 222KB
          MD5: f70b15212eb48b388ce2d17676fcf92f
          SHA1: 3fa0b8f34b57e8cef40b9d9a75ad59257341e11a
          SHA256: de8557c41394ce43f86a6319df87ad76c409779e7c4dbaaea85a46bd592e27f9
          SHA512: 3052bdef416c9abcb93066ce9a2a4f7e956bb7a6978c1be0e68f06d01ae572c4fbf47065c1384a26d4810f4dce172ac8cc9534223f10403829bd6966cf58bfda

        • C:\ProgramData\Document\Loader.bat
          Filesize: 159B
          MD5: 5674db0c1c30da598e7ffcba50057f44
          SHA1: e9b1258a330801677de88eba3ddf91e8166b1c2b
          SHA256: 0ba464c177c823e5972072c92fd64d62891990dca76fbbea1938a3b143209dbe
          SHA512: d0228e02fd377de14ca89507907126897969a99a712f33bf9d5642317e670bd8c7cf9390cd5ec39b50a5947bfd67ef2d0b5b2b6629ef7c5c9c29ab87fd80698d

        • C:\ProgramData\schtasks\Document.vbs
          Filesize: 652B
          MD5: 3fdf59c6cc932ccfb273ee77a5338509
          SHA1: dc0bfd3323aff0fdabd00f98496f30cb1a2aee5f
          SHA256: d8ded725a6dec74218c880a7c80c20755efecb0a8e3d82d5fae5963652c215e4
          SHA512: e049dc02cc84139cd775fc1bfb901574b8fb2aff393a8da696f2602c8adda17bb0dfb62c19a31d8b15ade2179b5e54c41deacb3b01d785d1cb621dc0a0a0aa80

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize: 3KB
          MD5: 223bd4ae02766ddc32e6145fd1a29301
          SHA1: 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
          SHA256: 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
          SHA512: 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize: 1KB
          MD5: 5161e9d6b9b677b7af6e5bb11a361b91
          SHA1: 9fe0a04c2bb86467b9aa584c78db4fc7eccfdd42
          SHA256: addb0aa038e121d21d7b4bd4ba49316c05294a582cb430eb37ce3925324bd3d0
          SHA512: 95b4a85b4240145d35f1f14bc07ee87b597d484935599f898074be16a7bfcc6fdb36e31e5afedac1c83bdbcbf402c40a3573f2b3512ba521f3ad29fd503f7749

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize: 1KB
          MD5: 4d9d245058609d83f6256f0ee87930cb
          SHA1: 5e0f37247a8db6c07db14595269f5a1d227a95df
          SHA256: 2d64bd1b0e306594a1fbd5c72145c9dddcf2265f7bb353f296c2911d91c7131c
          SHA512: fe73ed1b788f88f0efc9e346223f3639bd7ba2b079f12a51676e975e55486cecd15fe09b2c86b4446c6621bb96058385cac2a34a96a578d1174f1e372684402f

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gbzf0dvd.5dz.ps1
          Filesize: 60B
          MD5: d17fe0a3f47be24a6453e9ef58c94641
          SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
          SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
          SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • memory/2200-188-0x00000199B6950000-0x00000199B6960000-memory.dmp
          Filesize: 64KB
        • memory/2200-186-0x00000199B6950000-0x00000199B6960000-memory.dmp
          Filesize: 64KB
        • memory/2200-187-0x00000199B6950000-0x00000199B6960000-memory.dmp
          Filesize: 64KB
        • memory/2860-192-0x00000000054D0000-0x00000000054E0000-memory.dmp
          Filesize: 64KB
        • memory/2860-190-0x0000000000400000-0x0000000000414000-memory.dmp
          Filesize: 80KB
        • memory/2860-198-0x00000000054D0000-0x00000000054E0000-memory.dmp
          Filesize: 64KB
        • memory/2860-197-0x0000000006400000-0x0000000006466000-memory.dmp
          Filesize: 408KB
        • memory/2860-196-0x00000000064A0000-0x000000000653C000-memory.dmp
          Filesize: 624KB
        • memory/2860-195-0x0000000005930000-0x000000000593A000-memory.dmp
          Filesize: 40KB
        • memory/2860-194-0x0000000005940000-0x00000000059D2000-memory.dmp
          Filesize: 584KB
        • memory/2860-193-0x0000000005D10000-0x00000000062B4000-memory.dmp
          Filesize: 5.6MB
        • memory/4240-169-0x000001436A770000-0x000001436A780000-memory.dmp
          Filesize: 64KB
        • memory/4240-167-0x000001436A770000-0x000001436A780000-memory.dmp
          Filesize: 64KB
        • memory/4240-170-0x000001436A770000-0x000001436A780000-memory.dmp
          Filesize: 64KB
        • memory/4396-154-0x000001541C7A0000-0x000001541C9BC000-memory.dmp
          Filesize: 2.1MB
        • memory/4396-133-0x0000015403470000-0x0000015403492000-memory.dmp
          Filesize: 136KB
        • memory/4396-143-0x000001541BA10000-0x000001541BA20000-memory.dmp
          Filesize: 64KB
        • memory/4396-145-0x000001541BA10000-0x000001541BA20000-memory.dmp
          Filesize: 64KB
        • memory/4396-144-0x000001541BA10000-0x000001541BA20000-memory.dmp
          Filesize: 64KB