Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
21/03/2023, 14:31
Static task
static1
Behavioral task
behavioral1
Sample
3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.ps1
Resource
win7-20230220-en
General
-
Target
3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.ps1
-
Size
226KB
-
MD5
ca7205724f31290cdef29a7e0f0743d0
-
SHA1
e7dbb3b8bd7a31698f97a21b25cd03e67f8be91f
-
SHA256
3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d
-
SHA512
661e18b9d63c8ff1849f7b6ba81b5d44a68fc3e605c207d965a7e4841e244a114881a6f0ca77e1ad18fbef2d881327ea460333e27741521107bf2314e7b65c98
-
SSDEEP
1536:vNUP7fvRYjFYFWPApqqPDXdkSajySbVeJ+ARXqX3XXSX3XHCyyvL93yVxgQ51kIN:G+/mjLnfhUd3tNTrrD4Qzxu
Malware Config
Extracted
asyncrat
| Edit 3LOSH RAT
Default
xxxprofxxx.dnsdojo.com:5126
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/4996-189-0x0000000000400000-0x0000000000414000-memory.dmp asyncrat -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation mshta.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4680 set thread context of 4996 4680 powershell.exe 102 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2892 powershell.exe 2892 powershell.exe 1284 powershell.exe 1284 powershell.exe 4680 powershell.exe 4680 powershell.exe 4680 powershell.exe 4996 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2892 powershell.exe Token: SeDebugPrivilege 1284 powershell.exe Token: SeDebugPrivilege 4680 powershell.exe Token: SeDebugPrivilege 4996 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4996 RegSvcs.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 2892 wrote to memory of 3956 2892 powershell.exe 90 PID 2892 wrote to memory of 3956 2892 powershell.exe 90 PID 3956 wrote to memory of 1284 3956 WScript.exe 91 PID 3956 wrote to memory of 1284 3956 WScript.exe 91 PID 1284 wrote to memory of 2368 1284 powershell.exe 94 PID 1284 wrote to memory of 2368 1284 powershell.exe 94 PID 2368 wrote to memory of 3268 2368 WScript.exe 96 PID 2368 wrote to memory of 3268 2368 WScript.exe 96 PID 3268 wrote to memory of 4344 3268 cmd.exe 99 PID 3268 wrote to memory of 4344 3268 cmd.exe 99 PID 4344 wrote to memory of 4680 4344 mshta.exe 100 PID 4344 wrote to memory of 4680 4344 mshta.exe 100 PID 4680 wrote to memory of 4996 4680 powershell.exe 102 PID 4680 wrote to memory of 4996 4680 powershell.exe 102 PID 4680 wrote to memory of 4996 4680 powershell.exe 102 PID 4680 wrote to memory of 4996 4680 powershell.exe 102 PID 4680 wrote to memory of 4996 4680 powershell.exe 102 PID 4680 wrote to memory of 4996 4680 powershell.exe 102 PID 4680 wrote to memory of 4996 4680 powershell.exe 102 PID 4680 wrote to memory of 4996 4680 powershell.exe 102
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.ps11⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &{$a='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$a($T))}3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\schtasks\Document.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Document\Loader.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\system32\mshta.exemshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -Execu"+"tionP"+"olicy"+" Bypass & 'C:\ProgramData\Document\Document.ps1'"", 0:close")6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\ProgramData\Document\Document.ps1'7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4996
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
705B
MD58d451fd494230dd4127b275966ba290f
SHA102c3e43b381cfd619cb3291eb493d4bda3f9ab12
SHA256c2ffafbfb8579c34128f518f2b263bdfe4de13002d74ba59c880fb2759ca5557
SHA512fb74663c62111fccb11e2590dfa5c429c54a68fec0be21ef84540191ffbc56656bfff4429fbe254a0fb8e9b11211130ff8c3ca4edbee25a8a4f149279be9238e
-
Filesize
433B
MD5f7da689911a44bf28a2908f1522267f6
SHA18a07c961848dcbc095e22edeab099ef3f36ab2b6
SHA25660e6a5212c5d64aa96bcb296aeb044067a6c8910b39e84b6b36eec74c3a1d834
SHA5128dee32c503a4b516e8d8e4e8eefe3fb166c8abd4a49d294e583a5847030048fad0b2a90043252563d49a55978dad475ff6d5a4b215feed9b2b3d82a9b4674dbd
-
Filesize
222KB
MD5f70b15212eb48b388ce2d17676fcf92f
SHA13fa0b8f34b57e8cef40b9d9a75ad59257341e11a
SHA256de8557c41394ce43f86a6319df87ad76c409779e7c4dbaaea85a46bd592e27f9
SHA5123052bdef416c9abcb93066ce9a2a4f7e956bb7a6978c1be0e68f06d01ae572c4fbf47065c1384a26d4810f4dce172ac8cc9534223f10403829bd6966cf58bfda
-
Filesize
159B
MD55674db0c1c30da598e7ffcba50057f44
SHA1e9b1258a330801677de88eba3ddf91e8166b1c2b
SHA2560ba464c177c823e5972072c92fd64d62891990dca76fbbea1938a3b143209dbe
SHA512d0228e02fd377de14ca89507907126897969a99a712f33bf9d5642317e670bd8c7cf9390cd5ec39b50a5947bfd67ef2d0b5b2b6629ef7c5c9c29ab87fd80698d
-
Filesize
652B
MD53fdf59c6cc932ccfb273ee77a5338509
SHA1dc0bfd3323aff0fdabd00f98496f30cb1a2aee5f
SHA256d8ded725a6dec74218c880a7c80c20755efecb0a8e3d82d5fae5963652c215e4
SHA512e049dc02cc84139cd775fc1bfb901574b8fb2aff393a8da696f2602c8adda17bb0dfb62c19a31d8b15ade2179b5e54c41deacb3b01d785d1cb621dc0a0a0aa80
-
Filesize
3KB
MD5223bd4ae02766ddc32e6145fd1a29301
SHA1900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA2561022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
-
Filesize
1KB
MD55161e9d6b9b677b7af6e5bb11a361b91
SHA19fe0a04c2bb86467b9aa584c78db4fc7eccfdd42
SHA256addb0aa038e121d21d7b4bd4ba49316c05294a582cb430eb37ce3925324bd3d0
SHA51295b4a85b4240145d35f1f14bc07ee87b597d484935599f898074be16a7bfcc6fdb36e31e5afedac1c83bdbcbf402c40a3573f2b3512ba521f3ad29fd503f7749
-
Filesize
1KB
MD5eb4d127b8a6f84a1cee423c5e3e3a51d
SHA1c55263a8ff097067f2393ce2120801a445fd1949
SHA256d73b077e2ae7f7608ebf774fb83ab13c7bc7a5c3e4d9d96fda2bf695dc698514
SHA51245a52004f8b63ac089de017437ba0e03335f18469942795d36ce3c3d017f842e582103c91e07d9af0fa8dfbbe6f2f68f2fac91383a48b6535952a8630911f21e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82