Analysis Overview
SHA256
d3184c9b86460714706d3d522c89e5b53d74a386953d3dd9a59c4b7c6a9e10fc
Threat Level: Known bad
The file 3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-21 14:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-21 14:31
Reported
2023-03-21 14:33
Platform
win7-20230220-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1388 wrote to memory of 992 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe |
| PID 1388 wrote to memory of 992 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe |
| PID 1388 wrote to memory of 992 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe |
| PID 992 wrote to memory of 840 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 992 wrote to memory of 840 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 992 wrote to memory of 840 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.ps1
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &{$a='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$a($T))}
Network
Files
C:\ProgramData\Document\BT.vbs
| MD5 | f7da689911a44bf28a2908f1522267f6 |
| SHA1 | 8a07c961848dcbc095e22edeab099ef3f36ab2b6 |
| SHA256 | 60e6a5212c5d64aa96bcb296aeb044067a6c8910b39e84b6b36eec74c3a1d834 |
| SHA512 | 8dee32c503a4b516e8d8e4e8eefe3fb166c8abd4a49d294e583a5847030048fad0b2a90043252563d49a55978dad475ff6d5a4b215feed9b2b3d82a9b4674dbd |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a4536c1bbdc25d1a01c842448091ef41 |
| SHA1 | 9ead72cd183bf82737db8fca279003ac287d85a5 |
| SHA256 | 93edadef0c6deb59e065d8a4a7aa01cf2baebe84c5b385180218574c6e55af2a |
| SHA512 | db906977bb434883593fd405701794d322961b567a87520f14b603d19361cd8d85478ac4265922b88edcc51238cac74accc1c44fac9cdd45eeb0f7e28f69aeba |
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-21 14:31
Reported
2023-03-21 14:33
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4680 set thread context of 4996 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.ps1
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &{$a='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$a($T))}
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\schtasks\Document.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Document\Loader.bat" "
C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -Execu"+"tionP"+"olicy"+" Bypass & 'C:\ProgramData\Document\Document.ps1'"", 0:close")
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\ProgramData\Document\Document.ps1'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | xxxprofxxx.dnsdojo.com | udp |
| NL | 185.252.178.121:5126 | xxxprofxxx.dnsdojo.com | tcp |
| US | 8.8.8.8:53 | 121.178.252.185.in-addr.arpa | udp |
| US | 52.168.112.67:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 50.4.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dnisl0qi.ry3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\ProgramData\Document\BT.vbs
| MD5 | f7da689911a44bf28a2908f1522267f6 |
| SHA1 | 8a07c961848dcbc095e22edeab099ef3f36ab2b6 |
| SHA256 | 60e6a5212c5d64aa96bcb296aeb044067a6c8910b39e84b6b36eec74c3a1d834 |
| SHA512 | 8dee32c503a4b516e8d8e4e8eefe3fb166c8abd4a49d294e583a5847030048fad0b2a90043252563d49a55978dad475ff6d5a4b215feed9b2b3d82a9b4674dbd |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 223bd4ae02766ddc32e6145fd1a29301 |
| SHA1 | 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b |
| SHA256 | 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e |
| SHA512 | 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5161e9d6b9b677b7af6e5bb11a361b91 |
| SHA1 | 9fe0a04c2bb86467b9aa584c78db4fc7eccfdd42 |
| SHA256 | addb0aa038e121d21d7b4bd4ba49316c05294a582cb430eb37ce3925324bd3d0 |
| SHA512 | 95b4a85b4240145d35f1f14bc07ee87b597d484935599f898074be16a7bfcc6fdb36e31e5afedac1c83bdbcbf402c40a3573f2b3512ba521f3ad29fd503f7749 |
C:\ProgramData\Document\BT.ps1
| MD5 | 8d451fd494230dd4127b275966ba290f |
| SHA1 | 02c3e43b381cfd619cb3291eb493d4bda3f9ab12 |
| SHA256 | c2ffafbfb8579c34128f518f2b263bdfe4de13002d74ba59c880fb2759ca5557 |
| SHA512 | fb74663c62111fccb11e2590dfa5c429c54a68fec0be21ef84540191ffbc56656bfff4429fbe254a0fb8e9b11211130ff8c3ca4edbee25a8a4f149279be9238e |
C:\ProgramData\schtasks\Document.vbs
| MD5 | 3fdf59c6cc932ccfb273ee77a5338509 |
| SHA1 | dc0bfd3323aff0fdabd00f98496f30cb1a2aee5f |
| SHA256 | d8ded725a6dec74218c880a7c80c20755efecb0a8e3d82d5fae5963652c215e4 |
| SHA512 | e049dc02cc84139cd775fc1bfb901574b8fb2aff393a8da696f2602c8adda17bb0dfb62c19a31d8b15ade2179b5e54c41deacb3b01d785d1cb621dc0a0a0aa80 |
C:\ProgramData\Document\Loader.bat
| MD5 | 5674db0c1c30da598e7ffcba50057f44 |
| SHA1 | e9b1258a330801677de88eba3ddf91e8166b1c2b |
| SHA256 | 0ba464c177c823e5972072c92fd64d62891990dca76fbbea1938a3b143209dbe |
| SHA512 | d0228e02fd377de14ca89507907126897969a99a712f33bf9d5642317e670bd8c7cf9390cd5ec39b50a5947bfd67ef2d0b5b2b6629ef7c5c9c29ab87fd80698d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb4d127b8a6f84a1cee423c5e3e3a51d |
| SHA1 | c55263a8ff097067f2393ce2120801a445fd1949 |
| SHA256 | d73b077e2ae7f7608ebf774fb83ab13c7bc7a5c3e4d9d96fda2bf695dc698514 |
| SHA512 | 45a52004f8b63ac089de017437ba0e03335f18469942795d36ce3c3d017f842e582103c91e07d9af0fa8dfbbe6f2f68f2fac91383a48b6535952a8630911f21e |
C:\ProgramData\Document\Document.ps1
| MD5 | f70b15212eb48b388ce2d17676fcf92f |
| SHA1 | 3fa0b8f34b57e8cef40b9d9a75ad59257341e11a |
| SHA256 | de8557c41394ce43f86a6319df87ad76c409779e7c4dbaaea85a46bd592e27f9 |
| SHA512 | 3052bdef416c9abcb93066ce9a2a4f7e956bb7a6978c1be0e68f06d01ae572c4fbf47065c1384a26d4810f4dce172ac8cc9534223f10403829bd6966cf58bfda |