Overview

overview

10

Static

static

1

390Z21.ps1

windows7-x64

3

390Z21.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2023 13:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    390Z21.ps1

  • Size

    206KB

  • MD5

    7f42335561e2adb6a744f1dcb02b1505

  • SHA1

    415e34780b8e144c28995e611117d7d0182f3b22

  • SHA256

    c671d25e21e83929c1853e697f29b0e8ed3b69edc6add61d4d8b8bc2018afe14

  • SHA512

    442c90c2f926480beb001ed1ae45bf4f9893988d135367bf51c1a8ab7f27e4a11cbec1a9fea5f6897c1dc15cbc33fa7e0f027199c281107e7c5536a63aa2058c

  • SSDEEP

    3072:RO2MjmUvLcSRr0zELowmGcAK3ApfJo74Pda:RpMjbYYowmGcAK3Apxm1

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

185.81.157.244:6601

Mutex

AsyncMutex_6S181I8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\390Z21.ps1
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$BLNLS='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$BLNLS($T))}
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4984
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ProgramData\schtasks\Document.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2400
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Document\Loader.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3572
            • C:\Windows\system32\mshta.exe
              mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powe"+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+"rshell -Execu"+"tionP"+"olicy"+" Bypass & 'C:\ProgramData\Document\Document.ps1'"", 0:close")
              6⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:2164
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\ProgramData\Document\Document.ps1'
                7⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1236
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  8⤵
                    PID:1684
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    8⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1936

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Document\BT.ps1
      Filesize

      822B

      MD5

      a185048be8e4dcc4af37a21033364350

      SHA1

      6203dd67cf4e9958d52fe7fb8dd34e2364416046

      SHA256

      3311eb6e7226e8e21c3ae7b3f29c9859d0be7b10736cb3883d5c453f59a41583

      SHA512

      75b51d7cadfcd656d92431848809f62e3c902f20ddd36665eec41d92d622b62f4830b04094052df9c7fb8b827b0dad8d4589dbacb1e5c4bee65bbbc794c7d32c

      Download Submit
    • C:\ProgramData\Document\BT.vbs
      Filesize

      482B

      MD5

      d81d9785f8a33a52adbf7761bb81483c

      SHA1

      c7f97c27e4ad633369c9eca1be36335356486727

      SHA256

      cd30619863fb29e056c285521902eda2d820052f5cbc7a5d92ad331eab6460c4

      SHA512

      0c08b68c6b64a57ba4494e20b5c840f3f013aa2873d03aa1d2a017c707614479afe024cfd1cdde17851d0f36cfc34a895eea1e41d4a4118067ec366c19bf41cf

      Download Submit
    • C:\ProgramData\Document\Document.ps1
      Filesize

      202KB

      MD5

      6e7968ef23d12120b090badbb5ab6c68

      SHA1

      a15cf14da3192a7e64fbd0e9ea90ad2c2ab03f18

      SHA256

      05593d5c9e42cc15217ca2db5c27a955aa2cedae87c9471b2181aad36ca8edaa

      SHA512

      8d120fd8859ff68103a35fb342c799045cda3f92a039b844cfab18fd75f7a831afca2b95e68aadf864207b46eb40d8b96d5ba7fb44c2a1cf7d2c947fdcad929c

      Download Submit
    • C:\ProgramData\Document\Loader.bat
      Filesize

      276B

      MD5

      aaff07ba1501352dabd41d75b0e8bb4f

      SHA1

      d55ed9a18b657313801b7da2e2e5d79b1c0ae033

      SHA256

      b74497ce30b1a5e218bdad0bec6bd9ab24f38ab6881fa52c9f651f418bf6dc7a

      SHA512

      5afe35b094429427fd0c8e7194baa497d43c64a4d4a195e5789a145ab0ddc608a29e941f66d9dee2ded3e0253d501676c4632076bf6e5897383fc240a4d0f333

      Download Submit
    • C:\ProgramData\schtasks\Document.vbs
      Filesize

      652B

      MD5

      3fdf59c6cc932ccfb273ee77a5338509

      SHA1

      dc0bfd3323aff0fdabd00f98496f30cb1a2aee5f

      SHA256

      d8ded725a6dec74218c880a7c80c20755efecb0a8e3d82d5fae5963652c215e4

      SHA512

      e049dc02cc84139cd775fc1bfb901574b8fb2aff393a8da696f2602c8adda17bb0dfb62c19a31d8b15ade2179b5e54c41deacb3b01d785d1cb621dc0a0a0aa80

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      223bd4ae02766ddc32e6145fd1a29301

      SHA1

      900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

      SHA256

      1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

      SHA512

      648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      27fdb1beb89b56345e585d480be3026b

      SHA1

      2626e41ca27668518d01c04e1579f77027ff31a1

      SHA256

      ef8cd66cc241c6d899919ae6f8369334b20202bd4ad49acfa546d29300c533d2

      SHA512

      bd8208c8763ad8a6c25b6363b8e0e2a3c694e4e0cabfe4ce5d40945bd1f4274b7da976997f825e95c4455bf6b2e20b5bd960609b172f7c70d3521cb2ab24d49a

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      70595b5937369a2592a524db67e208d3

      SHA1

      d989b934d9388104189f365694e794835aa6f52f

      SHA256

      be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8

      SHA512

      edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_olm0lpyo.syo.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • memory/1236-186-0x000001C046290000-0x000001C0462A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1236-187-0x000001C046290000-0x000001C0462A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1484-138-0x000001B9A2040000-0x000001B9A2062000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1484-145-0x000001B985920000-0x000001B985930000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1484-144-0x000001B985920000-0x000001B985930000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1484-143-0x000001B985920000-0x000001B985930000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1936-192-0x0000000005CB0000-0x0000000005D42000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1936-188-0x0000000000400000-0x0000000000414000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1936-190-0x00000000056E0000-0x00000000056F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1936-191-0x0000000006070000-0x0000000006614000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1936-193-0x0000000005CA0000-0x0000000005CAA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1936-196-0x0000000006D40000-0x0000000006DDC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1936-197-0x0000000006DE0000-0x0000000006E46000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1936-198-0x00000000056E0000-0x00000000056F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4984-170-0x000001CE04C20000-0x000001CE04C30000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4984-162-0x000001CE04C20000-0x000001CE04C30000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4984-156-0x000001CE04C20000-0x000001CE04C30000-memory.dmp
      Filesize

      64KB

      Download