Overview

overview

10

Static

static

1

moos2.ps1

windows7-x64

10

moos2.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-03-2023 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    moos2.ps1

  • Size

    689KB

  • MD5

    5df47d50e52c1cdb011c12bfe2ed1203

  • SHA1

    587b8357692cf1801a4aed650f5965ed5ee7337c

  • SHA256

    d623550382d57e1f3b8a521f00d4f05179da3073ac07d4ccaf4ced2999afc18b

  • SHA512

    096b87351742ab9598b8db72f889d1e75248a4c00e3bf5d4d0bd1ca048b023b9df5d412c3bb4354325f987830e2b795b623f22b766508ef89ccdbf0dd21729e5

  • SSDEEP

    1536:zJ7guVMqP/wdjeE4+vTrDLq4m/R6p0mZEWF7L9nGuWsMwAZJffqWyaUUhmQv/2sy:a

Score
10/10
asyncratcairopersistencerat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Cairo

C2

admincairo.linkpc.net:7707

Mutex

AsyncMutex_move

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Async RAT payload 1 IoCs
    rat
  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\moos2.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.vbs"
        3⤵
          PID:4100
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.bat
      1⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4008
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:2428
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:3544
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\YPSPPQWKQDKPVWZHQCIIQZ.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\YPSPPQWKQDKPVWZHQCIIQZ.ps1'"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4412
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:2100

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.bat
      Filesize

      706B

      MD5

      9999b95750b6f959dd0c3d4c7954f0ee

      SHA1

      22c4a26421cca8e30640ba82e0ef8b15d2a6237e

      SHA256

      9e728f939da712b6b01a3fab1965e4ae4c4f5cb58a25c948d29cf3c8dcc1dab3

      SHA512

      216408cc11036e3e62751962a850f53051e3804fdcc58ccd82b78d94952101bed9cae208e65508b167cfe2a6e71d045bd7daf391f39223c3029a65b2916eef88

      Download Submit
    • C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.ps1
      Filesize

      3KB

      MD5

      4aa84ac8d8e1cb6f117e22afa522c7db

      SHA1

      7a8b3f44f002409efff5a108be66018547879531

      SHA256

      97cb4dd1f0737cf5628bcf0fe1ab310765ba991b00a5520d53e1b1afef0e874b

      SHA512

      b88a472648e2a9810b1f57a62414055a947549b8645f2bf407404ed69c2b8043b942ef775050791bd482ab0b13ee6192e3b638eef77cd9c4fdec3e08ae306cca

      Download Submit
    • C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.vbs
      Filesize

      1KB

      MD5

      ffe187f86e83d51950c02f4dbbaa90f8

      SHA1

      b95682b36a27379ccd792d27a16967e881f4646d

      SHA256

      9bf3960d7875ec6f1547a480bc22dd0040d715620377422ca3aef9f0536ea093

      SHA512

      e6bac9e3c25707fef9ea7491bd69428fa2ee322bbc40e9b024fbb217120163dbb1e937f59bfd51e96f887fbc944aba3d3c59e8600900a1443733cd52af7db026

      Download Submit
    • C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\YPSPPQWKQDKPVWZHQCIIQZ.ps1
      Filesize

      680KB

      MD5

      a0a0a7ebc8ad48aaf27cd5bcc77e387c

      SHA1

      3d84c33469f32a6bdc6158e36d5961d41de36600

      SHA256

      ad0d6f8a3e0d461e59b6288f417092e3f9d4f39706f51711d5597708d187117c

      SHA512

      1f74b19ebf00756dcc80c8381cd2a3f920731a69158752620a58b18acf3879f26abbc8e1931adcba2afd25639cf618fb3f9643871460bbbe0897f047e73e660e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      00e7da020005370a518c26d5deb40691

      SHA1

      389b34fdb01997f1de74a5a2be0ff656280c0432

      SHA256

      a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

      SHA512

      9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      d336b18e0e02e045650ac4f24c7ecaa7

      SHA1

      87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

      SHA256

      87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

      SHA512

      e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      da5a45340bd140723c660f8c120f1469

      SHA1

      fd225641236193a28d9ec5a07cb1c6f038df9888

      SHA256

      1f800b60f4bce8a0ca60d2b93b47c86429d7a4dc951dcfeeee5fc836da8c2df8

      SHA512

      264521794d1c958ec43feaaa4f04a210347c8f2a525ea933cc600473f62085b1dbd34e90b99c994d4f6f0455fc46c25a4220f4459db7cd84105436a1bc2c5da1

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      235a8eb126d835efb2e253459ab8b089

      SHA1

      293fbf68e6726a5a230c3a42624c01899e35a89f

      SHA256

      5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

      SHA512

      a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lirq13lf.y4r.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • memory/2100-243-0x0000000004F70000-0x0000000004F80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2100-237-0x0000000004F70000-0x0000000004F80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2100-238-0x0000000005970000-0x0000000005F14000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2100-239-0x00000000055B0000-0x0000000005642000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2100-240-0x0000000005590000-0x000000000559A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2100-232-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/2100-241-0x0000000006100000-0x000000000619C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2100-242-0x0000000006060000-0x00000000060C6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2268-194-0x0000012BF0BA0000-0x0000012BF0BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2268-196-0x0000012BF0BA0000-0x0000012BF0BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2268-195-0x0000012BF0BA0000-0x0000012BF0BB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2672-150-0x000002722A6C0000-0x000002722A6D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2672-142-0x000002722D560000-0x000002722D582000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2672-144-0x000002722A6C0000-0x000002722A6D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2672-143-0x000002722A6C0000-0x000002722A6D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2672-148-0x000002722A6C0000-0x000002722A6D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2672-149-0x000002722A6C0000-0x000002722A6D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4052-165-0x0000024BFF7C0000-0x0000024BFF7D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4052-164-0x0000024BFF7C0000-0x0000024BFF7D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4052-163-0x0000024BFF7C0000-0x0000024BFF7D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4412-205-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-217-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-219-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-221-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-223-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-225-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-227-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-229-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-231-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-215-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-213-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-211-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-209-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-207-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-203-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-201-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-199-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-198-0x0000029175CD0000-0x0000029175CF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4412-197-0x0000029175D70000-0x0000029175D80000-memory.dmp
      Filesize

      64KB

      Download