Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/05/2023, 05:34

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: B.ps1
- Resource: win7-20230220-en
General
- Target: B.ps1
- Size: 226KB
- MD5: fb299e0e8ae35692f1541b2912812184
- SHA1: 4ef1f2589e960b9645a8010920da2b1caacdd350
- SHA256: e2e4ce0315ef9f241c5d3ab09ccc9de3f8bd71f5388d8a4dd7fadd0a1110f266
- SHA512: ba36c4ad9721ad46f2cd56a819643ed4d01804d76952638c1f7842d745c10ca0e70be874ad5e6de504627c4210545247b9da9312574fb0fc658fe13032450863
- SSDEEP: 1536:FeMD10HxuHY05UIy4rpmLoKZqcxU7SHzqQHw7rRim3ve0pAGFBQDVWQIypsc8bIX:gk0t0iInKWQIyjdZaRMXYxr315+3ApA
Malware Config
Extracted
- Family: asyncrat (3LOSH RAT)
- Config: Default
- C2:
  - Modyhr.ddnsfree.com:6606
  - Modyhr.ddnsfree.com:7707
  - Modyhr.ddnsfree.com:8808
- Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/3672-173-0x0000000000400000-0x0000000000416000-memory.dmp | asyncrat
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | WScript.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2288 set thread context of 3672 | 2288 | powershell.exe | 99
  PID 4968 set thread context of 516 | 4968 | powershell.exe | 106
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2816 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | Process
  1052 | powershell.exe
  1052 | powershell.exe
  2288 | powershell.exe
  2288 | powershell.exe
  3672 | RegSvcs.exe
  4968 | powershell.exe
  4968 | powershell.exe
  4968 | powershell.exe
  4968 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1052 | powershell.exe
  Token: SeDebugPrivilege | 2288 | powershell.exe
  Token: SeDebugPrivilege | 3672 | RegSvcs.exe
  Token: SeDebugPrivilege | 4968 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3672 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  description | pid | Process | procid_target
  PID 1052 wrote to memory of 2816 | 1052 | powershell.exe | 90
  PID 1052 wrote to memory of 2816 | 1052 | powershell.exe | 90
  PID 964 wrote to memory of 3288 | 964 | WScript.exe | 95
  PID 964 wrote to memory of 3288 | 964 | WScript.exe | 95
  PID 3288 wrote to memory of 2368 | 3288 | cmd.exe | 97
  PID 3288 wrote to memory of 2368 | 3288 | cmd.exe | 97
  PID 2368 wrote to memory of 2288 | 2368 | cmd.exe | 98
  PID 2368 wrote to memory of 2288 | 2368 | cmd.exe | 98
  PID 2288 wrote to memory of 3672 | 2288 | powershell.exe | 99
  PID 2288 wrote to memory of 3672 | 2288 | powershell.exe | 99
  PID 2288 wrote to memory of 3672 | 2288 | powershell.exe | 99
  PID 2288 wrote to memory of 3672 | 2288 | powershell.exe | 99
  PID 2288 wrote to memory of 3672 | 2288 | powershell.exe | 99
  PID 2288 wrote to memory of 3672 | 2288 | powershell.exe | 99
  PID 2288 wrote to memory of 3672 | 2288 | powershell.exe | 99
  PID 2288 wrote to memory of 3672 | 2288 | powershell.exe | 99
  PID 4132 wrote to memory of 2868 | 4132 | WScript.exe | 101
  PID 4132 wrote to memory of 2868 | 4132 | WScript.exe | 101
  PID 2868 wrote to memory of 4484 | 2868 | cmd.exe | 103
  PID 2868 wrote to memory of 4484 | 2868 | cmd.exe | 103
  PID 4484 wrote to memory of 4968 | 4484 | cmd.exe | 104
  PID 4484 wrote to memory of 4968 | 4484 | cmd.exe | 104
  PID 4968 wrote to memory of 3880 | 4968 | powershell.exe | 105
  PID 4968 wrote to memory of 3880 | 4968 | powershell.exe | 105
  PID 4968 wrote to memory of 3880 | 4968 | powershell.exe | 105
  PID 4968 wrote to memory of 516 | 4968 | powershell.exe | 106
  PID 4968 wrote to memory of 516 | 4968 | powershell.exe | 106
  PID 4968 wrote to memory of 516 | 4968 | powershell.exe | 106
  PID 4968 wrote to memory of 516 | 4968 | powershell.exe | 106
  PID 4968 wrote to memory of 516 | 4968 | powershell.exe | 106
  PID 4968 wrote to memory of 516 | 4968 | powershell.exe | 106
  PID 4968 wrote to memory of 516 | 4968 | powershell.exe | 106
  PID 4968 wrote to memory of 516 | 4968 | powershell.exe | 106
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; nesting shows parent/child relationship)

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\B.ps1
  PID: 1052
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn Nothing /tr C:\ProgramData\Nothing\Nothing.vbs
    PID: 2816
    - Creates scheduled task(s)

- C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"
  PID: 964
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Nothing\1.bat" "
    PID: 3288
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
      PID: 2368
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
        PID: 2288
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 3672
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

- C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"
  PID: 4132
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Nothing\1.bat" "
    PID: 2868
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
      PID: 4484
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
        PID: 4968
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 3880
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 516

- C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"
  PID: 1968
Network
MITRE ATT&CK Enterprise v6
Downloads