Analysis
-
max time kernel
110s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted
01/05/2023, 05:07
Static task
static1
Behavioral task
behavioral1
Sample
t.ps1
Resource
win7-20230220-en
General
-
Target
t.ps1
-
Size
226KB
-
MD5
2e5964cc837e99181da8fbb1a72459f4
-
SHA1
554eccb95fd042e7b59ae59009e66c02d40bc606
-
SHA256
bf2d33230f6da074a70938e96042a56f340d26b34511ddd254e10a0293f746b6
-
SHA512
5f5a3b257260f752ce6b4be76df05784778bc1173f58bf540e05533ef2258fb57163089636fb8f9e46b0ab5e1677b049b8b75fa7622165d3ed2154e3230bee5c
-
SSDEEP
1536:eeMD10HxuHY05UIy4rpmLoKZqcxU7SHzqQHw7rRim3ve0pAGFBQDVWQIypscdLNk:1k0t0iInKWQIyj37vB1rsz131513ApG
Malware Config
Extracted
asyncrat
| Edit 3LOSH RAT
Default
alertgeeks.ddnsfree.com:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Async RAT payload 1 IoCs
resource
behavioral2/memory/2812-173-0x0000000000400000-0x0000000000416000-memory.dmp
yara_rule
asyncrat
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 3500 set thread context of 2812 | 3500 | powershell.exe | 92
PID 2816 set thread context of 4928 | 2816 | powershell.exe | 98
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 660 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid | Process
2172 | powershell.exe (2 entries)
3500 | powershell.exe (6 entries)
2812 | RegSvcs.exe (1 entry)
2816 | powershell.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 3500 | powershell.exe
Token: SeDebugPrivilege | 2812 | RegSvcs.exe
Token: SeDebugPrivilege | 2816 | powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2812 RegSvcs.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target
PID 2172 wrote to memory of 660 | 2172 | powershell.exe | 84 (2 entries)
PID 224 wrote to memory of 3360 | 224 | WScript.exe | 86 (2 entries)
PID 3360 wrote to memory of 4028 | 3360 | cmd.exe | 88 (2 entries)
PID 4028 wrote to memory of 3500 | 4028 | cmd.exe | 89 (2 entries)
PID 3500 wrote to memory of 4500 | 3500 | powershell.exe | 90 (3 entries)
PID 3500 wrote to memory of 2372 | 3500 | powershell.exe | 91 (3 entries)
PID 3500 wrote to memory of 2812 | 3500 | powershell.exe | 92 (8 entries)
PID 5116 wrote to memory of 2960 | 5116 | WScript.exe | 94 (2 entries)
PID 2960 wrote to memory of 4448 | 2960 | cmd.exe | 96 (2 entries)
PID 4448 wrote to memory of 2816 | 4448 | cmd.exe | 97 (2 entries)
PID 2816 wrote to memory of 4928 | 2816 | powershell.exe | 98 (8 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\t.ps1
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
    C:\Windows\system32\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn log /tr C:\ProgramData\log\log.vbs
    - Creates scheduled task(s)
    PID:660
-
C:\Windows\System32\WScript.exe
Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:224
    C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\log\1.bat" "
    - Suspicious use of WriteProcessMemory
    PID:3360
        C:\Windows\system32\cmd.exe
        Command line: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
        - Suspicious use of WriteProcessMemory
        PID:4028
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID:3500
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                PID:4500
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                PID:2372
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                PID:2812
-
C:\Windows\System32\WScript.exe
Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5116
    C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\log\1.bat" "
    - Suspicious use of WriteProcessMemory
    PID:2960
        C:\Windows\system32\cmd.exe
        Command line: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
        - Suspicious use of WriteProcessMemory
        PID:4448
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID:2816
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                PID:4928
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
98B
MD5
1c0e3a11c13201e27ad546a96ba9b235
SHA1
fc8c268814b29dd7355380303ccf915c6a0a46de
SHA256
73de662f4a968fe1d94e3e29cfdd0a8f7e79f914cae64eca32ba55595c6b82e3
SHA512
cb30385e2813e75a02e99afbd1a7f1f288200140d1dc0e716facb708e21a4dd13581fa580a5b0e81b1c3080d107c10f3e44ab5891123236c7f9f3ba2aa31532a
-
Filesize
225KB
MD5
45115fc43fe6bfb9015eecb6a682fca1
SHA1
35d5822da06aa21432025d74fb2b2baaa8dbffe1
SHA256
f501fd1cf1abab6ab840e26c5032b344ebec05c1446b160088469cbdc095303b
SHA512
1f4223e9480007b73c97215af1bd60a57d361a72be6f32c787c1760024c94aa4824d313391351e7bf8dcf9cbe8a0e4e9aa14a71864a08153c5584e680ca8dedc
-
Filesize
120B
MD5
6be0eb96c776c22e099d7643281026f5
SHA1
0f4934d51d6b7dd2a82cfe2d574c1994fe0aa67b
SHA256
3e8f8fc88258f73995eaa6ce64e5093709b1386171512161e5f0ab81c9424503
SHA512
d0c4113016953135bd1cbb6d7504918b10e503467699bd342acd4981bccebc77a1cb054c56b82ef06847cff43da4d6266f4a281ec734e75244aeac8f510e999b
-
Filesize
3KB
MD5
223bd4ae02766ddc32e6145fd1a29301
SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
-
Filesize
1KB
MD5
d096831023867930e62e6d8b3d4d8ca6
SHA1
404a1e73dc1590f1c8b9327c396591567dac7365
SHA256
167f75b42ae614a8d6b0497779ff12f09605328533487f235b029e0db03ad23b
SHA512
31333100ddd8e04bf730118ea800843720c0f3fb69e27b89dda7fa4d717d25e838ad55a0919d47a44dd8a78d724ef8c105cfa230987cc46ba94a2b790ff91b75
-
Filesize
1016B
MD5
057ccf7a1f19c38ef3f263ffd15da0c7
SHA1
b904c41bd154b66e9468a3317b2a7163e3c86612
SHA256
39b9b26264cf959750910a29c95f291af8206eb54b9ce82189c496153bd7a872
SHA512
56ee6c6d56d4bf3f355a748ed7ffe2374d28e51660dc31d418b79a895e6f2a5b6de47e30d15ba9f7844e6d2cdf383183e46179bfff014c1522643729c9cc1942
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82