Analysis Overview
SHA256
bf2d33230f6da074a70938e96042a56f340d26b34511ddd254e10a0293f746b6
Threat Level: Known bad
The file t.png was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Checks computer location settings
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-01 05:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-01 05:07
Reported
2023-05-01 05:09
Platform
win7-20230220-en
Max time kernel
106s
Max time network
33s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\t.ps1
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn log /tr C:\ProgramData\log\log.vbs
C:\Windows\system32\taskeng.exe
taskeng.exe {CB380C0F-6EDA-44DA-B82F-FF6E4A6BDCDE} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"
C:\Windows\System32\cmd.exe
cmd /c ""C:\ProgramData\log\1.bat" "
C:\Windows\system32\cmd.exe
CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"
C:\Windows\System32\cmd.exe
cmd /c ""C:\ProgramData\log\1.bat" "
C:\Windows\system32\cmd.exe
CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
Network
Files
C:\ProgramData\log\log.vbs
| MD5 | 6be0eb96c776c22e099d7643281026f5 |
| SHA1 | 0f4934d51d6b7dd2a82cfe2d574c1994fe0aa67b |
| SHA256 | 3e8f8fc88258f73995eaa6ce64e5093709b1386171512161e5f0ab81c9424503 |
| SHA512 | d0c4113016953135bd1cbb6d7504918b10e503467699bd342acd4981bccebc77a1cb054c56b82ef06847cff43da4d6266f4a281ec734e75244aeac8f510e999b |
C:\ProgramData\log\1.bat
| MD5 | 1c0e3a11c13201e27ad546a96ba9b235 |
| SHA1 | fc8c268814b29dd7355380303ccf915c6a0a46de |
| SHA256 | 73de662f4a968fe1d94e3e29cfdd0a8f7e79f914cae64eca32ba55595c6b82e3 |
| SHA512 | cb30385e2813e75a02e99afbd1a7f1f288200140d1dc0e716facb708e21a4dd13581fa580a5b0e81b1c3080d107c10f3e44ab5891123236c7f9f3ba2aa31532a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 812c5dfc890226509dac774c05d379a7 |
| SHA1 | c7439fc84a0c5da6b762d153cb2a16e7e69b0abc |
| SHA256 | 39236eaf7107912160047b44b82776e228d32c9ffcc6476f622cc816a0c03c6c |
| SHA512 | 4a3041fb4ea9db175f2d4593c64fec58fbdcc7f33bf3de6efe0a81d637928ffcd22141bb3e6515678766479173b446776844bf46d822e40b302c0a8362a243c9 |
memory/1272-75-0x000000001B120000-0x000000001B402000-memory.dmp
memory/1272-76-0x0000000001E60000-0x0000000001E68000-memory.dmp
C:\ProgramData\log\log.ps1
| MD5 | 45115fc43fe6bfb9015eecb6a682fca1 |
| SHA1 | 35d5822da06aa21432025d74fb2b2baaa8dbffe1 |
| SHA256 | f501fd1cf1abab6ab840e26c5032b344ebec05c1446b160088469cbdc095303b |
| SHA512 | 1f4223e9480007b73c97215af1bd60a57d361a72be6f32c787c1760024c94aa4824d313391351e7bf8dcf9cbe8a0e4e9aa14a71864a08153c5584e680ca8dedc |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | a74761d326dcdc75d2e89632247723e2 |
| SHA1 | b4225ab523876b444d09e6a04ee5f8d25802b89e |
| SHA256 | 0a4fbe52401d4f409a380d4bbefba55eb81d20cfe76fdcf90f0a9e4f6678d625 |
| SHA512 | 7ee2e0e3b1560019da051dde660044c95a0526426268f5443e1a45884b485a01819e91d637c1c23d946df98405d4e0c854d5f53708ecf833c3362df2bed2c1ec |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D1NYQN7KJQUH8THQC22T.temp
| MD5 | a74761d326dcdc75d2e89632247723e2 |
| SHA1 | b4225ab523876b444d09e6a04ee5f8d25802b89e |
| SHA256 | 0a4fbe52401d4f409a380d4bbefba55eb81d20cfe76fdcf90f0a9e4f6678d625 |
| SHA512 | 7ee2e0e3b1560019da051dde660044c95a0526426268f5443e1a45884b485a01819e91d637c1c23d946df98405d4e0c854d5f53708ecf833c3362df2bed2c1ec |
memory/1924-87-0x0000000002694000-0x0000000002697000-memory.dmp
memory/1924-88-0x000000000269B000-0x00000000026D2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-01 05:07
Reported
2023-05-01 05:09
Platform
win10v2004-20230220-en
Max time kernel
110s
Max time network
145s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3500 set thread context of 2812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2816 set thread context of 4928 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\t.ps1
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn log /tr C:\ProgramData\log\log.vbs
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\log\1.bat" "
C:\Windows\system32\cmd.exe
CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\log\1.bat" "
C:\Windows\system32\cmd.exe
CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.25.24.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alertgeeks.ddnsfree.com | udp |
| TR | 194.55.224.72:8808 | alertgeeks.ddnsfree.com | tcp |
| US | 8.8.8.8:53 | 72.224.55.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 13.107.4.50:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
Files
memory/2172-138-0x00000259F71E0000-0x00000259F7202000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4sowso4j.bak.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\ProgramData\log\log.vbs
| MD5 | 6be0eb96c776c22e099d7643281026f5 |
| SHA1 | 0f4934d51d6b7dd2a82cfe2d574c1994fe0aa67b |
| SHA256 | 3e8f8fc88258f73995eaa6ce64e5093709b1386171512161e5f0ab81c9424503 |
| SHA512 | d0c4113016953135bd1cbb6d7504918b10e503467699bd342acd4981bccebc77a1cb054c56b82ef06847cff43da4d6266f4a281ec734e75244aeac8f510e999b |
C:\ProgramData\log\1.bat
| MD5 | 1c0e3a11c13201e27ad546a96ba9b235 |
| SHA1 | fc8c268814b29dd7355380303ccf915c6a0a46de |
| SHA256 | 73de662f4a968fe1d94e3e29cfdd0a8f7e79f914cae64eca32ba55595c6b82e3 |
| SHA512 | cb30385e2813e75a02e99afbd1a7f1f288200140d1dc0e716facb708e21a4dd13581fa580a5b0e81b1c3080d107c10f3e44ab5891123236c7f9f3ba2aa31532a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 223bd4ae02766ddc32e6145fd1a29301 |
| SHA1 | 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b |
| SHA256 | 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e |
| SHA512 | 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d096831023867930e62e6d8b3d4d8ca6 |
| SHA1 | 404a1e73dc1590f1c8b9327c396591567dac7365 |
| SHA256 | 167f75b42ae614a8d6b0497779ff12f09605328533487f235b029e0db03ad23b |
| SHA512 | 31333100ddd8e04bf730118ea800843720c0f3fb69e27b89dda7fa4d717d25e838ad55a0919d47a44dd8a78d724ef8c105cfa230987cc46ba94a2b790ff91b75 |
C:\ProgramData\log\log.ps1
| MD5 | 45115fc43fe6bfb9015eecb6a682fca1 |
| SHA1 | 35d5822da06aa21432025d74fb2b2baaa8dbffe1 |
| SHA256 | f501fd1cf1abab6ab840e26c5032b344ebec05c1446b160088469cbdc095303b |
| SHA512 | 1f4223e9480007b73c97215af1bd60a57d361a72be6f32c787c1760024c94aa4824d313391351e7bf8dcf9cbe8a0e4e9aa14a71864a08153c5584e680ca8dedc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 057ccf7a1f19c38ef3f263ffd15da0c7 |
| SHA1 | b904c41bd154b66e9468a3317b2a7163e3c86612 |
| SHA256 | 39b9b26264cf959750910a29c95f291af8206eb54b9ce82189c496153bd7a872 |
| SHA512 | 56ee6c6d56d4bf3f355a748ed7ffe2374d28e51660dc31d418b79a895e6f2a5b6de47e30d15ba9f7844e6d2cdf383183e46179bfff014c1522643729c9cc1942 |