Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/05/2023, 05:13
Static task: static1
Behavioral task: behavioral1
Sample: t.ps1
Resource: win7-20230220-en
General
Target: t.ps1
Size: 256KB
MD5: ec3fb005182c03e31ad5f652fcaf433a
SHA1: 1d1533e4c07dc0f21235e2011f1e99e263aa1114
SHA256: 6e39cc4bf7d911b9b6b47d0ca860df4b405386a8232943cd9e4a7f03d2027c0c
SHA512: 8ce1740ff066dae5edeffd56fe79e597a66ecce8e4fc83563c2e772461a4e5978aa44db531f74fad38db0a1e0aae0d4d9bf53cba3b43daa77f45b43be2e8fb78
SSDEEP: 6144:dhMHd8wF9VtLr3EXGpI5cGIE+QI33INenAZYn+FphxVC4werLfEM2QI6ii4jqJrB:0Ht9VtLr3EXGpI5cGIp3INenAZQ+Fphx
Malware Config
Extracted
Family: asyncrat | 3LOSH RAT
Botnet: Default
C2 hosts:
  ghoss.freeddns.org:6606
  ghoss.freeddns.org:7707
  ghoss.freeddns.org:8808
Mutex: AsyncMutex_6SI68OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures
- Async RAT payload (1 IoCs)
  resource: behavioral2/memory/3148-172-0x0000000000400000-0x0000000000416000-memory.dmp
  yara_rule: asyncrat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
  Process: WScript.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 5000 set thread context of 3148
  pid: 5000
  Process: powershell.exe
  procid_target: 98
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1160, Process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 4680, Process powershell.exe
  pid 4680, Process powershell.exe
  pid 5000, Process powershell.exe
  pid 5000, Process powershell.exe
  pid 3148, Process RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description Token: SeDebugPrivilege, pid 4680, Process powershell.exe
  description Token: SeDebugPrivilege, pid 5000, Process powershell.exe
  description Token: SeDebugPrivilege, pid 3148, Process RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 3148, Process RegSvcs.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 4680 wrote to memory of 1160 (pid 4680, Process powershell.exe, procid_target 88)
  PID 4680 wrote to memory of 1160 (pid 4680, Process powershell.exe, procid_target 88)
  PID 4588 wrote to memory of 1276 (pid 4588, Process WScript.exe, procid_target 94)
  PID 4588 wrote to memory of 1276 (pid 4588, Process WScript.exe, procid_target 94)
  PID 1276 wrote to memory of 3596 (pid 1276, Process cmd.exe, procid_target 96)
  PID 1276 wrote to memory of 3596 (pid 1276, Process cmd.exe, procid_target 96)
  PID 3596 wrote to memory of 5000 (pid 3596, Process cmd.exe, procid_target 97)
  PID 3596 wrote to memory of 5000 (pid 3596, Process cmd.exe, procid_target 97)
  PID 5000 wrote to memory of 3148 (pid 5000, Process powershell.exe, procid_target 98)
  PID 5000 wrote to memory of 3148 (pid 5000, Process powershell.exe, procid_target 98)
  PID 5000 wrote to memory of 3148 (pid 5000, Process powershell.exe, procid_target 98)
  PID 5000 wrote to memory of 3148 (pid 5000, Process powershell.exe, procid_target 98)
  PID 5000 wrote to memory of 3148 (pid 5000, Process powershell.exe, procid_target 98)
  PID 5000 wrote to memory of 3148 (pid 5000, Process powershell.exe, procid_target 98)
  PID 5000 wrote to memory of 3148 (pid 5000, Process powershell.exe, procid_target 98)
  PID 5000 wrote to memory of 3148 (pid 5000, Process powershell.exe, procid_target 98)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\t.ps1
  PID: 4680
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn PDF /tr C:\ProgramData\PDF\PDF.vbs
      PID: 1160
      - Creates scheduled task(s)
- C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\PDF\PDF.vbs"
  PID: 4588
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\PDF\1.bat" "
      PID: 1276
      - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe
          Command line: CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF.ps1"
          PID: 3596
          - Suspicious use of WriteProcessMemory
            - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF.ps1"
              PID: 5000
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
                - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                  PID: 3148
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 89B
  MD5: a7f20549327da521bf176b6faa76e623
  SHA1: b9b22202b9d3d43ffa6cbf2f3f81dc7f5b06c605
  SHA256: a2099940d9f7f9a0a603a5a36ef2b24eef49f2cb428539949a6d75261faaba46
  SHA512: 5cac6f996aa1bb4dd11a39d3001da243c6f020bc1a3d86a36ec773d45e479514b006e3b3d8782b1eaab628d0fefdb987495308b9c88f38667f875179771f4823
- Filesize: 255KB
  MD5: ee39cd0d14321044da4e3e548392983c
  SHA1: 4f04ebde6c0d04a5837bc81d062d7b14f7738168
  SHA256: 86f1d81d4d4f866442b384394e35d1a8058bbe843cc0d8896b1655d3ab3cf886
  SHA512: bd2817d4ef8367a0c2f7dfc838aef559c16a703d95f887b053da3bde95f4ab709cbbfde2b22c829d9dccb52abb8a708868a0f327031eeae9584764d3fc3a7ad4
- Filesize: 120B
  MD5: 30e4773314799aa0e1fd7761cae6e609
  SHA1: d1b5a371a7555e99a7602ae6ee8028ac0f0462c4
  SHA256: dc592583d072f325b7a0a54d53499f32ef95c731344cc10400f0bb03e7db4720
  SHA512: fcbeca634cb6fe2d0ea4f726f09b4a35917615467a562e9d73cd235cd337bb797fb6a996f0569e83f4f858c0226b84fbd2d0721bea47d1039e5ffe6ebca0bb8d
- Filesize: 3KB
  MD5: 223bd4ae02766ddc32e6145fd1a29301
  SHA1: 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
  SHA256: 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
  SHA512: 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
- Filesize: 1KB
  MD5: bd84a249acecea9fba0df3d01b8305c0
  SHA1: c7161dbd390d2d64925a9f987b1e41f42eca1d4d
  SHA256: aea560ffda4a850a53cda513f0b5b50322563d52690fe5b07764615638d8e160
  SHA512: d8897507207440daada3ff7ff33976bac8281dea68424174c799bd4b68e0358bab395246c0f1d4c13328d7f478b218ab9e1be8959b32f28a1eeba199c746f676
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82