Analysis

max time kernel: 135s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/05/2023, 08:22

Static task: static1
Behavioral task: behavioral1
Sample: t.png.ps1
Resource: win7-20230220-en
General

Target: t.png.ps1
Size: 226KB
MD5: 2e5964cc837e99181da8fbb1a72459f4
SHA1: 554eccb95fd042e7b59ae59009e66c02d40bc606
SHA256: bf2d33230f6da074a70938e96042a56f340d26b34511ddd254e10a0293f746b6
SHA512: 5f5a3b257260f752ce6b4be76df05784778bc1173f58bf540e05533ef2258fb57163089636fb8f9e46b0ab5e1677b049b8b75fa7622165d3ed2154e3230bee5c
SSDEEP: 1536:eeMD10HxuHY05UIy4rpmLoKZqcxU7SHzqQHw7rRim3ve0pAGFBQDVWQIypscdLNk:1k0t0iInKWQIyj37vB1rsz131513ApG
Malware Config

Extracted
Family: asyncrat
Version string (as extracted): | Edit 3LOSH RAT
Botnet: Default
C2: alertgeeks.ddnsfree.com:8808
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures

- Async RAT payload (1 IoC)
  resource: behavioral2/memory/5056-173-0x0000000000400000-0x0000000000416000-memory.dmp
  yara_rule: asyncrat
  PID 5056 is the RegSvcs.exe process in the tree below, so the payload is detected in the injected host process rather than in a file on disk.

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation, by WScript.exe (seen twice, once per WScript.exe run)

- Suspicious use of SetThreadContext (2 IoCs)
  PID 3984 (powershell.exe) set thread context of PID 5056 (RegSvcs.exe), target procid 99
  PID 4168 (powershell.exe) set thread context of PID 640 (RegSvcs.exe), target procid 105

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4656 schtasks.exe

- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  3196 powershell.exe (x2), 3984 powershell.exe (x2), 5056 RegSvcs.exe, 4168 powershell.exe (x2)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege in 3196 powershell.exe, 3984 powershell.exe, 5056 RegSvcs.exe, 4168 powershell.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  5056 RegSvcs.exe

- Suspicious use of WriteProcessMemory (30 IoCs; target names taken from the process tree below)
  3196 powershell.exe wrote to 4656 schtasks.exe, target procid 90 (x2)
  4148 WScript.exe wrote to 4048 cmd.exe, target procid 95 (x2)
  4048 cmd.exe wrote to 4180 cmd.exe, target procid 97 (x2)
  4180 cmd.exe wrote to 3984 powershell.exe, target procid 98 (x2)
  3984 powershell.exe wrote to 5056 RegSvcs.exe, target procid 99 (x8)
  4976 WScript.exe wrote to 5052 cmd.exe, target procid 101 (x2)
  5052 cmd.exe wrote to 4040 cmd.exe, target procid 103 (x2)
  4040 cmd.exe wrote to 4168 powershell.exe, target procid 104 (x2)
  4168 powershell.exe wrote to 640 RegSvcs.exe, target procid 105 (x8)

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3196)
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\t.png.ps1
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe (PID 4656)
    command line: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn log /tr C:\ProgramData\log\log.vbs
    signatures: Creates scheduled task(s)

- C:\Windows\System32\WScript.exe (PID 4148)
  command line: C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4048)
    command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\log\1.bat" "
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 4180)
      command line: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3984)
        command line: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
        signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 5056)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

- C:\Windows\System32\WScript.exe (PID 4976)
  command line: C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 5052)
    command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\log\1.bat" "
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 4040)
      command line: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4168)
        command line: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
        signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 640)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          signatures: none recorded

Reading the tree: the submitted script registers a scheduled task named "log" that runs C:\ProgramData\log\log.vbs every minute, and the two WScript.exe roots are that task firing twice during the 135 s run. Each firing goes WScript.exe, 1.bat, cmd.exe, then a hidden PowerShell with execution policy bypassed that starts an argument-less RegSvcs.exe and, per the SetThreadContext and WriteProcessMemory signatures, injects the AsyncRAT payload into it. Note the abbreviated, mixed-case switches (-WIND, -eXEC, -NONI): powershell.exe accepts any unambiguous prefix of a parameter name, so detections keyed on the literal strings "-WindowStyle Hidden" or "-ExecutionPolicy Bypass" miss this loader.
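The chain above, together with the schtasks, SetThreadContext and WriteProcessMemory signatures, is something a detection engineer wants to catch from process-creation telemetry alone. The following is an added example, not part of the Triage report: it replays the first execution chain (PIDs 3196, 4656, 4148, 4048, 4180, 3984, 5056) as constructed records, with PIDs, image paths and command lines copied from the page, and runs four rules over them. The record field names (pid, ppid, image, cmdline) are an assumption modelled on Sysmon Event ID 1, the tree roots get ppid None because the report does not show their parents, and the second, identical WScript.exe chain (4976 to 640) is left out. The PowerShell-switch matcher deliberately accepts any prefix of the parameter name so that -WIND HIDDEN and -eXEC BYPASS match.

```python
import re

# Constructed process-creation records mirroring the report's first chain.
# PIDs, images and command lines are the ones on the page; ppid is None for the
# tree roots because the report does not show their parents.  The field names
# are an assumption modelled on Sysmon Event ID 1, not a real log format.
EVENTS = [
    {"pid": 3196, "ppid": None,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\t.png.ps1"},
    {"pid": 4656, "ppid": 3196, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn log /tr C:\ProgramData\log\log.vbs'},
    {"pid": 4148, "ppid": None, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"'},
    {"pid": 4048, "ppid": 4148, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\ProgramData\log\1.bat" "'},
    {"pid": 4180, "ppid": 4048, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"'},
    {"pid": 3984, "ppid": 4180,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"'},
    {"pid": 5056, "ppid": 3984,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
]

POWERSHELLS = ("powershell.exe", "pwsh.exe")
DOTNET_LOLBINS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def basename(path):
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(ev, by_pid):
    """Image basenames of ev's ancestors, nearest parent first (cycle-safe)."""
    seen, ppid = set(), ev["ppid"]
    while ppid is not None and ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        yield basename(by_pid[ppid]["image"])
        ppid = by_pid[ppid]["ppid"]


def has_ps_param(cmdline, full, min_len, value=None, aliases=()):
    """True if cmdline carries powershell.exe parameter `full` in any spelling
    PowerShell accepts: case-insensitive and abbreviated to any prefix of at
    least min_len letters (-wind for -WindowStyle, -eXEC for -ExecutionPolicy).
    With `value`, the following token must equal it (case-insensitively)."""
    toks = cmdline.split()
    for i, tok in enumerate(toks):
        if tok[:1] not in "-/":
            continue
        name = tok.lstrip("-/").lower()
        if name not in aliases and not (len(name) >= min_len and full.startswith(name)):
            continue
        if value is None or (i + 1 < len(toks) and toks[i + 1].strip('"').lower() == value):
            return True
    return False


def rule_schtask_minute_script(ev):
    """schtasks /create with a minute trigger whose action is a script under a
    user-writable directory (the report: /sc minute /mo 1 /tr ...\log\log.vbs)."""
    if basename(ev["image"]) != "schtasks.exe":
        return False
    cl = ev["cmdline"].lower()
    if "/create" not in cl or not re.search(r"/sc\s+minute\b", cl):
        return False
    m = re.search(r'/tr\s+("[^"]*"|\S+)', cl)
    action = m.group(1).strip('"') if m else ""
    return action.endswith(SCRIPT_EXT) and any(d in action for d in WRITABLE_DIRS)


def rule_hidden_bypass_powershell(ev):
    """PowerShell started with a hidden window and ExecutionPolicy Bypass,
    whatever the abbreviation or letter case of the switches."""
    if basename(ev["image"]) not in POWERSHELLS:
        return False
    cl = ev["cmdline"]
    return (has_ps_param(cl, "windowstyle", 1, "hidden")
            and has_ps_param(cl, "executionpolicy", 2, "bypass", aliases=("ep",)))


def rule_script_host_to_powershell(ev, by_pid):
    """PowerShell whose ancestry passes through a Windows script host."""
    return (basename(ev["image"]) in POWERSHELLS
            and any(a in SCRIPT_HOSTS for a in ancestry(ev, by_pid)))


def rule_dotnet_lolbin_no_args(ev, by_pid):
    """A .NET utility started with no arguments by a script interpreter: the
    process-creation side of the injection Triage reports as SetThreadContext."""
    if basename(ev["image"]) not in DOTNET_LOLBINS:
        return False
    no_args = ev["cmdline"].strip().strip('"').lower() == ev["image"].lower()
    parent = next(iter(ancestry(ev, by_pid)), None)
    return no_args and parent in POWERSHELLS + ("cmd.exe", "wscript.exe", "cscript.exe")


def scan(events):
    """Return [(pid, rule_name), ...] for every rule each event trips."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        checks = {
            "schtask_minute_script": rule_schtask_minute_script(ev),
            "hidden_bypass_powershell": rule_hidden_bypass_powershell(ev),
            "script_host_to_powershell": rule_script_host_to_powershell(ev, by_pid),
            "dotnet_lolbin_no_args": rule_dotnet_lolbin_no_args(ev, by_pid),
        }
        findings.extend((ev["pid"], name) for name, hit in checks.items() if hit)
    return findings
```

Running scan(EVENTS) flags 4656 (the minute-interval task pointing at a .vbs under ProgramData), 3984 twice (hidden-window bypass PowerShell, and PowerShell descended from WScript.exe) and 5056 (argument-less RegSvcs.exe spawned by PowerShell); the initial powershell.exe 3196 is not flagged because it only has -ExecutionPolicy bypass without a hidden window, and the intermediate cmd.exe 4180 is not flagged even though the PowerShell switches appear in its command line, because the rule keys on the image that actually interprets them.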
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files; file names are not shown on this page)

- Filesize: 98B
  MD5: 1c0e3a11c13201e27ad546a96ba9b235
  SHA1: fc8c268814b29dd7355380303ccf915c6a0a46de
  SHA256: 73de662f4a968fe1d94e3e29cfdd0a8f7e79f914cae64eca32ba55595c6b82e3
  SHA512: cb30385e2813e75a02e99afbd1a7f1f288200140d1dc0e716facb708e21a4dd13581fa580a5b0e81b1c3080d107c10f3e44ab5891123236c7f9f3ba2aa31532a

- Filesize: 225KB
  MD5: 45115fc43fe6bfb9015eecb6a682fca1
  SHA1: 35d5822da06aa21432025d74fb2b2baaa8dbffe1
  SHA256: f501fd1cf1abab6ab840e26c5032b344ebec05c1446b160088469cbdc095303b
  SHA512: 1f4223e9480007b73c97215af1bd60a57d361a72be6f32c787c1760024c94aa4824d313391351e7bf8dcf9cbe8a0e4e9aa14a71864a08153c5584e680ca8dedc

- Filesize: 120B
  MD5: 6be0eb96c776c22e099d7643281026f5
  SHA1: 0f4934d51d6b7dd2a82cfe2d574c1994fe0aa67b
  SHA256: 3e8f8fc88258f73995eaa6ce64e5093709b1386171512161e5f0ab81c9424503
  SHA512: d0c4113016953135bd1cbb6d7504918b10e503467699bd342acd4981bccebc77a1cb054c56b82ef06847cff43da4d6266f4a281ec734e75244aeac8f510e999b

- Filesize: 3KB
  MD5: 223bd4ae02766ddc32e6145fd1a29301
  SHA1: 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
  SHA256: 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
  SHA512: 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

- Filesize: 1KB
  MD5: d096831023867930e62e6d8b3d4d8ca6
  SHA1: 404a1e73dc1590f1c8b9327c396591567dac7365
  SHA256: 167f75b42ae614a8d6b0497779ff12f09605328533487f235b029e0db03ad23b
  SHA512: 31333100ddd8e04bf730118ea800843720c0f3fb69e27b89dda7fa4d717d25e838ad55a0919d47a44dd8a78d724ef8c105cfa230987cc46ba94a2b790ff91b75

- Filesize: 1016B
  MD5: 4feb08d678114967a3064e2bf6515706
  SHA1: f617b3f4f9d3e4d80d0bad2231c1fec79b6ec8d3
  SHA256: 15af4b9b55a562a5791b65421f0b2562d8b4a72d87d43c630dd667cb9dcf0ef5
  SHA512: c1f7b9bd49aabd5e33564f1b3de01b9db6627f923fe95322775328012fbfbe29c9da907cdfe4a8641575002ea7699dcc92947362906e30269a46db752d463738

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82