Analysis

max time kernel: 130s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/05/2023, 08:22

Static task: static1
Behavioral task: behavioral1
Sample: B.PNG.ps1
Resource: win7-20230220-en
General

Target: B.PNG.ps1
Size: 226KB
MD5: fb299e0e8ae35692f1541b2912812184
SHA1: 4ef1f2589e960b9645a8010920da2b1caacdd350
SHA256: e2e4ce0315ef9f241c5d3ab09ccc9de3f8bd71f5388d8a4dd7fadd0a1110f266
SHA512: ba36c4ad9721ad46f2cd56a819643ed4d01804d76952638c1f7842d745c10ca0e70be874ad5e6de504627c4210545247b9da9312574fb0fc658fe13032450863
SSDEEP: 1536:FeMD10HxuHY05UIy4rpmLoKZqcxU7SHzqQHw7rRim3ve0pAGFBQDVWQIypsc8bIX:gk0t0iInKWQIyjdZaRMXYxr315+3ApA
Malware Config

Extracted family: asyncrat
Version: 3LOSH RAT
Botnet: Default
C2:
- Modyhr.ddnsfree.com:6606
- Modyhr.ddnsfree.com:7707
- Modyhr.ddnsfree.com:8808
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
- resource yara_rule: behavioral2/memory/3372-173-0x0000000000400000-0x0000000000416000-memory.dmp (asyncrat)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation (WScript.exe)

Suspicious use of SetThreadContext (2 IoCs)
- PID 5056 (powershell.exe) set thread context of PID 3372 (procid_target 97)
- PID 3908 (powershell.exe) set thread context of PID 1800 (procid_target 103)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 408 schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
- 4656 powershell.exe (x2)
- 5056 powershell.exe (x4)
- 3372 RegSvcs.exe
- 3908 powershell.exe (x2)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, 4656 powershell.exe
- Token: SeDebugPrivilege, 5056 powershell.exe
- Token: SeDebugPrivilege, 3372 RegSvcs.exe
- Token: SeDebugPrivilege, 3908 powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- 3372 RegSvcs.exe

Suspicious use of WriteProcessMemory (33 IoCs; source PID -> target PID, procid_target, count)
- 4656 powershell.exe -> 408 (89) x2
- 4700 WScript.exe -> 4084 (92) x2
- 4084 cmd.exe -> 1472 (94) x2
- 1472 cmd.exe -> 5056 (95) x2
- 5056 powershell.exe -> 1952 (96) x3
- 5056 powershell.exe -> 3372 (97) x8
- 964 WScript.exe -> 4952 (99) x2
- 4952 cmd.exe -> 4588 (101) x2
- 4588 cmd.exe -> 3908 (102) x2
- 3908 powershell.exe -> 1800 (103) x8

The pairs of writes between parent and child are the normal process-creation traffic. The eight writes from 5056 into 3372, the SetThreadContext call on the same pair, and the AsyncRAT YARA match on 3372's memory at 0x400000 together indicate that the PowerShell stage maps the payload into a freshly started RegSvcs.exe and redirects its main thread, i.e. a hollowed .NET host rather than a dropped executable. The same pattern repeats for 3908 -> 1800 in the second run.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

The scheduled task created by the initial script fires every minute (/sc minute /mo 1), so the WScript -> cmd -> cmd -> PowerShell -> RegSvcs.exe chain below is observed twice within the run, once with PIDs 4700/4084/1472/5056/1952+3372 and once with PIDs 964/4952/4588/3908/1800. Depth numbers correspond to the tree level in the sandbox output.

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4656)
   cmdline: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\B.PNG.ps1
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\schtasks.exe (PID 408)
      cmdline: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn Nothing /tr C:\ProgramData\Nothing\Nothing.vbs
      - Creates scheduled task(s)

1. C:\Windows\System32\WScript.exe (PID 4700)
   cmdline: C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe (PID 4084)
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Nothing\1.bat" "
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe (PID 1472)
         cmdline: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5056)
            cmdline: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1952)
               cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3372)
               cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of SetWindowsHookEx

1. C:\Windows\System32\WScript.exe (PID 964)
   cmdline: C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe (PID 4952)
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Nothing\1.bat" "
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe (PID 4588)
         cmdline: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3908)
            cmdline: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1800)
               cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
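As an added example (not part of the sandbox output), the process tree and signatures above encoded as detection logic and run over constructed process-creation and registry-query records modelled on the report: a schtasks minute-interval task pointing at a script under ProgramData, hidden policy-bypassing PowerShell descended from a script host, an argument-less .NET utility spawned by PowerShell (the hollowing target), and a Geo\Nation registry lookup from a script host. Images, command lines, PIDs and the SID are the page's; the benign control records, the rule names and the regexes are my own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int       # 0 = parent not present in the record set
    image: str
    cmdline: str


# Constructed process-creation records modelled on the report's tree (images,
# command lines and PIDs copied from the page); the last two are a benign
# control I added, not something the report shows.
EVENTS = [
    Proc(4656, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\B.PNG.ps1"),
    Proc(408, 4656, r"C:\Windows\system32\schtasks.exe",
         r'"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn Nothing /tr C:\ProgramData\Nothing\Nothing.vbs'),
    Proc(4700, 0, r"C:\Windows\System32\WScript.exe",
         r'C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"'),
    Proc(4084, 4700, r"C:\Windows\system32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Nothing\1.bat" "'),
    Proc(1472, 4084, r"C:\Windows\system32\cmd.exe",
         r'CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"'),
    Proc(5056, 1472, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"'),
    Proc(1952, 5056, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    Proc(3372, 5056, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    Proc(7000, 0, r"C:\Windows\System32\cmd.exe", r"cmd.exe"),                      # benign control
    Proc(7001, 7000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -File C:\Scripts\inventory.ps1"),                          # benign control
]

# Constructed registry-query records (pid, key): the first mirrors the report's
# "Checks computer location settings" IOC, the second is benign filler.
REG_QUERIES = [
    (4700, r"\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation"),
    (7001, r"\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# .NET utilities commonly started empty and then hollowed; RegSvcs.exe is the one on this page.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
HIDDEN = re.compile(r"-w\w*\s+hidden", re.I)       # -w / -wind / -WindowStyle hidden
BYPASS = re.compile(r"-ex\w*\s+bypass", re.I)      # -ex / -exec / -ExecutionPolicy bypass
MINUTE_TASK = re.compile(r"/sc\s+minute\s+/mo\s+1\b", re.I)
SCRIPT_EXT = re.compile(r"\.(?:vbs|js|bat|cmd|ps1)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid, depth=4):
    """Image basenames of `pid` and up to `depth` of its ancestors, nearest first."""
    chain = []
    while pid in by_pid and len(chain) <= depth:
        p = by_pid[pid]
        chain.append(basename(p.image))
        pid = p.ppid
    return chain


def analyze(events, reg_queries=()):
    """Return (rule_name, pid) findings for the AsyncRAT delivery chain seen in the report."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        name, cl = basename(p.image), p.cmdline
        parents = ancestry(p.ppid, by_pid)
        # 1. schtasks creating a minute-interval task that runs a script out of ProgramData.
        if name == "schtasks.exe" and "/create" in cl.lower() and MINUTE_TASK.search(cl) \
                and SCRIPT_EXT.search(cl) and "\\programdata\\" in cl.lower():
            findings.append(("minute_task_runs_script", p.pid))
        # 2. Hidden, policy-bypassing PowerShell whose ancestry includes a script host.
        if name == "powershell.exe" and HIDDEN.search(cl) and BYPASS.search(cl) \
                and SCRIPT_HOSTS & set(parents):
            findings.append(("hidden_powershell_from_script_host", p.pid))
        # 3. .NET utility launched by PowerShell with an empty command line: what a
        #    hollowing target looks like before the payload is mapped in.
        if name in HOLLOW_HOSTS and cl.strip().strip('"').lower() == p.image.lower() \
                and parents[:1] == ["powershell.exe"]:
            findings.append(("empty_cmdline_dotnet_host_from_powershell", p.pid))
    # 4. Geo\Nation lookup from a script host or PowerShell (likely geofence).
    for pid, key in reg_queries:
        if key.lower().endswith(r"\control panel\international\geo\nation") and pid in by_pid \
                and basename(by_pid[pid].image) in SCRIPT_HOSTS | {"powershell.exe"}:
            findings.append(("geo_nation_lookup_from_script_host", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS, REG_QUERIES):
        print(f"{rule}: PID {pid}")
```

Rule 3 deliberately keys on the empty command line plus the PowerShell parent rather than on RegSvcs.exe alone, since RegSvcs.exe with real arguments is legitimate developer tooling; in production the same rule would be joined with the SetThreadContext or cross-process write telemetry the report shows for 5056 -> 3372.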
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped file 1
- Filesize: 106B
- MD5: 2135f53fe669b95ef3dfc8159f002f35
- SHA1: 784f7c804a8017298a0444961da570c54e234128
- SHA256: a012ee5f76492bcf0a72c415f098d0a0e21ea28f3a08e179089ed74ec1051134
- SHA512: 6115083a87f84bbbd28607c407324539c9ae5e6834c6d18404ed516f993ab4f7fedb246c192257183dc429bf2a23b84c81fa52e608a3486666a0ecd001614b92

Dropped file 2
- Filesize: 225KB
- MD5: 633e2bd5aad471f331d308b70df2cde7
- SHA1: 187f14b57103beffada3b283eeba4f528a466b00
- SHA256: d1e4eab2f9cb99e6d3fcf39b82bfcf7cdc216cd355570b8305c15877889afcea
- SHA512: 7c36819998154344f6ae6c68b2f72d559fd92a088fd4a96c30b75727310cdcf36b4f42dc57f66a4e438ff1cac1fa121479e7d20630b7ddfdc1ebb520b343fb80

Dropped file 3
- Filesize: 124B
- MD5: 617f5a86804776b6e4153709d03fd144
- SHA1: 2abe924e3ada5b487a9a67ee22e8e1c21a47b516
- SHA256: b582e1508d3cc895cbb37a547a770a62e1c02ec555265f7bd231c734127b3867
- SHA512: a40b25239589f3029a837077c639633e966f69c6c4096db1cad526e849fd5a44bef01270dc4f20049829ed8e85f1fae3e6e0b3d4be8c049d7c974df958136842

Dropped file 4
- Filesize: 3KB
- MD5: 223bd4ae02766ddc32e6145fd1a29301
- SHA1: 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
- SHA256: 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
- SHA512: 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Dropped file 5
- Filesize: 1KB
- MD5: 3003448ee73abf14d5c8011a37c40600
- SHA1: b88e9cdbae2e27a25f0858fc0b6d79533fb160d8
- SHA256: ae448d99735879ecee1dc3088c8f7553ebff461b96172d8f3cb5ff2fa2a12d4a
- SHA512: 0fe52614eec6d75a265ae380aaa1eb153bc35a1baae4d118637798575169d9dba5ad751efab5d7f5dbe9764bfb96e9ae76577a3487429a3383b5b08d5402fe3a

Dropped file 6
- Filesize: 1016B
- MD5: cb7666e5e5cad13b3a781f3d2eb0d24f
- SHA1: 6578ad7f4f59ebd771a1351cc3df7f87d471b033
- SHA256: cafff50a0d49b0a3770acc5c5d4433f5ad01f1a7d5479484912c8e9664880137
- SHA512: ffc2b6a5730ef07f907b8c2617388ac2d2abb4cd0035a4baf086eb3a8c62bb5da16259387f3d64e803fbac9e243a611efca12462c2b98449826b10787b740b04

Dropped file 7
- Filesize: 60B
- MD5: d17fe0a3f47be24a6453e9ef58c94641
- SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
- SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
- SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82