Overview

overview

10

Static

static

1

fa9fe798ce...bd.ps1

windows7-x64

10

fa9fe798ce...bd.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/05/2023, 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa9fe798ce4705a1ccbb22f8cb813c84e4abce585413eb7e26f0934443e75dbd.ps1

  • Size

    689KB

  • MD5

    e26e685d51988b2ae00c8e7a4ef256db

  • SHA1

    ba09428d9fdaadcd92a578d12a48dcb61d331856

  • SHA256

    fa9fe798ce4705a1ccbb22f8cb813c84e4abce585413eb7e26f0934443e75dbd

  • SHA512

    dc362252519f2637577e4b6fa3bc7df69cfa937fe9eaa78d078bfd24d4ea5b887f90319d1ae918b10c3ec081bcb35a7d436a173cae712d4d6e2f4f8f8af65eef

  • SSDEEP

    1536:or/BsVwGJ9iOowdWIa/aEgRJWb+pifHNutiQ3JlqmbNNnLRS2EFurYdq7PbAeVh/:N

Score
10/10
asyncratmay_1persistencerat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

May_1

C2

3llah23.run.place:8808

Mutex

AsyncMutex_6SI850OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Async RAT payload 1 IoCs
    rat
  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\fa9fe798ce4705a1ccbb22f8cb813c84e4abce585413eb7e26f0934443e75dbd.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.vbs"
        3⤵
          PID:2924
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.bat
      1⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4128
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:972
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:1348
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\TIOLAMAQZCXELAASSIUYRE.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\TIOLAMAQZCXELAASSIUYRE.ps1'"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1724
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              5⤵
                PID:4092
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                5⤵
                  PID:1188
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:3952

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\TIOLAMAQZCXELAASSIUYRE.ps1
          Filesize

          680KB

          MD5

          913fe9d33cd6ef2c4ebc889f4049fcb1

          SHA1

          81e4d4e544826c094d6495bd480d12a560c97383

          SHA256

          85f77b983b441d538d075e87735e258404bc13f6675926d0c1c31536174b4247

          SHA512

          90ab84610401dc35145a4a20e874d67a7bac4a3b10148a282c9ec6721de9540f1fa23429bcd875adeae76bc13b5525ae237149589afeaacb4493191ecb5fa483

          Download Submit

        • C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.bat
          Filesize

          707B

          MD5

          71b7d7741aba59c5a096986dd27a085c

          SHA1

          9f7f17aae92e12885f7e5ed0ae2102765f07ae0f

          SHA256

          3e3b898765a75dbda0e4c37940d37afb415f9355ebe1ec3ca0b507f29b1a3b61

          SHA512

          49bbe38d0c8baf47f14cb9f8377374da4f49c0427b95f96c30662f04838742bd1076b464b881723ffe45f5430ce0cb0826a5b51fe80182658608cdb160c70006

          Download Submit

        • C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.ps1
          Filesize

          3KB

          MD5

          ab20632280fe70bb33581771ef8fe878

          SHA1

          aad5a8e65a1f303eb9c74801a3a6eef1f3b35845

          SHA256

          890aef85a88c0e67d232ff49486bec704ba08388ff38bfa46dc82c174c67e06f

          SHA512

          828f12ccc30a2bfd741570bae849f0f44b88b0b7c00ff969690fec43f072615a42243726b6096918dfec249abd1d74e3878d31bac6ab8558f97858a74f9d8c69

          Download Submit

        • C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.vbs
          Filesize

          1KB

          MD5

          9e5180857489aa1194c07ae92b511f41

          SHA1

          25dc65d65d7a5bbfcdc296f159cd873ea4f892db

          SHA256

          87b4be8edf48f7c11a1798c345f2835cc873d467f839a380acdea6755ec30721

          SHA512

          7a0c633fc8722f64a42aef2b679bbb00b771e3689a2daece3cf463729ec2fd0c292f7dc44d9599313ceefd667ddcd7d59becaca32d4cedf953f4fccd97f39977

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          00e7da020005370a518c26d5deb40691

          SHA1

          389b34fdb01997f1de74a5a2be0ff656280c0432

          SHA256

          a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

          SHA512

          9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          71444def27770d9071039d005d0323b7

          SHA1

          cef8654e95495786ac9347494f4417819373427e

          SHA256

          8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

          SHA512

          a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          f87b0558f50792e4684d92fb3d271c24

          SHA1

          e745842dfeec7403c04a660ad6a2f2231ba605bb

          SHA256

          61d84320415c97ff5d41de5030ba8b8b77c04295d2137f95de9e947a954a8192

          SHA512

          56275978bc50ff36bd9ace519adc25d204955983ba0394ced54f9a70d063c4445e591df6e697b536a1abce8cd4795b80e572f17ae31063c97926cff4553d51a2

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          64B

          MD5

          a6c9d692ed2826ecb12c09356e69cc09

          SHA1

          def728a6138cf083d8a7c61337f3c9dade41a37f

          SHA256

          a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

          SHA512

          2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t3tutj3i.mwk.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • memory/540-145-0x00000226F6270000-0x00000226F6280000-memory.dmp

          Filesize

          64KB

          Download

        • memory/540-150-0x00000226F6270000-0x00000226F6280000-memory.dmp

          Filesize

          64KB

          Download

        • memory/540-149-0x00000226F6270000-0x00000226F6280000-memory.dmp

          Filesize

          64KB

          Download

        • memory/540-133-0x00000226F63D0000-0x00000226F63F2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/540-148-0x00000226F6270000-0x00000226F6280000-memory.dmp

          Filesize

          64KB

          Download

        • memory/540-144-0x00000226F6270000-0x00000226F6280000-memory.dmp

          Filesize

          64KB

          Download

        • memory/540-143-0x00000226F6270000-0x00000226F6280000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1724-233-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-225-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-234-0x0000029EEB3E0000-0x0000029EEB3E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1724-197-0x0000029EEB440000-0x0000029EEB450000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1724-199-0x0000029EEB440000-0x0000029EEB450000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1724-198-0x0000029EEB440000-0x0000029EEB450000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1724-200-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-201-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-203-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-205-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-207-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-209-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-211-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-213-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-215-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-217-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-219-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-221-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-223-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-231-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-227-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1724-229-0x0000029EEB3C0000-0x0000029EEB3E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3952-240-0x0000000001300000-0x0000000001310000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3952-241-0x0000000005990000-0x0000000005F34000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3952-248-0x0000000001300000-0x0000000001310000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3952-235-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/3952-247-0x0000000006F50000-0x0000000006F6E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3952-246-0x0000000006EB0000-0x0000000006F26000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3952-245-0x0000000006180000-0x00000000061E6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3952-244-0x00000000058C0000-0x000000000595C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/3952-242-0x00000000055C0000-0x0000000005652000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3952-243-0x00000000055A0000-0x00000000055AA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4668-176-0x00000254E96D0000-0x00000254E96E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4668-174-0x00000254E96D0000-0x00000254E96E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4668-175-0x00000254E96D0000-0x00000254E96E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4788-178-0x000001FAEE0F0000-0x000001FAEE100000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4788-177-0x000001FAEE0F0000-0x000001FAEE100000-memory.dmp

          Filesize

          64KB

          Download