Analysis

max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/11/2023, 02:01
Static task: static1
Behavioral task: behavioral1
Sample: 16112023_1001_T2.jpg.ps1
Resource: win7-20231020-en

behavioral1 is listed with the win7-20231020-en resource, while the analysis header above names the win10v2004 image and the memory-dump IoCs below are tagged behavioral2. The signatures and process tree on this page therefore belong to the Windows 10 run, not to behavioral1.
General

Target: 16112023_1001_T2.jpg.ps1
Size: 327KB
MD5: 36d751d4b6588d6915fe1e79fd99eb51
SHA1: e601561d27298ee6431b620d693dcc78c7034aa1
SHA256: 47f11e01187fdda999732db919d3cb2b37a114411328f6544871234456f8966b
SHA512: 5c0de7d5d168a0e7ce98f14c8bba9bb0e2549d8635d17d8221ac64e5bbcb7b27f001e1e4dc14d53ac199a00c181a3a655224f5fb0a793e5f1292528b8eb3eeff
SSDEEP: 3072:Pi/NYZjEZCRta6vQN62i5d7jDUisDCyXMhnau+dKEQNhXigT5ncPkGByPpwRNXTQ:gyv

The target carries a double extension (.jpg.ps1): it is a PowerShell script named to pass as an image. The sandbox launched it directly with powershell.exe -ExecutionPolicy bypass -File (PID 3696 in the process tree), so the lure delivery path is not part of this run.
Malware Config

Extracted
Family: asyncrat
3LOSH RAT
RxR*
C2: rxrr.duckdns.org:6606
C2: rxrr.duckdns.org:7707
C2: rxrr.duckdns.org:8808
Mutex: AsyncMutex_86734khgs1
delay: 3
install: false
install_folder: %AppData%

The three C2 entries are one dynamic-DNS host (duckdns.org) on ports 6606, 7707 and 8808, the ports the AsyncRAT builder fills in by default. Alert or block on the hostname rather than on a resolved IP, since a duckdns name can be repointed at any time. install is false, so the RAT's own install routine (copy to install_folder, add persistence) is disabled; any persistence on this host comes from the loader chain instead, which is consistent with the Task Scheduler COM API signature below. The mutex name is a usable host-level indicator for a running instance.
Signatures

Async RAT payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1268-37-0x0000000000400000-0x0000000000416000-memory.dmp   asyncrat
  behavioral2/memory/1268-41-0x0000000004F60000-0x0000000004F70000-memory.dmp   asyncrat
  Both dumps come from PID 1268 (RegSvcs.exe). The 0x00400000-0x00416000 region (0x16000 bytes) sits at the default 32-bit PE image base, consistent with a payload mapped into the hollowed process rather than with RegSvcs.exe's own image; the RegSvcs.exe used here is the 32-bit Framework\v4.0.30319 build, not Framework64.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description         ioc                                                                                                Process
  Key value queried   \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation   WScript.exe
  The Nation value holds the user's Windows GeoID as a decimal string (244 is the United States, for example). The read is made by the VBS stage (WScript.exe), before the hidden PowerShell stage and the injection run. Sysmon registry events cover create, set, delete and rename but not reads, so this indicator is available from sandbox or API-monitor telemetry only; on endpoints the process chain is the better detection hook.

Suspicious use of SetThreadContext (1 IoC)
  description                          pid    Process         procid_target
  PID 3576 set thread context of 1268  3576   powershell.exe  112
  Combined with the eight WriteProcessMemory calls from 3576 into 1268 listed below, this is the process-hollowing sequence: powershell.exe starts RegSvcs.exe, writes the payload into it and redirects its thread with SetThreadContext.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid    Process         occurrences
  3696   powershell.exe  2
  3576   powershell.exe  23
  1268   RegSvcs.exe     1

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid    Process
  Token: SeDebugPrivilege  3696   powershell.exe
  Token: SeDebugPrivilege  3576   powershell.exe
  Token: SeDebugPrivilege  1268   RegSvcs.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    Process
  1268   RegSvcs.exe
  A Windows hook installed from the injected process is consistent with AsyncRAT's keylogging capability.

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid    Process         procid_target   occurrences
  PID 4964 wrote to memory of 4020  4964   WScript.exe     110             2
  PID 4020 wrote to memory of 3576  4020   cmd.exe         111             2
  PID 3576 wrote to memory of 1268  3576   powershell.exe  112             8
  The two writes from each parent into its direct child are what process creation itself produces (the parent populates the new process's startup parameters), so the same pairs show up for benign parent/child relationships; the eight writes from 3576 into 1268 are the injection.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
  The page records no task name, trigger or action, so which stage registered the task and what it runs is not shown here.
Processes

depth 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3696)
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\16112023_1001_T2.jpg.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

depth 1: C:\Windows\System32\WScript.exe (PID 4964)
  C:\Windows\System32\WScript.exe "C:\Users\Public\libraries.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\system32\cmd.exe (PID 4020)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\libraries.bat" "
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3576)
      powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\libraries.ps1'"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1268)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

Reading the tree: the sample (PID 3696) is the only process that runs before the second chain starts, and that chain begins with WScript.exe as a new root process rather than as a child of 3696. This is the shape you get when a first stage registers a scheduled task and the task scheduler launches the next stage, which fits the Task Scheduler COM API signature above, although the page does not record which process wrote libraries.vbs, libraries.bat and libraries.ps1 into C:\Users\Public or what the task contained. The second chain is a script-host relay: WScript.exe runs the VBS, which runs cmd.exe on the .bat, which runs a hidden PowerShell with the execution policy bypassed, which starts RegSvcs.exe with no arguments and hollows it with the AsyncRAT payload. RegSvcs.exe is a Microsoft-signed .NET framework utility, so the RAT runs under a trusted image name; it has no legitimate reason to be started by PowerShell without an assembly path.
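The detection logic below is an added example written for this page; it is not code from the sandbox, the sample or any vendor product. It encodes the chain above as rules over Sysmon-style process-creation (EventID 1) and process-access (EventID 10) records and runs them over events constructed from the report's PIDs, images and command lines. The parent PIDs of the two root processes, the EventID 10 access mask and the benign control event are assumptions, since the page does not record them; Sysmon has no event for WriteProcessMemory or SetThreadContext, so a process-access mask carrying VM write plus suspend/resume rights is the closest endpoint telemetry to the two injection signatures.

```python
"""Added example: detection rules for the WScript -> cmd -> powershell -> RegSvcs
chain in this report, evaluated over constructed Sysmon-style events.
Not code from the sandbox or from the sample."""
from dataclasses import dataclass

# Process access rights that appear in Sysmon EventID 10 GrantedAccess masks.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME

# Signed .NET framework utilities commonly used as hollowing targets (RegSvcs.exe here).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STAGING_DIR = "c:\\users\\public\\"  # world-writable directory the loader stages its files in


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _access(value) -> int:
    # Sysmon writes GrantedAccess as a hex string such as "0x1FFFFF".
    return int(value, 16) if isinstance(value, str) else int(value)


def detect(events: list[dict]) -> list[Finding]:
    """Apply the four rules and return findings in event order."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings: list[Finding] = []
    for e in procs.values():
        name, cmd = _basename(e["Image"]), e["CommandLine"]
        lc = cmd.lower()
        # Rule 1: PowerShell bypassing execution policy while hidden or run out of the staging dir.
        if (name == "powershell.exe" and "-executionpolicy bypass" in lc
                and ("-windowstyle hidden" in lc or STAGING_DIR in lc)):
            findings.append(Finding("ps_bypass_hidden_or_staging", e["ProcessId"], cmd))
        # Rule 2: a script host executing a script from C:\Users\Public.
        if name in SCRIPT_HOSTS and STAGING_DIR in lc:
            findings.append(Finding("script_host_from_staging", e["ProcessId"], cmd))
        # Rule 3: a .NET host spawned by PowerShell with no arguments (nothing to register or build).
        parent = procs.get(e["ParentProcessId"])
        if (name in DOTNET_HOSTS and parent and _basename(parent["Image"]) == "powershell.exe"
                and cmd.strip().strip('"').lower() == e["Image"].lower()):
            findings.append(Finding("dotnet_host_spawned_without_args", e["ProcessId"], cmd))
    # Rule 4: PowerShell opens a .NET host with write and suspend/resume rights (hollowing prerequisites).
    for e in events:
        if e["EventID"] != 10:
            continue
        src, tgt = procs.get(e["SourceProcessId"]), procs.get(e["TargetProcessId"])
        if (src and tgt and _basename(src["Image"]) == "powershell.exe"
                and _basename(tgt["Image"]) in DOTNET_HOSTS
                and (_access(e["GrantedAccess"]) & INJECT_MASK) == INJECT_MASK):
            findings.append(Finding("powershell_injects_dotnet_host", e["TargetProcessId"], e["GrantedAccess"]))
    return findings


def ancestry(events: list[dict], pid: int) -> list[str]:
    """Walk parent links upwards from pid; stops at the first PID without an EventID 1 record."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(_basename(procs[pid]["Image"]))
        pid = procs[pid]["ParentProcessId"]
    return chain


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed from the report's process tree. Parent PIDs 900 and 904, the 0x1FFFFF access
# mask and the final control event are assumptions; the page does not record them.
EVENTS = [
    {"EventID": 1, "ProcessId": 3696, "ParentProcessId": 900, "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\16112023_1001_T2.jpg.ps1"},
    {"EventID": 1, "ProcessId": 4964, "ParentProcessId": 904, "Image": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'C:\Windows\System32\WScript.exe "C:\Users\Public\libraries.vbs"'},
    {"EventID": 1, "ProcessId": 4020, "ParentProcessId": 4964, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\libraries.bat" "'},
    {"EventID": 1, "ProcessId": 3576, "ParentProcessId": 4020, "Image": PS,
     "CommandLine": r'''powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\libraries.ps1'"'''},
    {"EventID": 1, "ProcessId": 1268, "ParentProcessId": 3576, "Image": REGSVCS,
     "CommandLine": f'"{REGSVCS}"'},
    {"EventID": 10, "SourceProcessId": 3576, "TargetProcessId": 1268, "GrantedAccess": "0x1FFFFF"},
    # Benign control: an admin script with the same policy bypass, but neither hidden nor staged.
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 900, "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:36} pid={f.pid} {f.detail}")
    print(" <- ".join(ancestry(EVENTS, 1268)))
```

Rule 1 deliberately does not fire on the sandbox's own launch of the sample (PID 3696) or on the control event: -ExecutionPolicy Bypass alone is too common in administration to alert on, and it is the combination with -WindowStyle Hidden or a world-writable staging directory that characterises the loader. Rule 3 keys on the empty command line, which is the same tell a human reviewer uses on the process tree above.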
Network
MITRE ATT&CK Enterprise v15
Downloads

The page lists hashes only; the file names and the process that wrote each artifact are not recorded here. The 326KB entry is a different file from the 327KB sample (its hashes do not match the General section).

Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Filesize: 1KB
MD5: 38e01d05f1a3c204a4b66f6503a154b4
SHA1: 1f13df998e49ba099b8142117047ca78c7728826
SHA256: 098383f853295ab4ca31292fc72f149c4d737544f973232a84f48ba060076610
SHA512: d4cf12cc636128328bca08bfefdb5cbd3d7e3fa0b9ab8de99734a9af67c18224146000e2a5b79ad3fcfbcef27290e93fcd8f9c0979c8dd95e47e123b479cbed5

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 210B
MD5: 440e905a6fcf6bcc0ffe763896e21044
SHA1: 89bf89ca871095dd7431147a4e0c993bfdba897e
SHA256: aae3e34c1f6bf5eaf7c91afec528d24ac1b10272705be506653b29df17d6e834
SHA512: f324dbff528e9579f81af84c09ab45ef87cd8e516cb22a5f99e432d4d1ca528f3e5d8f7a1f479076a89c18cd44bbaa10df4f6a1fcdc3fe8937febadb892d89fd

Filesize: 326KB
MD5: d253b8760d01942b6f0cf89884d8ce6f
SHA1: f5c10af0337c62aaf7403fb88cfe5671ef317d56
SHA256: 1c2e5ff87905fd9a30d3498c37374bcb9944caaf229dd8d9d85ffa25d3ab3ae4
SHA512: 77049aaa93bcba3a101b0f93571b3b633c2b98876655e63ba427219eb20fe7256f500edad9b840494ccddb5ca55f9baa8eec36020f099887fec86e4feadb8782

Filesize: 691B
MD5: 882c260115cfacc236251d065cc23c4c
SHA1: cee58dd936e493370224db57ca49c4d6c0cbfeff
SHA256: 1d1595fdd363891dd2d9d081059b2dcbca1edc72c80b6c637436a9090ba2564a
SHA512: d1279bcc0150ba96164445a98fdb5ff5ef6cde81460af71612ee0f0a7ac8155f9d3a73aa26ccb53a9da6493e078aef42e20ca26011f0f5aa855f5ced61236641