Analysis
-
max time kernel
151s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
18-04-2024 11:10
General
-
Target
big.ps1
-
Size
11.2MB
-
MD5
cbf8ae11065184964e7ee9533836c668
-
SHA1
34047bde03d2615d876d21106538e27132c81ae6
-
SHA256
791722d558475d9ed6219a5b22c6cb2df2a18928a5cc5b7b341f59fc024093c9
-
SHA512
a5e9b59a00327f0da6006f43edff006caf26271f7d25a1bcc094bc9d94db9da63fc6fbe26183a1745acf6e2fe86b1f600725c7f3677a06bcc7d12e216e764b40
-
SSDEEP
49152:/H+uozbw6H4JCHhy2rc70OvlOXFSP7gVf:2
Malware Config
Extracted
asyncrat
Default
91.92.252.234:3232
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Async RAT payload 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\big.ps12⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\notepad.exeC:\Windows\System32\notepad.exe2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
-
C:\Windows\System32\chcp.comchcp 650014⤵
-
C:\Windows\System32\netsh.exenetsh wlan show profile4⤵
-
C:\Windows\System32\findstr.exefindstr All4⤵
-
C:\Windows\System32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
-
C:\Windows\System32\chcp.comchcp 650014⤵
-
C:\Windows\System32\netsh.exenetsh wlan show networks mode=bssid4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\820ab7b6e8b795fe41ed18441a171bde\Admin@NCRNVAGW_en-US\Browsers\Mozilla\Firefox\Bookmarks.txtFilesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\820ab7b6e8b795fe41ed18441a171bde\Admin@NCRNVAGW_en-US\System\Process.txtFilesize
1KB
MD52ca81236e5413454c1824b651865bc9d
SHA1c7091ac6435d5bc95ff626caece5697a63ee182c
SHA2566eb611111082ad6cdf5fedac1110c001d31e01da922c055dd556b11b457085d5
SHA512f0438af72857885901532724a153fde1beeff0d2090afaa24a6df64a3fc1b5690a7fe885a30dc85d1412c452338b92f328ca0cbd9a96b75d6a99eb88e214330a
-
C:\Users\Admin\AppData\Local\820ab7b6e8b795fe41ed18441a171bde\Admin@NCRNVAGW_en-US\System\Process.txtFilesize
4KB
MD5122d692f25490286c16af82e63760456
SHA1fa3ff1ab1e75343f6d8efd658eab2976cdf3e889
SHA256c48a871064a193e0d159cd3f9eb5117c72af18524d39600253990dda7566cf8c
SHA512c8243364a55201b75caf8186ba3738a1df5830de0df75c4ff0991d5404873b9f1a3caa8054cb212f920523d05bf90c0125be3c10324535169b68b0d0ba37f1b2
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xu5rx2a.211.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/4348-14-0x0000014BB2B80000-0x0000014BB2BDA000-memory.dmpFilesize
360KB
-
memory/4348-13-0x0000014BCB190000-0x0000014BCB1A0000-memory.dmpFilesize
64KB
-
memory/4348-11-0x0000014BCB190000-0x0000014BCB1A0000-memory.dmpFilesize
64KB
-
memory/4348-15-0x0000014BDB890000-0x0000014BDB8EB000-memory.dmpFilesize
364KB
-
memory/4348-12-0x0000014BCB190000-0x0000014BCB1A0000-memory.dmpFilesize
64KB
-
memory/4348-19-0x00007FFDE7BA0000-0x00007FFDE8661000-memory.dmpFilesize
10.8MB
-
memory/4348-10-0x00007FFDE7BA0000-0x00007FFDE8661000-memory.dmpFilesize
10.8MB
-
memory/4348-20-0x0000014BDB890000-0x0000014BDB8EB000-memory.dmpFilesize
364KB
-
memory/4348-5-0x0000014BCB3B0000-0x0000014BCB3D2000-memory.dmpFilesize
136KB
-
memory/4444-26-0x00000185531A0000-0x0000018553328000-memory.dmpFilesize
1.5MB
-
memory/4444-171-0x0000018552D50000-0x0000018552D60000-memory.dmpFilesize
64KB
-
memory/4444-25-0x0000018553120000-0x0000018553196000-memory.dmpFilesize
472KB
-
memory/4444-23-0x0000018552D50000-0x0000018552D60000-memory.dmpFilesize
64KB
-
memory/4444-27-0x0000018552CE0000-0x0000018552CFE000-memory.dmpFilesize
120KB
-
memory/4444-32-0x000001853A3F0000-0x000001853A3FA000-memory.dmpFilesize
40KB
-
memory/4444-34-0x00007FFDE7BA0000-0x00007FFDE8661000-memory.dmpFilesize
10.8MB
-
memory/4444-22-0x00007FFDE7BA0000-0x00007FFDE8661000-memory.dmpFilesize
10.8MB
-
memory/4444-21-0x000001853A340000-0x000001853A356000-memory.dmpFilesize
88KB
-
memory/4444-24-0x0000018552D50000-0x0000018552D60000-memory.dmpFilesize
64KB
-
memory/4444-172-0x0000018552D50000-0x0000018552D60000-memory.dmpFilesize
64KB
-
memory/4444-173-0x0000018552D50000-0x0000018552D60000-memory.dmpFilesize
64KB
-
memory/4444-174-0x0000018552D50000-0x0000018552D60000-memory.dmpFilesize
64KB
-
memory/4444-181-0x0000018552D50000-0x0000018552D60000-memory.dmpFilesize
64KB
-
memory/4444-182-0x00007FFE05D90000-0x00007FFE05F85000-memory.dmpFilesize
2.0MB
-
memory/4444-187-0x0000018553790000-0x000001855380A000-memory.dmpFilesize
488KB
-
memory/4444-16-0x0000018538800000-0x0000018538816000-memory.dmpFilesize
88KB
-
memory/4444-222-0x0000018552D50000-0x0000018552D60000-memory.dmpFilesize
64KB
-
memory/4444-223-0x0000018552D50000-0x0000018552D60000-memory.dmpFilesize
64KB
-
memory/4444-224-0x00007FFE05D90000-0x00007FFE05F85000-memory.dmpFilesize
2.0MB