Malware Analysis Report

2024-10-23 19:28

Sample ID 240629-r7d36szcpa
Target 02c22994e069512f7218bebf1b99eca33cc1e00eecf0885716eb869d5e8399a9.zip
SHA256 6d68a4cf8b83ffa6cd2a09048eda8dfa6b3faf838aafa0ee554bb96dd8ae98e5
Tags execution asyncrat elsa3eed rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 6d68a4cf8b83ffa6cd2a09048eda8dfa6b3faf838aafa0ee554bb96dd8ae98e5

Threat Level: Known bad

The file 02c22994e069512f7218bebf1b99eca33cc1e00eecf0885716eb869d5e8399a9.zip was found to be: Known bad. The archive carries a PowerShell script of the same name, run with -ExecutionPolicy bypass. On the Windows 10 image (behavioral2) the script (PID 1196) starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe twice with no arguments, writes into both child processes and replaces the thread context of the second one (PID 4016), which is the WriteProcessMemory / SetThreadContext sequence of process hollowing; the AsyncRat signature matches in that run. The sandbox then recorded three TCP connections to workhard.servegame.org (193.26.115.78) on port 7077, consistent with AsyncRAT command-and-control on a dynamic-DNS host. On the Windows 7 image (behavioral1) the script ran but spawned no child process and produced no network traffic, so the payload was only observed on Windows 10.

Malicious Activity Summary

execution asyncrat elsa3eed rat

AsyncRat

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Execution: Command and Scripting Interpreter: PowerShell (T1059.001)

Analysis: static1

Detonation Overview

Reported 2024-06-29 14:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-29 14:49
Reported 2024-06-29 14:52
Platform win7-20231129-en
Max time kernel 120s
Max time network 121s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\02c22994e069512f7218bebf1b99eca33cc1e00eecf0885716eb869d5e8399a9.ps1

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\02c22994e069512f7218bebf1b99eca33cc1e00eecf0885716eb869d5e8399a9.ps1

Network

N/A

Files

memory/2936-4-0x000007FEF61EE000-0x000007FEF61EF000-memory.dmp

memory/2936-5-0x000000001B500000-0x000000001B7E2000-memory.dmp

memory/2936-6-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2936-8-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2936-7-0x00000000022D0000-0x00000000022D8000-memory.dmp

memory/2936-10-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2936-9-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2936-11-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2936-12-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2936-13-0x000007FEF61EE000-0x000007FEF61EF000-memory.dmp

memory/2936-14-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2936-15-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

memory/2936-16-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-29 14:49
Reported 2024-06-29 14:52
Platform win10v2004-20240611-en
Max time kernel 133s
Max time network 150s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\02c22994e069512f7218bebf1b99eca33cc1e00eecf0885716eb869d5e8399a9.ps1

Signatures

AsyncRat

rat asyncrat

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1196 set thread context of 4016 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1196 wrote to memory of 3688 (3 events) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1196 wrote to memory of 4016 (8 events) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
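The signature tables above record each WriteProcessMemory and SetThreadContext call as a separate row. The following script, added here as an example and not part of the sandbox's own tooling, folds those rows into one record per injector/target pair, so it is immediately visible that PID 3688 received three writes but never had its thread context replaced (an abandoned or failed hollowing attempt), while PID 4016 received eight writes followed by SetThreadContext (the hollowing that completed). It then ranks the memory dumps taken from the hollowed PID by region size, since the injected image is the small private region (0x400000-0x416000 here) rather than the multi-megabyte CLR mappings. The row text and dump names are taken from this report; the verdict labels and the "smallest region first" heuristic are the example's own assumptions.

```python
import re

# Image paths as they appear in the behavioral2 Processes section.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ASPNET_COMPILER = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

# Signature rows from the report: three writes into PID 3688, eight writes into
# PID 4016, one SetThreadContext on 4016. The Indicator column is always N/A.
SIGNATURE_ROWS = (
    [f"PID 1196 wrote to memory of 3688 N/A {POWERSHELL} {ASPNET_COMPILER}"] * 3
    + [f"PID 1196 wrote to memory of 4016 N/A {POWERSHELL} {ASPNET_COMPILER}"] * 8
    + [f"PID 1196 set thread context of 4016 N/A {POWERSHELL} {ASPNET_COMPILER}"]
)

# A subset of the Files section; the dump name encodes PID and region bounds.
DUMP_NAMES = [
    "memory/1196-0-0x00007FFD41B23000-0x00007FFD41B25000-memory.dmp",
    "memory/1196-11-0x00007FFD41B20000-0x00007FFD425E1000-memory.dmp",
    "memory/4016-14-0x0000000000400000-0x0000000000416000-memory.dmp",
    "memory/4016-19-0x0000000074D90000-0x0000000075540000-memory.dmp",
    "memory/4016-22-0x0000000005AC0000-0x0000000006064000-memory.dmp",
]

# Paths in this report contain no spaces, so \S+ is enough for the image columns.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P<indicator>\S+) (?P<process>\S+) (?P<target>\S+)$"
)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<lo>[0-9A-Fa-f]+)-0x(?P<hi>[0-9A-Fa-f]+)-memory\.dmp$"
)


def analyze_injection(rows):
    """Fold per-call signature rows into one record per (injector, target) pair."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised signature row: {row!r}")
        key = (int(m["src"]), int(m["dst"]))
        e = edges.setdefault(key, {
            "injector_pid": key[0], "target_pid": key[1],
            "injector": m["process"], "target": m["target"],
            "writes": 0, "set_thread_context": False,
        })
        if m["action"] == "wrote to memory of":
            e["writes"] += 1
        else:
            e["set_thread_context"] = True
    # Verdict labels are this example's own convention.
    for e in edges.values():
        if e["writes"] and e["set_thread_context"]:
            e["verdict"] = "completed"     # image written, then entry point redirected
        elif e["writes"]:
            e["verdict"] = "attempted"     # memory written, thread never redirected
        else:
            e["verdict"] = "context-only"  # SetThreadContext without observed writes
    return sorted(edges.values(), key=lambda e: (e["injector_pid"], e["target_pid"]))


def hollowed_pids(findings):
    """PIDs whose injection completed; these are the processes worth dumping."""
    return {e["target_pid"] for e in findings if e["verdict"] == "completed"}


def payload_dump_candidates(findings, dump_names):
    """Dumps taken from hollowed targets, smallest region first (heuristic: the
    injected image is a small private region, not a CLR or system DLL mapping)."""
    pids = hollowed_pids(findings)
    out = []
    for name in dump_names:
        m = DUMP_RE.match(name)
        if m and int(m["pid"]) in pids:
            out.append((name, int(m["hi"], 16) - int(m["lo"], 16)))
    return sorted(out, key=lambda t: t[1])


if __name__ == "__main__":
    findings = analyze_injection(SIGNATURE_ROWS)
    for e in findings:
        target = e["target"].split("\\")[-1]
        print(f"{e['injector_pid']} -> {e['target_pid']} ({target}): {e['writes']} writes, "
              f"SetThreadContext={e['set_thread_context']}, {e['verdict']}")
    for name, size in payload_dump_candidates(findings, DUMP_NAMES):
        print(f"{name}  {size:#x} bytes")
```

The first dump candidate it prints, memory/4016-14-0x0000000000400000-0x0000000000416000, is the 0x16000-byte region at the conventional image base of a 32-bit PE and is the one to carve and scan for the AsyncRAT configuration; the other 4016 dumps are the .NET runtime and its heaps.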

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\02c22994e069512f7218bebf1b99eca33cc1e00eecf0885716eb869d5e8399a9.ps1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
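The process tree above is the part of this run that is cheapest to detect on an endpoint: a PowerShell host started with an execution-policy bypass on a script in a user's Temp directory, then a .NET Framework utility launched with an empty argument list, which aspnet_compiler.exe never has in legitimate use. The following detection, added here as an example and not part of the report, runs two such rules over process-creation records in a Sysmon-like shape. Events 1 and 2 reproduce the command lines from this report; the parent of powershell.exe, the two benign control events, the list of scripting hosts and the list of commonly hollowed .NET utilities are this example's assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records. Events 1-2 carry the command lines from the
# behavioral2 Processes section; parents of event 1 and events 3-4 are assumed.
EVENTS = [
    {"pid": 1196, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\02c22994e069512f7218bebf1b99eca33cc1e00eecf0885716eb869d5e8399a9.ps1",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4016, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"',
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign control: a developer precompiling a site (real aspnet_compiler switches).
    {"pid": 5120, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" -v /MyApp -p C:\src\MyApp C:\build\MyApp',
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    # Benign control: a management script with bypass, but not from a user-writable path.
    {"pid": 6004, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Inventory\collect.ps1",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
]

# Assumed lists; extend for your environment.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOTNET_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                  "msbuild.exe", "csc.exe", "vbc.exe"}
DOTNET_DIR_RE = re.compile(r"\\microsoft\.net\\framework(64)?\\v[\d.]+\\", re.I)
BYPASS_RE = re.compile(r"-e\w*\s+bypass", re.I)            # -ExecutionPolicy / -ep / -ex bypass
FILE_RE = re.compile(r'-f\w*\s+(?:"([^"]+)"|(\S+))', re.I)  # -File <path> (quoted or bare)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def basename(path):
    return PureWindowsPath(path).name.lower()


def has_no_arguments(cmdline, image):
    """True when the command line is just the program, quoted or not."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        prog, rest = c[1:end], c[end + 1:]
    else:
        prog, _, rest = c.partition(" ")
    return rest.strip() == "" and basename(prog) == basename(image)


def rule_bypass_script_from_user_dir(ev):
    if basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if not BYPASS_RE.search(ev["cmdline"]):
        return None
    m = FILE_RE.search(ev["cmdline"])
    if not m:
        return None
    script = (m.group(1) or m.group(2)).lower()
    if script.endswith(".ps1") and any(d in script for d in USER_WRITABLE):
        return "PS-BYPASS-USERDIR"
    return None


def rule_dotnet_utility_no_args(ev):
    """A .NET Framework utility with no arguments, spawned by a scripting host:
    the shape of a process-hollowing host, as with aspnet_compiler.exe above."""
    if (basename(ev["image"]) in DOTNET_TARGETS
            and DOTNET_DIR_RE.search(ev["image"])
            and has_no_arguments(ev["cmdline"], ev["image"])
            and basename(ev["parent_image"]) in SCRIPT_HOSTS):
        return "DOTNET-HOLLOW-HOST"
    return None


RULES = (rule_bypass_script_from_user_dir, rule_dotnet_utility_no_args)


def detect(events):
    """Return (rule_tag, pid) for every record that matches a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            tag = rule(ev)
            if tag:
                hits.append((tag, ev["pid"]))
    return hits


if __name__ == "__main__":
    for tag, pid in detect(EVENTS):
        print(f"{tag}: pid {pid}")
```

Run as is it flags PID 1196 and PID 4016 and stays quiet on the two controls. The second rule is the stronger signal: in the Win10 run the first aspnet_compiler.exe child (PID 3688) would fire it too, so the alert arrives before the hollowing that actually succeeded.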

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | workhard.servegame.org | udp
US | 193.26.115.78:7077 | workhard.servegame.org | tcp
US | 8.8.8.8:53 | 78.115.26.193.in-addr.arpa | udp
US | 193.26.115.78:7077 | workhard.servegame.org | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 193.26.115.78:7077 | workhard.servegame.org | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
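Most of the Network table is background noise: reverse (in-addr.arpa) lookups of Microsoft address space and the bing.net telemetry fetch that Windows 10 performs on its own. The only sample-driven traffic is the A query for workhard.servegame.org followed by three TCP connections to 193.26.115.78:7077. The script below, added here as an example rather than output of the sandbox, parses the table rows, discards PTR lookups and resolver traffic, drops an assumed allowlist of Windows background hosts, and returns the remaining endpoints as IOCs, annotating whether the domain is in a free dynamic-DNS zone (servegame.org is a No-IP zone) and whether the trace also contains a reverse lookup of the C2 address. The benign and dynamic-DNS suffix lists and the Suricata sid are this example's assumptions; the rows are copied from this report.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral2 Network table (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 workhard.servegame.org udp
US 193.26.115.78:7077 workhard.servegame.org tcp
US 8.8.8.8:53 78.115.26.193.in-addr.arpa udp
US 193.26.115.78:7077 workhard.servegame.org tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 193.26.115.78:7077 workhard.servegame.org tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
""".splitlines()

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$"
)

# Assumed allowlist of Windows/sandbox background traffic; tune per environment.
BENIGN_SUFFIXES = (".bing.net", ".microsoft.com", ".windows.com", ".msftconnecttest.com")
# Free dynamic-DNS zones frequently used for RAT C2 (short assumed list).
DDNS_SUFFIXES = (".servegame.org", ".no-ip.org", ".ddns.net", ".hopto.org",
                 ".zapto.org", ".sytes.net", ".duckdns.org")


def parse_rows(rows):
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised network row: {row!r}")
        yield {"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
               "domain": m["domain"], "proto": m["proto"]}


def ptr_target(domain):
    """'78.115.26.193.in-addr.arpa' -> '193.26.115.78' (the address being looked up)."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def extract_iocs(rows):
    """Endpoints that survive the noise filters, one record per (domain, ip, port, proto)."""
    conns = defaultdict(int)
    reverse_lookups, queried = set(), set()
    for r in parse_rows(rows):
        if r["domain"].endswith(".in-addr.arpa"):
            reverse_lookups.add(ptr_target(r["domain"]))
            continue
        if r["port"] == 53:                  # resolver traffic: remember the name only
            queried.add(r["domain"])
            continue
        if r["domain"].endswith(BENIGN_SUFFIXES):
            continue
        conns[(r["domain"], r["ip"], r["port"], r["proto"])] += 1
    iocs = []
    for (domain, ip, port, proto), n in sorted(conns.items()):
        iocs.append({
            "domain": domain, "ip": ip, "port": port, "proto": proto, "connections": n,
            "resolved_in_trace": domain in queried,
            "dynamic_dns": domain.endswith(DDNS_SUFFIXES),
            "ptr_lookup_seen": ip in reverse_lookups,
        })
    return iocs


def suricata_rule(ioc, sid):
    """Minimal Suricata rule for the endpoint; sid is a local-range placeholder."""
    return (f'alert {ioc["proto"]} $HOME_NET any -> {ioc["ip"]} {ioc["port"]} '
            f'(msg:"AsyncRAT C2 {ioc["domain"]}"; classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for n, ioc in enumerate(extract_iocs(NETWORK_ROWS), start=1000001):
        print(ioc)
        print(suricata_rule(ioc, n))
```

The ptr_lookup_seen flag is worth keeping: the row 78.115.26.193.in-addr.arpa shows a reverse lookup of the C2 address itself, which is a useful pivot when the forward name rotates but the hosting IP does not.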

Files

memory/1196-0-0x00007FFD41B23000-0x00007FFD41B25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxitsjao.l3k.ps1 (created by PowerShell itself to probe AppLocker/script-policy enforcement at startup; not part of the sample)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1196-6-0x00000247AA150000-0x00000247AA172000-memory.dmp

memory/1196-11-0x00007FFD41B20000-0x00007FFD425E1000-memory.dmp

memory/1196-12-0x00007FFD41B20000-0x00007FFD425E1000-memory.dmp

memory/1196-13-0x00000247AA140000-0x00000247AA14C000-memory.dmp

memory/4016-14-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1196-17-0x00007FFD41B20000-0x00007FFD425E1000-memory.dmp

memory/4016-18-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

memory/4016-19-0x0000000074D90000-0x0000000075540000-memory.dmp

memory/4016-20-0x0000000004DB0000-0x0000000004E16000-memory.dmp

memory/4016-21-0x0000000005270000-0x000000000530C000-memory.dmp

memory/4016-22-0x0000000005AC0000-0x0000000006064000-memory.dmp

memory/4016-23-0x0000000005800000-0x0000000005892000-memory.dmp

memory/4016-24-0x00000000059A0000-0x00000000059AA000-memory.dmp

memory/4016-27-0x0000000006E90000-0x0000000006F06000-memory.dmp

memory/4016-28-0x0000000006F10000-0x0000000006FCC000-memory.dmp

memory/4016-29-0x0000000007010000-0x000000000702E000-memory.dmp

memory/4016-30-0x00000000070D0000-0x00000000070DA000-memory.dmp

memory/4016-31-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

memory/4016-32-0x0000000074D90000-0x0000000075540000-memory.dmp