Overview

overview

10

Static

static

10

Shellbag analyzer.exe

windows10-1703-x64

10

Shellbag analyzer.exe

windows10-2004-x64

Analysis

  • max time kernel
    315s
  • max time network
    322s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-08-2024 18:08

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Shellbag analyzer.exe

  • Size

    247KB

  • MD5

    e5dc76743d789ff02bc6f747804fd327

  • SHA1

    b96c2778e123656266782da48f8b9a84918c8fc2

  • SHA256

    24e23f8bcdde00e6158591a10b0e195d525315fd4cabc0de541ac27f9c17f8bc

  • SHA512

    dc6fa31d3b12bf2786b76bbf74c7d2ef13e5f2a0b09082e693b004fad2efa67eef90cac7586ec43c64705dedcb57cebfd11c865b16706aac2452318842db700d

  • SSDEEP

    6144:iPEGPMVOrVbjlnwF9kfK8rpClz0KBb6o589GHWHWujiSPbp:iPEU9lhgBuj/PV

Score
10/10
asyncratdefaultbootkitdiscoveryevasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Attributes
  • delay

    1

  • install

    true

  • install_file

    update.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/hntWwyYn

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shellbag analyzer.exe
    "C:\Users\Admin\AppData\Local\Temp\Shellbag analyzer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4396
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3628
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6457.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4736
      • C:\Users\Admin\AppData\Roaming\update.exe
        "C:\Users\Admin\AppData\Roaming\update.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3144
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe"'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2020
            • C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe
              "C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe"
              6⤵
              • UAC bypass
              • Windows security bypass
              • Event Triggered Execution: Image File Execution Options Injection
              • Checks computer location settings
              • Executes dropped EXE
              • Windows security modification
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Writes to the Master Boot Record (MBR)
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3380
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe" /rl HIGHEST /f
                7⤵
                  PID:4428
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe'"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5100
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:1152

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Event Triggered Execution

      1
      T1546

      Image File Execution Options Injection

      1
      T1546.012

      Pre-OS Boot

      1
      T1542

      Bootkit

      1
      T1542.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Event Triggered Execution

      1
      T1546

      Image File Execution Options Injection

      1
      T1546.012

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      3
      T1562

      Disable or Modify Tools

      3
      T1562.001

      Modify Registry

      5
      T1112

      Pre-OS Boot

      1
      T1542

      Bootkit

      1
      T1542.003

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      3
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        6cf293cb4d80be23433eecf74ddb5503

        SHA1

        24fe4752df102c2ef492954d6b046cb5512ad408

        SHA256

        b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

        SHA512

        0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        64B

        MD5

        d8b9a260789a22d72263ef3bb119108c

        SHA1

        376a9bd48726f422679f2cd65003442c0b6f6dd5

        SHA256

        d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

        SHA512

        550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\GoldenEye.exe
        Filesize

        444KB

        MD5

        b9fc6e3e01054e805e0d9c06057e9ea6

        SHA1

        02d5867cc43677fcb636faa6dbd87b83dbabe2e7

        SHA256

        91efbbac5cbe753836ee1d898fed959cc7974b84f057a22251fe10fbfd3d426c

        SHA512

        6b1fe8d2e678dae1402584d67c2fb03472d678d72182ee130f24701ac709886ae2db91916ee45c87df9e3444310315eb14cd2a0607b222f130882d00b8f1c365

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f13txzp1.yzn.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp6457.tmp.bat
        Filesize

        150B

        MD5

        72f6d22a009f24b1df1794523b8a9b82

        SHA1

        0faa0edf2ba05cb3dc04265812521ef04a26cd25

        SHA256

        4c1303ae88c8f4bbe889b75cad22af9e8500f0ef5910be6ad1d6cf4a2c59ea08

        SHA512

        0d192907ef4acb42482c791ebab9b7503dd473a78b459742bb8958ca3d1f58e03cac4b8df8c419b4addbd57d1736bec25699a77d47fe4ca8f08c484d3cc5aaa2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
        Filesize

        8B

        MD5

        cf759e4c5f14fe3eec41b87ed756cea8

        SHA1

        c27c796bb3c2fac929359563676f4ba1ffada1f5

        SHA256

        c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

        SHA512

        c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\update.exe
        Filesize

        247KB

        MD5

        e5dc76743d789ff02bc6f747804fd327

        SHA1

        b96c2778e123656266782da48f8b9a84918c8fc2

        SHA256

        24e23f8bcdde00e6158591a10b0e195d525315fd4cabc0de541ac27f9c17f8bc

        SHA512

        dc6fa31d3b12bf2786b76bbf74c7d2ef13e5f2a0b09082e693b004fad2efa67eef90cac7586ec43c64705dedcb57cebfd11c865b16706aac2452318842db700d

        Download Submit

      • memory/1532-15-0x000000001AE50000-0x000000001AE60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1532-16-0x000000001C300000-0x000000001C31E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1532-17-0x000000001B0A0000-0x000000001B0AE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1532-14-0x000000001C380000-0x000000001C3F6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2020-24-0x000002C85A620000-0x000002C85A642000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2332-1-0x0000000000870000-0x00000000008B4000-memory.dmp

        Filesize

        272KB

        Download

      • memory/2332-8-0x00007FFD00300000-0x00007FFD00DC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2332-0-0x00007FFD00303000-0x00007FFD00305000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2332-3-0x00007FFD00300000-0x00007FFD00DC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3380-127-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-236-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-87-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-108-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-33-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-152-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-171-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-192-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-211-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-68-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-255-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-276-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-295-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-320-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-339-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-360-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3380-366-0x0000000000400000-0x0000000000597000-memory.dmp

        Filesize

        1.6MB

        Download