Analysis Overview
SHA256
0205d376e489e7a6238b4a0fcd5c4d14c89b7becb6d1ad9ee1e3c9eed4ba057e
Threat Level: Known bad
The file script.ps1 was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Event Triggered Execution: Component Object Model Hijacking
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-17 15:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-17 15:45
Reported
2024-09-17 15:47
Platform
win7-20240729-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www1.coulmandental.com | udp |
| US | 34.192.83.212:443 | www1.coulmandental.com | tcp |
| US | 34.192.83.212:443 | www1.coulmandental.com | tcp |
Files
memory/2240-4-0x000007FEF5F0E000-0x000007FEF5F0F000-memory.dmp
memory/2240-5-0x000000001B880000-0x000000001BB62000-memory.dmp
memory/2240-6-0x0000000001EC0000-0x0000000001EC8000-memory.dmp
memory/2240-7-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
memory/2240-8-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
memory/2240-9-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
memory/2240-10-0x000007FEF5F0E000-0x000007FEF5F0F000-memory.dmp
memory/2240-11-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-17 15:45
Reported
2024-09-17 15:47
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\RedroCrypt.dll" | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn "Cloud OneDrive" /tr C:\ProgramData\Cloud\cloud.vbs
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Cloud\cloud.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Cloud\cloud.bat
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\RedroCrypt.dll /f
C:\Windows\system32\cmd.exe
cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www1.coulmandental.com | udp |
| US | 34.192.83.212:443 | www1.coulmandental.com | tcp |
| US | 8.8.8.8:53 | 212.83.192.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 88.119.175.153:6606 | tcp | |
| US | 8.8.8.8:53 | 153.175.119.88.in-addr.arpa | udp |
| US | 88.119.175.153:7707 | tcp |
Files
memory/2672-0-0x00007FFF12E83000-0x00007FFF12E85000-memory.dmp
memory/2672-1-0x0000016256190000-0x00000162561B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzikvrmg.pwt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2672-11-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp
memory/2672-12-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp
memory/2672-13-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp
memory/2672-14-0x00007FFF12E83000-0x00007FFF12E85000-memory.dmp
memory/2672-15-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp
memory/2672-16-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp
memory/2672-17-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp
memory/2672-18-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp
memory/2672-24-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp
C:\ProgramData\Cloud\cloud.vbs
| MD5 | 7079642a22a106d0ed6f227cc70899ae |
| SHA1 | 60dd57af3518c0ea4104379ad233b5982b231283 |
| SHA256 | b098e1055dc3dd3156236ee515e5dfbefd746d84578197f2309968625b831724 |
| SHA512 | ca1e9e201785fa611520ee2585208fb0684fd338ff1ab1d515523e03677ac4ac1ca5353fdc17bcba4c6c39aa37f9be182c5f7187b8dd9520c8604a001bd69f80 |
C:\ProgramData\Cloud\cloud.bat
| MD5 | b8bdfc7895feaaacba3711d17be6778a |
| SHA1 | fa0bc12827b348fe540a13683897deb207650df7 |
| SHA256 | e209153dda335fec8fa021f1022c4f9fe041cb527c2b9068eb9ec911429f20a3 |
| SHA512 | ea91a8262eacba0bcd6f692b5141124d7fedc98507ad6ab71ade565b347fe328780221f6972cc5c98a9471662474bf8c93e1219d241ff5f90579f7f8e8dd5156 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8d089c855358969266a3275f0ec4f955 |
| SHA1 | 5ce30b598cfa0c2008541b1b549673401971dc3d |
| SHA256 | e198883dc78657f44bae11e2de5f56bc0f41eb6440f73cd3d65c30878b858734 |
| SHA512 | f240dcfc7adcca3140cdc2f8f387ac2053a7fd6e5e474a4008cf38d03506f99e361a5d6e970480ab1155ad00531b9d9095ed2a502ad09e7e442cdf7bcf932320 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 42b7ab0c240de015a6a2f37b29c597f6 |
| SHA1 | 455080ab90806f5e652ac531bea9eeeab71d4a15 |
| SHA256 | 23662fb60d285043bfb6005ebdefee2251916e5d370e809a0a162c1cd56e2f38 |
| SHA512 | 26b123c53670f62d56396eec12ace802a352838f54b11b172a214196ac71fc16b132c2fc10b1e6f15fde31ca122acb9339f74f0b7dc1879daf4a816a3d6f835f |
C:\ProgramData\Cloud\cloud.ps1
| MD5 | d93d9d8d63201a2e547d4e1dde62d6d7 |
| SHA1 | 5a2273543ad08d5f749c9c7ee60e0b703548b8e7 |
| SHA256 | f5811cd347fc2f2d538625c468ae7ecbd8d0c18db495b9d3701204f7a13a527e |
| SHA512 | 59de80b3ce3e5406a8e1f2544fabb50a7d95b037143652fc0084b8bfe864337e0d4ab3cd14ef3c8249944bdccf9e27dce3471d955fac278ff45a68d32320e699 |
memory/4172-39-0x00000226A0C90000-0x00000226A0C9E000-memory.dmp
memory/3776-40-0x0000000000740000-0x0000000000758000-memory.dmp
memory/3776-42-0x0000000004E80000-0x0000000004E96000-memory.dmp
memory/3776-43-0x00000000057A0000-0x0000000005D44000-memory.dmp
memory/3776-44-0x0000000005390000-0x0000000005422000-memory.dmp
memory/3776-45-0x0000000005430000-0x000000000543A000-memory.dmp
memory/3776-46-0x0000000006090000-0x000000000612C000-memory.dmp
memory/3776-47-0x0000000006130000-0x0000000006196000-memory.dmp