Malware Analysis Report

2024-11-30 19:24

Sample ID 240917-s612zs1dlm
Target script.ps1
SHA256 0205d376e489e7a6238b4a0fcd5c4d14c89b7becb6d1ad9ee1e3c9eed4ba057e
Tags: execution, asyncrat, le's do it, agilenet, discovery, persistence, privilege_escalation, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0205d376e489e7a6238b4a0fcd5c4d14c89b7becb6d1ad9ee1e3c9eed4ba057e

Threat Level: Known bad

The file script.ps1 was found to be: Known bad.

Malicious Activity Summary

Tags: execution, asyncrat, le's do it, agilenet, discovery, persistence, privilege_escalation, rat

AsyncRat

Async RAT payload

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Event Triggered Execution: Component Object Model Hijacking

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-17 15:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-17 15:45

Reported: 2024-09-17 15:47

Platform: win7-20240729-en

Max time kernel: 120s

Max time network: 121s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www1.coulmandental.com | udp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp

Files

memory/2240-4-0x000007FEF5F0E000-0x000007FEF5F0F000-memory.dmp

memory/2240-5-0x000000001B880000-0x000000001BB62000-memory.dmp

memory/2240-6-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

memory/2240-7-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

memory/2240-8-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

memory/2240-9-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

memory/2240-10-0x000007FEF5F0E000-0x000007FEF5F0F000-memory.dmp

memory/2240-11-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-17 15:45

Reported: 2024-09-17 15:47

Platform: win10v2004-20240802-en

Max time kernel: 146s

Max time network: 148s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\RedroCrypt.dll" | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2672 wrote to memory of 2160 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 2672 wrote to memory of 2160 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\schtasks.exe
PID 3636 wrote to memory of 2016 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 3636 wrote to memory of 2016 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2016 wrote to memory of 2140 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2016 wrote to memory of 2140 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2016 wrote to memory of 2592 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2016 wrote to memory of 2592 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe
PID 2016 wrote to memory of 1924 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 1924 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 4172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 4172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4172 wrote to memory of 3776 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 4172 wrote to memory of 3776 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 4172 wrote to memory of 3776 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
PID 4172 wrote to memory of 3776 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn "Cloud OneDrive" /tr C:\ProgramData\Cloud\cloud.vbs

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\ProgramData\Cloud\cloud.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\ProgramData\Cloud\cloud.bat

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f

C:\Windows\system32\reg.exe

REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\RedroCrypt.dll /f

C:\Windows\system32\cmd.exe

cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Cloud\cloud.ps1"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe

"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | www1.coulmandental.com | udp
US | 34.192.83.212:443 | www1.coulmandental.com | tcp
US | 8.8.8.8:53 | 212.83.192.34.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 88.119.175.153:6606 | N/A | tcp
US | 8.8.8.8:53 | 153.175.119.88.in-addr.arpa | udp
US | 88.119.175.153:7707 | N/A | tcp

Files

memory/2672-0-0x00007FFF12E83000-0x00007FFF12E85000-memory.dmp

memory/2672-1-0x0000016256190000-0x00000162561B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzikvrmg.pwt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2672-11-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp

memory/2672-12-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp

memory/2672-13-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp

memory/2672-14-0x00007FFF12E83000-0x00007FFF12E85000-memory.dmp

memory/2672-15-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp

memory/2672-16-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp

memory/2672-17-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp

memory/2672-18-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp

memory/2672-24-0x00007FFF12E80000-0x00007FFF13941000-memory.dmp

C:\ProgramData\Cloud\cloud.vbs

MD5 7079642a22a106d0ed6f227cc70899ae
SHA1 60dd57af3518c0ea4104379ad233b5982b231283
SHA256 b098e1055dc3dd3156236ee515e5dfbefd746d84578197f2309968625b831724
SHA512 ca1e9e201785fa611520ee2585208fb0684fd338ff1ab1d515523e03677ac4ac1ca5353fdc17bcba4c6c39aa37f9be182c5f7187b8dd9520c8604a001bd69f80

C:\ProgramData\Cloud\cloud.bat

MD5 b8bdfc7895feaaacba3711d17be6778a
SHA1 fa0bc12827b348fe540a13683897deb207650df7
SHA256 e209153dda335fec8fa021f1022c4f9fe041cb527c2b9068eb9ec911429f20a3
SHA512 ea91a8262eacba0bcd6f692b5141124d7fedc98507ad6ab71ade565b347fe328780221f6972cc5c98a9471662474bf8c93e1219d241ff5f90579f7f8e8dd5156

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8d089c855358969266a3275f0ec4f955
SHA1 5ce30b598cfa0c2008541b1b549673401971dc3d
SHA256 e198883dc78657f44bae11e2de5f56bc0f41eb6440f73cd3d65c30878b858734
SHA512 f240dcfc7adcca3140cdc2f8f387ac2053a7fd6e5e474a4008cf38d03506f99e361a5d6e970480ab1155ad00531b9d9095ed2a502ad09e7e442cdf7bcf932320

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 42b7ab0c240de015a6a2f37b29c597f6
SHA1 455080ab90806f5e652ac531bea9eeeab71d4a15
SHA256 23662fb60d285043bfb6005ebdefee2251916e5d370e809a0a162c1cd56e2f38
SHA512 26b123c53670f62d56396eec12ace802a352838f54b11b172a214196ac71fc16b132c2fc10b1e6f15fde31ca122acb9339f74f0b7dc1879daf4a816a3d6f835f

C:\ProgramData\Cloud\cloud.ps1

MD5 d93d9d8d63201a2e547d4e1dde62d6d7
SHA1 5a2273543ad08d5f749c9c7ee60e0b703548b8e7
SHA256 f5811cd347fc2f2d538625c468ae7ecbd8d0c18db495b9d3701204f7a13a527e
SHA512 59de80b3ce3e5406a8e1f2544fabb50a7d95b037143652fc0084b8bfe864337e0d4ab3cd14ef3c8249944bdccf9e27dce3471d955fac278ff45a68d32320e699

memory/4172-39-0x00000226A0C90000-0x00000226A0C9E000-memory.dmp

memory/3776-40-0x0000000000740000-0x0000000000758000-memory.dmp

memory/3776-42-0x0000000004E80000-0x0000000004E96000-memory.dmp

memory/3776-43-0x00000000057A0000-0x0000000005D44000-memory.dmp

memory/3776-44-0x0000000005390000-0x0000000005422000-memory.dmp

memory/3776-45-0x0000000005430000-0x000000000543A000-memory.dmp

memory/3776-46-0x0000000006090000-0x000000000612C000-memory.dmp

memory/3776-47-0x0000000006130000-0x0000000006196000-memory.dmp