Overview

overview

10

Static

static

1

path.ps1

windows7-x64

8

path.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-10-2024 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    path.ps1

  • Size

    645B

  • MD5

    c8663c0dac27dabd209055ed1a8263b2

  • SHA1

    ad5d2dc5d44e4f93cfa2eee100f87397de515eae

  • SHA256

    3c7a7468940f46f5d152d8f28cd0b1380825deb8ce42bdddf2ea3f7270972790

  • SHA512

    1b5eb9d74de64f39ad70673882547195a672dbb235d958adc40d3829ba5e18b5c0900ea7537244ea74fe019209a3d946ab1fe4cd457b1854a514a3adeab406c3

Score
10/10
asyncratexecutionrat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\path.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Public\kkgno5j1.bat
      "C:\Users\Public\kkgno5j1.bat"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\Admin\AppData/Roaming/8MWq.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{44C048C0-8C04-4C04-C8C4-44888048C8C4}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
      • C:\Windows\system32\regsvr32.exe
        "regsvr32" /s /i:INSTALL C:\Users\Admin\AppData/Roaming/8MWq.ini
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:2836
    • C:\Users\Admin\AppData\Local\Temp\utox_x86_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\utox_x86_x64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2736
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x534 0x544
    1⤵
      PID:3316
    • C:\Windows\system32\regsvr32.EXE
      C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\Admin\AppData/Roaming/8MWq.ini
      1⤵
      • Loads dropped DLL
      PID:1080
    • C:\Windows\system32\regsvr32.EXE
      C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\Admin\AppData/Roaming/8MWq.ini
      1⤵
      • Loads dropped DLL
      PID:4352

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      fee026663fcb662152188784794028ee

      SHA1

      3c02a26a9cb16648fad85c6477b68ced3cb0cb45

      SHA256

      dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

      SHA512

      7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      ac902dcb52cf1e5b64743d0ed0635dbd

      SHA1

      f88a91c878f35374a7f7264de1594f3e1a4492b8

      SHA256

      3b31733ba1fbf536fd9c7c1641dc7b6f956b299838524955d9209f2d33fe5b24

      SHA512

      13fa35c6ff7857ab8051ab4e618e119de197d85b0bf8fa53eae70fe4e12003ff554c63d1618ffee1b19da8183172a37f0f686a9664012e3c1241f0b648bef13e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ceuudn3c.40q.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\utox_x86_x64.exe
      Filesize

      4.7MB

      MD5

      e9679980aa73cfc7cf00f3da7949c661

      SHA1

      53ba9e3a3a10ae0e72df4b3632d8d4135eb540b6

      SHA256

      d7bd224b2ef0014c679046c917becfface5f5aba2fbdb7dd3c17fe964c3cee97

      SHA512

      002aac023e1bbe3bbbf153ebc5462970aa98c84badea6bc1b8d333c98a5ed91540928b8848a9928607e12c0a1296a12424b2c2b0753e23afeb537249f04db8bc

      Download Submit

    • C:\Users\Admin\AppData\Roaming\8MWq.ini
      Filesize

      552KB

      MD5

      3215cd0c5b1a3c9fa3507e56d987372e

      SHA1

      b0ebbccae5b02e287eafceac9d7d69785928c0df

      SHA256

      8e5abd89e9823c6be5c6d149f15434fb84760a008f2034a0d17f8c0094f738cf

      SHA512

      ab32f2e6c72f46afa16edf7dd4f7f2df684751f94b7e2b81452e2af7ceae29888ff93ce55bd0007df4168f7f42588ebcdc553c1c724962aa37603ec1b7ad2cf0

      Download Submit

    • C:\Users\Public\kkgno5j1.bat
      Filesize

      794KB

      MD5

      95a6d287978fa62ad30f26bae7aec73b

      SHA1

      759461ef978d1fc7d8a0571980b0065b51a61531

      SHA256

      48980f70da16b59927768b0e3a4d56c8c98e129f05f7f26b81847ffede708428

      SHA512

      4b2c702d64893804a803e4414ef22d4eaa8fbb95678d1b9011a46dd5c94fb7d1945cfe49a67dc345f6260f7ee23f4ca6601a60634e977b6b84ca9d02072c6003

      Download Submit

    • memory/2736-194-0x0000000000400000-0x000000000097B000-memory.dmp

      Filesize

      5.5MB

      Download

    • memory/2736-187-0x0000000000400000-0x000000000097B000-memory.dmp

      Filesize

      5.5MB

      Download

    • memory/2736-191-0x0000000000400000-0x000000000097B000-memory.dmp

      Filesize

      5.5MB

      Download

    • memory/2736-197-0x0000000000400000-0x000000000097B000-memory.dmp

      Filesize

      5.5MB

      Download

    • memory/2736-200-0x0000000000400000-0x000000000097B000-memory.dmp

      Filesize

      5.5MB

      Download

    • memory/2748-29-0x00007FFCC1A60000-0x00007FFCC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2748-30-0x00007FFCC1A60000-0x00007FFCC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2748-31-0x00007FFCC1A60000-0x00007FFCC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2748-37-0x00007FFCC1A60000-0x00007FFCC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2836-185-0x000000001BAA0000-0x000000001BAE8000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2836-188-0x00007FFCBC420000-0x00007FFCBC4B1000-memory.dmp

      Filesize

      580KB

      Download

    • memory/2944-18-0x00007FFCC1A60000-0x00007FFCC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2944-179-0x00007FFCC1A60000-0x00007FFCC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2944-19-0x00007FFCC1A60000-0x00007FFCC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2944-0-0x00007FFCC1A63000-0x00007FFCC1A65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2944-12-0x00007FFCC1A60000-0x00007FFCC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2944-11-0x00007FFCC1A60000-0x00007FFCC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2944-1-0x0000021549E30000-0x0000021549E52000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4832-186-0x00007FF6B7ED0000-0x00007FF6B7F9E000-memory.dmp

      Filesize

      824KB

      Download