Overview

overview

10

Static

static

1

ea6776496b...da.ps1

windows7-x64

3

ea6776496b...da.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 18:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea6776496baaaa60c2825e976eeec430330246f54ad0d09ba0b05f64c19eb9da.ps1

  • Size

    440KB

  • MD5

    014f46936a5c013b91321a8278cea9b9

  • SHA1

    2be8ba3d4305a4abac91939e7baff191b0fe9173

  • SHA256

    ea6776496baaaa60c2825e976eeec430330246f54ad0d09ba0b05f64c19eb9da

  • SHA512

    93192da9d97f1d63d3e4e6287af0c1dd2b793af9b0b019d39116a384a1008a03d62daadfdcfbdeffa098581e630a39fb5145bd45020d90bf55955c284b96e781

  • SSDEEP

    1536:wUdAHeDN4NDabDzuCO4dfk2/o8wKhqydCZFy07GOQnAW9xrH8LtndfP9wRpnRvLQ:woF0tUVK7muzD5P6qAhTiNXY9E

Score
10/10
asyncratmado-marcodiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

MADO-Marco

Mutex

AsyncMutex_alosh

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/yWgaKKwH

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ea6776496baaaa60c2825e976eeec430330246f54ad0d09ba0b05f64c19eb9da.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1244
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:796
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3124
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    f41839a3fe2888c8b3050197bc9a0a05

    SHA1

    0798941aaf7a53a11ea9ed589752890aee069729

    SHA256

    224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

    SHA512

    2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    5a5d36097cd718a22566b74e85169830

    SHA1

    8f6f081ad9805c2cf6e0aa758bc2ecd09b43f7da

    SHA256

    8a35c57140b26bc959e419da91fc28b51aa2d692ddc60db87c740ed3d460b1d1

    SHA512

    11f4598791abf655485fed63ee1aba1ba244fca247693e4de9f6420a8d81b0eb965e6ae011b472f00fd3070d44f35ac7350dea1366c310e811cb16fbfc76dfa1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cnh430kv.rzx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Public\Music\TvMusic.music
    Filesize

    436KB

    MD5

    8bb7707b59cfc368db57d7c4920afc06

    SHA1

    e632082dec19c627afb2f2ed8f7e9418739e4d7e

    SHA256

    4a81d32d170e24d97baa57977ba8a2c3a792bb0c9b61e9d121bbef0baf8bb8f9

    SHA512

    ff4b336d986359f582342ade28ffa030288ffe4ad77914a6f1a8ea4bf63c6e0fdf3b44d09baa7557db2d9bd5ebedd3808ebc01fd279ade602d1c4a0581f485ae

    Download Submit

  • C:\Users\Public\Music\TvMusic.vbs
    Filesize

    229B

    MD5

    66a1516e1d1e821084441211567d2e87

    SHA1

    0e688c9a93ad2cc162ef48ca75e0148e69d95ab1

    SHA256

    d57293641ff05fea6af21fb73a4064eca49e5979f2395305bdea2a00a5de6717

    SHA512

    1b77505b03a4a9c2c9437fbb94e828f34ed5b74187a258443af778b9450dc346e7027267e4ad6d33ff96c4036d936eba9dee05efbe136678bec6d0f7b68ecf12

    Download Submit

  • memory/796-30-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/796-38-0x0000000005EE0000-0x0000000005F46000-memory.dmp

    Filesize

    408KB

    Download

  • memory/796-37-0x0000000006420000-0x00000000069C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/796-36-0x0000000005A70000-0x0000000005B0C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1244-33-0x00007FF91EF03000-0x00007FF91EF05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1244-0-0x00007FF91EF03000-0x00007FF91EF05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1244-17-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-12-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-39-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-40-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-41-0x000002767F7B0000-0x000002767F972000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1244-42-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-43-0x000002761B240000-0x000002761B768000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1244-11-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-10-0x000002767F5B0000-0x000002767F5D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1244-47-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1712-29-0x000002304DC90000-0x000002304DC9C000-memory.dmp

    Filesize

    48KB

    Download