Overview

overview

10

Static

static

1

0969731d32...b2.ps1

windows7-x64

3

0969731d32...b2.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 01:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0969731d32678ac6f0be0896d03b2eb382d2dcd54645e55c621ea6152ebce8b2.ps1

  • Size

    440KB

  • MD5

    93bfb747191ea031f60faf9b15e7d43b

  • SHA1

    4fa4a763f1c7f4436b869eb2959542e0d966bb88

  • SHA256

    0969731d32678ac6f0be0896d03b2eb382d2dcd54645e55c621ea6152ebce8b2

  • SHA512

    b34e3dbdb6bcd089dc9df23d22344f0644ffdbebe79e8ae99ff13e07cfacf93df64ca3a77b1341fd4f02a485965630c129634a66446952c27a25a09c421bd281

  • SSDEEP

    1536:wUdAHeDN4NDabDzuCO4dfk2EJdMFXa/3qYrYUF1rGs4UPDc+dl3Cz6nKd35rmDex:w/XrXFWHlFHhfu88C

Score
10/10
asyncratnew-encryptdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

New-Encrypt

Mutex

AsyncMutex_alosh

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/M1nmWeTA

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0969731d32678ac6f0be0896d03b2eb382d2dcd54645e55c621ea6152ebce8b2.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2756
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4060
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3376
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4648
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4544
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Public\Music\TvMusic.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $usefont='ReadAllText';$resberrys='C:\Users\Public\Music\TvMusic.music';IEx([IO.File]::$usefont($resberrys))
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
          PID:3088
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          3⤵
            PID:3820
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2828

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        f41839a3fe2888c8b3050197bc9a0a05

        SHA1

        0798941aaf7a53a11ea9ed589752890aee069729

        SHA256

        224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

        SHA512

        2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        9bb49da19215c64f6b00468e04d68d57

        SHA1

        2a674ef233db152541b5a3e01ffd8d2477babdaf

        SHA256

        e7add962b0f5b3798fc22df547b06506a5b647f7ac65c84b27184cbb8cb48f01

        SHA512

        09bd1b16c4d5dbce809593d1d2f5458d678496f610c7e5accd6475b3d0be3fd195711b0a40904ed974e5d1663856b38f9ffe5f67adfcdb3afb6c098310da711c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        75ceacfce03c5a5e09954f2aa55b1e3b

        SHA1

        70c5515e12678a043e3c624d91f070181bb70a31

        SHA256

        b72ed6a01752483eab4544a27801dc5e5d9f7d8295a9c3d39bcb5cd51319dace

        SHA512

        cb2d700bdf3713cc24cfc70f188e5a5a78292d65e240400fbaf1beafd86dd9cb6b6aa67c0a38aafb9e9509511c72ced1bc0dec872cb1ba3cb3b99dbf3c5f5629

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ouq51mb.v0b.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Public\Music\TvMusic.music
        Filesize

        436KB

        MD5

        699160a16bdf0536e0fa69adcbab1e19

        SHA1

        ae8a6be22f05e119e7031edc79fb4a21f1268500

        SHA256

        4e7889d60aa6df54e7b646e8ba30befa9bba6ddfca3ac1a5894429e0caa86295

        SHA512

        bf2b94320790d54a3c30a57a34877f5d5d55e918943f1180fef50901b86b61e1bd48dd8c7af0a1a82de7f0b0e2af7b65dc6471fc616846c4260811c2ddc5c145

        Download Submit

      • C:\Users\Public\Music\TvMusic.vbs
        Filesize

        229B

        MD5

        66a1516e1d1e821084441211567d2e87

        SHA1

        0e688c9a93ad2cc162ef48ca75e0148e69d95ab1

        SHA256

        d57293641ff05fea6af21fb73a4064eca49e5979f2395305bdea2a00a5de6717

        SHA512

        1b77505b03a4a9c2c9437fbb94e828f34ed5b74187a258443af778b9450dc346e7027267e4ad6d33ff96c4036d936eba9dee05efbe136678bec6d0f7b68ecf12

        Download Submit

      • memory/2756-33-0x00007FFD9EAD3000-0x00007FFD9EAD5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2756-41-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2756-11-0x000001DB29B70000-0x000001DB29B92000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2756-46-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2756-0-0x00007FFD9EAD3000-0x00007FFD9EAD5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2756-34-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2756-10-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2756-12-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2756-42-0x000001DB2A870000-0x000001DB2AD98000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2756-40-0x000001DB2A170000-0x000001DB2A332000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2756-17-0x00007FFD9EAD0000-0x00007FFD9F591000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3376-39-0x00000000062C0000-0x0000000006326000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3376-38-0x0000000006800000-0x0000000006DA4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3376-37-0x0000000005F80000-0x000000000601C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3376-30-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

        Download

      • memory/4060-29-0x0000027B49A10000-0x0000027B49A1C000-memory.dmp

        Filesize

        48KB

        Download