Overview

overview

10

Static

static

1

job.ps1

windows7-x64

10

job.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-12-2024 07:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    job.ps1

  • Size

    30.6MB

  • MD5

    f01f7141f5dcb2161ee0701949f91e70

  • SHA1

    28d2427ee1cd5f4c2a17f020bfaea95daece07d6

  • SHA256

    68225e21f08b08bd1890e8e0a5d1b379cd9692a2c4a43bffd7ea6bee5e5b409d

  • SHA512

    6cd177e2d4b385365eb9f549d2f869f1a40483e1c8a4fe0655146c7ca28090cdf14ac9c2a8a1cb7c385f6f824fe2da422b1714cb2ca851a0d1a18cb3be2a31e1

  • SSDEEP

    49152:/0p9Wz0S8ygXipUpxf2H21a1RFvpB8ciXBXsdO6QKUP+Vzfcw3S6T3G4n/1kbC9z:5

Score
10/10
asyncratstormkittyvenomratdiscoveryexecutionpersistenceratstealer

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 3 IoCs
  • Stormkitty family
    stormkitty
  • VenomRAT 3 IoCs

    Detects VenomRAT.

    rat
  • Venomrat family
    venomrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\job.ps1
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Creative Brift Marketing Sneaker Daily Deal.pdf"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2132
    • C:\Users\Public\Downloads\ChromeServices\ChromeServices.exe
      "C:\Users\Public\Downloads\ChromeServices\ChromeServices.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    8cdddd0a051c53d9e3bf4b28273f04bc

    SHA1

    11b5279d64dd614d3613899cfc8840a7fa12165c

    SHA256

    d07a494c835c2a6d0f5ef9fb721050c7751358101f0422e4fce1af0680f21baf

    SHA512

    b7b38f84c803e2b0e16c7a76b159ca415ea1465e1c9612c04b65f476855396ccc4b259019f604c9abe843a227e030008d61b06c8ce8bcf99abe0ce7659e66011

    Download Submit

  • C:\Users\Admin\Downloads\Creative Brift Marketing Sneaker Daily Deal.pdf
    Filesize

    91KB

    MD5

    897417cce1edbd4222c6c8c5e0f1f7c8

    SHA1

    c52b4982eecbcc5e5491fac2aaf4d2fbbda1335c

    SHA256

    28b4bdc732553037551c304fe459634011011be7dcc4ed81979d4a07647e7cc8

    SHA512

    63b484dfc9ecaa485c666ec463113e1a5fa608283e993a1761d1ed905634602090339e68ea9e87616ed7c3a645538ba0d9e50427e62a4b646558bc57122cd4e5

    Download Submit

  • C:\Users\Public\Downloads\ChromeServices\concrt140e.dll
    Filesize

    3.0MB

    MD5

    aab7a3b67b71bf0439627158323b502e

    SHA1

    db7eae4731c4749d21c6cc54a364bcf20c04934c

    SHA256

    39c9693c36f38a1b691eb3584c18f8550c08eb6a983c46cd46b476c8126ce8cc

    SHA512

    543fbb82d5e73c3df0dd19f4b71a2c19b78b3250192be5c1191a0c4d53348ca84fd975dbc938226b67a1aab9dcdeb2aa16eb8c39982215aef2bb6f857f2cf162

    Download Submit

  • C:\Users\Public\Downloads\ChromeServices\libpsl-5.dll
    Filesize

    2.8MB

    MD5

    ebcf17abb78a21d5f3904c00a60e1e0a

    SHA1

    ec6525d3de6ebd4eedb8193707f24aba232581d7

    SHA256

    1099a52ceec00e3db7f704c5f0cea8c23af02490ade25243b7c90f1e870c2614

    SHA512

    5b965213f03406a22d9ffcfd18a716fee8851ca366960b888631f695fc74daf9dc33276004f00ef6df5ec5513a7409446d1104dbb3c872e614efbf2cdbd04fbd

    Download Submit

  • \Users\Public\Downloads\ChromeServices\ChromeServices.exe
    Filesize

    67KB

    MD5

    d82b8f0cb601039af7c1968b0c92d09f

    SHA1

    b0105f082e10791e6703abbc064904be073dc79b

    SHA256

    962c0f879de9a12a78ea81536e7223ec7a7c8a9d5828871b6fdd26e649401755

    SHA512

    be063f8590951e8d4b6f1e69cac57a95d90d3ab96576545afe4141979d376c322047d0b73169140b22ef6d24a7e9c5b4fe09771a4fedfd36ce544befafa65e33

    Download Submit

  • memory/1392-54-0x000000013FC50000-0x000000013FC64000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2092-10-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2092-6-0x0000000001DC0000-0x0000000001DC8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2092-5-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2092-7-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2092-45-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2092-9-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2092-4-0x000007FEF575E000-0x000007FEF575F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2092-50-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2092-8-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2504-53-0x0000000000400000-0x0000000000704000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2504-52-0x0000000000400000-0x0000000000704000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2504-51-0x0000000000400000-0x0000000000704000-memory.dmp

    Filesize

    3.0MB

    Download