Analysis
Max time kernel: 149s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-12-2024 11:35

- Static task static1
- Behavioral task behavioral1: sample 1.ps1, resource win7-20240903-en
- Behavioral task behavioral2: sample 1.ps1, resource win10v2004-20241007-en
- Behavioral task behavioral3: sample 2.ps1, resource win7-20240708-en
- Behavioral task behavioral4: sample 2.ps1, resource win10v2004-20241007-en
General
Target: 1.ps1
Size: 257KB
MD5: fa9de551f6fd38a4b04e3207e08e846c
SHA1: 2ef8eb4e82ce9f52e5fa61e04fec1f9b92230903
SHA256: f8dae9c1f9c629a6811c6b2fc648b8f952a0331a1d5c04005808b4daeeae93fb
SHA512: ed8024a8279f3ac1a4d4b3be7214b9ec0d429a7228ea126e298034c4952e0ce048f7c83d4e0aab0760701653a0a77aea82cd94ae5b59161cae811a93c212c3ce
SSDEEP: 6144:JRQRmeIR/ENCsOFAjL3vTV8MG0NsPSSzQw6ACnfRFG5jS:zXiL7XvLw6Ak6W
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: 29/7
C2: vvat22.con-ip.com:7707
Mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures

Asyncrat family

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2748 | 4616 | pOwErshEll.exe | 86

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run PowerShell and hide display window.
  pid | Process
  2912 | powershell.exe
  4724 | powershell.exe
  3908 | powershell.exe
  2748 | pOwErshEll.exe

Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2912 set thread context of 2440 | 2912 | powershell.exe | 95
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aspnet_compiler.exe
Modifies registry class (4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | reg.exe

Modifies registry key (1 TTP, 2 IoCs)
  pid | Process
  2604 | reg.exe
  2744 | reg.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  4724 | powershell.exe
  4724 | powershell.exe
  3908 | powershell.exe
  3908 | powershell.exe
  2748 | pOwErshEll.exe
  2748 | pOwErshEll.exe
  2912 | powershell.exe
  2912 | powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4724 | powershell.exe
  Token: SeDebugPrivilege | 3908 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3908 | powershell.exe
  Token: SeSecurityPrivilege | 3908 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3908 | powershell.exe
  Token: SeLoadDriverPrivilege | 3908 | powershell.exe
  Token: SeSystemProfilePrivilege | 3908 | powershell.exe
  Token: SeSystemtimePrivilege | 3908 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 3908 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 3908 | powershell.exe
  Token: SeCreatePagefilePrivilege | 3908 | powershell.exe
  Token: SeBackupPrivilege | 3908 | powershell.exe
  Token: SeRestorePrivilege | 3908 | powershell.exe
  Token: SeShutdownPrivilege | 3908 | powershell.exe
  Token: SeDebugPrivilege | 3908 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 3908 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 3908 | powershell.exe
  Token: SeUndockPrivilege | 3908 | powershell.exe
  Token: SeManageVolumePrivilege | 3908 | powershell.exe
  Token: 33 | 3908 | powershell.exe
  Token: 34 | 3908 | powershell.exe
  Token: 35 | 3908 | powershell.exe
  Token: 36 | 3908 | powershell.exe
  Token: SeDebugPrivilege | 2748 | pOwErshEll.exe
  Token: SeIncreaseQuotaPrivilege | 3908 | powershell.exe
  Token: SeSecurityPrivilege | 3908 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3908 | powershell.exe
  Token: SeLoadDriverPrivilege | 3908 | powershell.exe
  Token: SeSystemProfilePrivilege | 3908 | powershell.exe
  Token: SeSystemtimePrivilege | 3908 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 3908 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 3908 | powershell.exe
  Token: SeCreatePagefilePrivilege | 3908 | powershell.exe
  Token: SeBackupPrivilege | 3908 | powershell.exe
  Token: SeRestorePrivilege | 3908 | powershell.exe
  Token: SeShutdownPrivilege | 3908 | powershell.exe
  Token: SeDebugPrivilege | 3908 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 3908 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 3908 | powershell.exe
  Token: SeUndockPrivilege | 3908 | powershell.exe
  Token: SeManageVolumePrivilege | 3908 | powershell.exe
  Token: 33 | 3908 | powershell.exe
  Token: 34 | 3908 | powershell.exe
  Token: 35 | 3908 | powershell.exe
  Token: 36 | 3908 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 3908 | powershell.exe
  Token: SeSecurityPrivilege | 3908 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 3908 | powershell.exe
  Token: SeLoadDriverPrivilege | 3908 | powershell.exe
  Token: SeSystemProfilePrivilege | 3908 | powershell.exe
  Token: SeSystemtimePrivilege | 3908 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 3908 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 3908 | powershell.exe
  Token: SeCreatePagefilePrivilege | 3908 | powershell.exe
  Token: SeBackupPrivilege | 3908 | powershell.exe
  Token: SeRestorePrivilege | 3908 | powershell.exe
  Token: SeShutdownPrivilege | 3908 | powershell.exe
  Token: SeDebugPrivilege | 3908 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 3908 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 3908 | powershell.exe
  Token: SeUndockPrivilege | 3908 | powershell.exe
  Token: SeManageVolumePrivilege | 3908 | powershell.exe
  Token: 33 | 3908 | powershell.exe
  Token: 34 | 3908 | powershell.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | Process | procid_target
  PID 4724 wrote to memory of 3908 | 4724 | powershell.exe | 84
  PID 4724 wrote to memory of 3908 | 4724 | powershell.exe | 84
  PID 3908 wrote to memory of 2240 | 3908 | powershell.exe | 85
  PID 3908 wrote to memory of 2240 | 3908 | powershell.exe | 85
  PID 2748 wrote to memory of 3904 | 2748 | pOwErshEll.exe | 90
  PID 2748 wrote to memory of 3904 | 2748 | pOwErshEll.exe | 90
  PID 3904 wrote to memory of 2604 | 3904 | cmd.exe | 91
  PID 3904 wrote to memory of 2604 | 3904 | cmd.exe | 91
  PID 3904 wrote to memory of 2744 | 3904 | cmd.exe | 92
  PID 3904 wrote to memory of 2744 | 3904 | cmd.exe | 92
  PID 3904 wrote to memory of 1788 | 3904 | cmd.exe | 93
  PID 3904 wrote to memory of 1788 | 3904 | cmd.exe | 93
  PID 1788 wrote to memory of 2912 | 1788 | cmd.exe | 94
  PID 1788 wrote to memory of 2912 | 1788 | cmd.exe | 94
  PID 2912 wrote to memory of 2440 | 2912 | powershell.exe | 95
  PID 2912 wrote to memory of 2440 | 2912 | powershell.exe | 95
  PID 2912 wrote to memory of 2440 | 2912 | powershell.exe | 95
  PID 2912 wrote to memory of 2440 | 2912 | powershell.exe | 95
  PID 2912 wrote to memory of 2440 | 2912 | powershell.exe | 95
  PID 2912 wrote to memory of 2440 | 2912 | powershell.exe | 95
  PID 2912 wrote to memory of 2440 | 2912 | powershell.exe | 95
  PID 2912 wrote to memory of 2440 | 2912 | powershell.exe | 95
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1.ps1
  PID: 4724
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.ps1'"
    PID: 3908
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.vbs"
      PID: 2240

C:\Windows\System32\WindowsPowerShell\v1.0\pOwErshEll.exe
  Command line: pOwErshEll -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.bat
  PID: 2748
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.bat""
    PID: 3904
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      Command line: REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
      PID: 2604
      - Modifies registry class
      - Modifies registry key

    C:\Windows\system32\reg.exe
      Command line: REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
      PID: 2744
      - Modifies registry class
      - Modifies registry key

    C:\Windows\system32\cmd.exe
      Command line: cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\BOHRRCBYGXGIFDRSIXWFDC.ps1'"
      PID: 1788
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\BOHRRCBYGXGIFDRSIXWFDC.ps1'"
        PID: 2912
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          PID: 2440
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads