Analysis

  • max time kernel
    135s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2024 13:40

General

  • Target

    fe3945266e7dfdc99e44bc02c024925710957c7123f71e8b81f97403849cc272.ps1

  • Size

    121KB

  • MD5

    1073f4f0b62cc79342a1eb72a4c4da50

  • SHA1

    0ee22d55eafa3068b009253a35344fed4e0b9088

  • SHA256

    fe3945266e7dfdc99e44bc02c024925710957c7123f71e8b81f97403849cc272

  • SHA512

    c0280b4f08b8d878e4bb66427ed6985474fb5ed44eed6c87329c8f4a157515bc7b265275751a818da430d9203237c4dc4b1e2b58e7f78c23e79b578974ba9e72

  • SSDEEP

    3072:1yZ/nst2lwqWa84XadqQ8we/+P3fkdYkBa:4Nxwe/+P3feYkBa

Malware Config

Extracted

  • Family
    asyncrat
  • Version
    1.0.7
  • Botnet
    Default
  • C2
    crazydns.linkpc.net:5900
  • Mutex
    DcRatMutex_qwqdanchun
  • Attributes
    • delay
      1
    • install
      false
    • install_folder
      %AppData%
    • aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Drops startup file (3 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)

    Uses the powershell.exe command.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (52 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\fe3945266e7dfdc99e44bc02c024925710957c7123f71e8b81f97403849cc272.ps1
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5016
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Task.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4784
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "MicrosoftSystemUpdateHandler" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftSystemHandler.vbs"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1868
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\15qt4ris\15qt4ris.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B67.tmp" "c:\Users\Admin\AppData\Local\Temp\15qt4ris\CSCF61292A5F3914A5FAA1A6D78F0EE8F2C.TMP"
        3⤵
        PID:2764
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:656
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\MicrosoftSystemHandler.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\fe3945266e7dfdc99e44bc02c024925710957c7123f71e8b81f97403849cc272.ps1
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Task.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\system32\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "MicrosoftSystemUpdateHandler" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftSystemHandler.vbs"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1752
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\szxknjak\szxknjak.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3932
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1633.tmp" "c:\Users\Admin\AppData\Local\Temp\szxknjak\CSC1BC91E9B8B2D41DBA0DBD1736D8795F1.TMP"
          4⤵
          PID:2744
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1692
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\MicrosoftSystemHandler.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\fe3945266e7dfdc99e44bc02c024925710957c7123f71e8b81f97403849cc272.ps1
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Task.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3292
        • C:\Windows\system32\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "MicrosoftSystemUpdateHandler" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftSystemHandler.vbs"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:384
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rrb1l0ls\rrb1l0ls.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC7C.tmp" "c:\Users\Admin\AppData\Local\Temp\rrb1l0ls\CSC17ACFD0A6922486681C917669BB7D57.TMP"
          4⤵
          PID:4872
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4004

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          3KB

          MD5

          85df31411080f87203ed45b0dab4f336

          SHA1

          5bf5b44ce38fa21c305c1a375da9e6ad84f48892

          SHA256

          e15527444c709b53eca9bc57890b4f6340fce53de1b5b0302a547f18da5974e5

          SHA512

          963cf413d03add219bc832009f2ae5de426a4fae0633f02dfe90db4754f375e8bbe06d967bb6cbca59d1c41476126f1c78d2073adb5ba39ca420adafa3b0944c

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

          Filesize

          425B

          MD5

          4eaca4566b22b01cd3bc115b9b0b2196

          SHA1

          e743e0792c19f71740416e7b3c061d9f1336bf94

          SHA256

          34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

          SHA512

          bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          35d43a86efeabd48c2d43ebe5aa16281

          SHA1

          48079c8bc8d7242dccc67078d921d559466e6345

          SHA256

          ee13a5599b424791ec02418ff525f410fb5e2c5602119b17b06067364b1109ec

          SHA512

          fc0ff5893184d4d630c23b00b38308d2365c0729a938c02cdce2c859f491ea96d648a9edac4e3fa2ddef559ea6412ea338222563881601dcc8731214816e7dff

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          e9755b2809ce6bde36606beadafe2cb3

          SHA1

          d2bf7e2d524fa76fcaad6380ba85ee52280a7020

          SHA256

          32bf974a71410401cf4df6a698c76afda6487e468794b8c1ae6673b8c68ccda9

          SHA512

          20856d2ca08bab3497a0c7090ac46a4497cedf98ad42ab3b755f2c4df3314b7858385cc4e0a3c05f36d473dbb6e6c82904fec0d2cef5f33b1bd526eff6d75178

        • C:\Users\Admin\AppData\Local\Temp\15qt4ris\15qt4ris.dll

          Filesize

          11KB

          MD5

          45c6a709cdb70d0958a3680d98ad91b8

          SHA1

          4c4e69787ca1b666138b6f5ab0bb487264bbd32f

          SHA256

          557a1dda3a4cfdcad645b6cd9a2eb7beee8de7b1d01fd8aa50556d02c5c0bce4

          SHA512

          27fd5de940b740b8ee9a04405ad54474c85dfe2639835e157553ac2159255c737b383f3f42986dcea0c3a7fa3c1a6b7e49c74bdae63ba647cd4b6198fce2b05b

        • C:\Users\Admin\AppData\Local\Temp\RES1633.tmp

          Filesize

          1KB

          MD5

          a61182bd85ae4e0dec3ac707745cc95e

          SHA1

          f77a6138901aa90f3bf863489009cbd59651afc3

          SHA256

          b0fb3e4a658454d7eb0b0f1788b032efebf7da09aafb52e48d8aba9c2b535647

          SHA512

          5524aee55e5948fbf061f44b8b5737b7d880cd68037f68d995303cdbe49d5aefd3a765a058f90c52d49556525deac0b67a4923d2984162d901802919640c81c3

        • C:\Users\Admin\AppData\Local\Temp\RES8B67.tmp

          Filesize

          1KB

          MD5

          5d9e8eb72c2b3ff57cc463f882f87882

          SHA1

          c0dcceb3482b86ba2dddd8753ae0b4a3378717c7

          SHA256

          da8405f7a74ae8243e62b33bfbc6c094e94d71044bee308c0a9215f0c3fe8f6b

          SHA512

          00fd69db9caccff49f33afac4578eb501b4ed03e1961e25c63cb84335ced1a2d6885df6ffedc8f30d367b5055cbc7c482470f7792a9e6b6aef386c9e6ca32a43

        • C:\Users\Admin\AppData\Local\Temp\RESFC7C.tmp

          Filesize

          1KB

          MD5

          993e0900299e46feca002f99a6bfb1db

          SHA1

          0d9cb9ace1c57d87b6b8ce72419c258c9d02c6fd

          SHA256

          5634efcc807fca12d3d7d0a9b2222496437326e80f2e54efed447fa04179b207

          SHA512

          1da73c3f8844309467ed4d502b658edc9bb5d94e7a54028c6e9eff8546d8eb491d01867c140ff5ea0e4b71d484e1a09b4afd590e66200bc48e8dab3fa61e1ff2

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdvyjds2.1kj.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\rrb1l0ls\rrb1l0ls.dll

          Filesize

          11KB

          MD5

          6bc3750217321256570f8ad700573eb9

          SHA1

          7781b11b19f8e9d8b909b9ca973bd284b234f6b3

          SHA256

          3f31d99913660dcecb0daf8b05c854f310967a09efe111adbc42508d77b22487

          SHA512

          98027d0c226b710da10ad2d95bc778755e95c6df7912ece8abdd60571cb9dbcc0afb6b5bddc695e47742ecd7dc42448bd9e35e7f8c6acc8571cb7f45f1788f23

        • C:\Users\Admin\AppData\Local\Temp\szxknjak\szxknjak.dll

          Filesize

          11KB

          MD5

          72cf7092b4ff29be7ff1ae337b8b4a57

          SHA1

          bc9c0bd92edb6b1c21629b5d891b65354b5eb25d

          SHA256

          5951bc7d29a284b8b2dfe2667e29d5f661ca875183d688196d0a90cb2b5dbe75

          SHA512

          8a77575fb8c72cec908c179f5b2dc5533c3ac3d5a7f6c7f39be226e3a1cdf131150be64060bb58642df41c606596a80986bed2ae8c6e115dad10e7534d5f4af0

        • C:\Users\Admin\AppData\Roaming\MicrosoftSystemHandler.vbs

          Filesize

          209B

          MD5

          a7104d0e75cf5f1febad1aca4815e08b

          SHA1

          e9b49ba0039979bfe34343275f56d7d97243b9ad

          SHA256

          1f3665886d32551942985859b65d7585aa4ceafeada8689376e029d6e358ea87

          SHA512

          b4a07028a6f28080ba6075c804f05f785e566313626922564620fb3774b1c63a8d43ae90ea1559efb22ed56564dc0c87dfd89db74fe91564a9e098b1e45a8274

        • C:\Users\Admin\AppData\Roaming\Task.bat

          Filesize

          172B

          MD5

          cd73f03b6f85e70ee34606b9c0912e87

          SHA1

          b7c3ac016fc7887b7254cc5f25ef54225764a7d9

          SHA256

          c30f309c2af8869c2392d9e33e42876688db700bd83c9270567d11fbd0b3da3a

          SHA512

          0fd27e46dcbf82b98dc188377d75fa073c082a2f86740d51856e55a79d5f16d52f2a663832c96d7f3677bfc375cd40d85818ecfc339cb882cdf41f49fe909173

        • \??\c:\Users\Admin\AppData\Local\Temp\15qt4ris\15qt4ris.0.cs

          Filesize

          14KB

          MD5

          5b28648a4e188b0ebdf2d5edcda61624

          SHA1

          faf0ba6c2ef8d8184881eda8a276796449969e1c

          SHA256

          e92acafc5a9dd128b120809aaf76178275c3d22b13fb7cc2f0d9c624befed1b1

          SHA512

          972fca6205f8927363b751ff51c6cf07c3b42f7cbd8fbe12c1098df539118ecf3d3ce1af3b5d376c8710ed183786fc911279ff81941aba4202a11ca5670b9937

        • \??\c:\Users\Admin\AppData\Local\Temp\15qt4ris\15qt4ris.cmdline

          Filesize

          327B

          MD5

          b6660c89e15e22b69acc43b22f20bcf1

          SHA1

          cbcc921eb01c38322be9fd8adeca7da23080c61e

          SHA256

          8f0c959aa3fb061d0c33e49608f09e14304d75fd7e05a1c41106db50229ef6c8

          SHA512

          f101d9efee31fbd659464dc3144f77e1b488ea44663a28d07e0053363ff7d93db4af0351bc41802c6e9da292a74dd7f7ad22428ea5c2b734a63bdc45682ff6ff

        • \??\c:\Users\Admin\AppData\Local\Temp\15qt4ris\CSCF61292A5F3914A5FAA1A6D78F0EE8F2C.TMP

          Filesize

          652B

          MD5

          70bf6f0954ca0b497828ebe7819880f8

          SHA1

          d8ae1541bc94879ef8c7fca2d7cdfc051b5eef04

          SHA256

          ce7d08d9b7a0e557621c4c16f63b28c35495d7dfc6a5a5b9ba4b8a28d6750e91

          SHA512

          ca6aeedcbfa73c9197ab1f441cc4e9f8ba11b53a36709c17b01c197fa86ee9bb7d5c3f80636619ec6c19a8ebca0a6a003b9c0b7bd00c9bf591dc453c8b646dff

        • \??\c:\Users\Admin\AppData\Local\Temp\rrb1l0ls\CSC17ACFD0A6922486681C917669BB7D57.TMP

          Filesize

          652B

          MD5

          43c2c40e354ad52d90364cfc23aa229a

          SHA1

          f0f5cf4cde8499301a2aaa0724b5ed26a9278024

          SHA256

          86d66a1373d49ef41f8206cfeb2e1a17d7fb6218e990308881d9bfdfe6227706

          SHA512

          a4c2d8216098388e53650ba3beaa084934a1f76140280bcc83d3fec184c2b53acbc57dd64ff03c8a671f9d7994887c5418f34cc62d77bc3c5b52083ff53f7bde

        • \??\c:\Users\Admin\AppData\Local\Temp\rrb1l0ls\rrb1l0ls.cmdline

          Filesize

          327B

          MD5

          1de465ae0ef55f8f9141345b32bafb7c

          SHA1

          ac361ecb1e81938652fde65f2670142e47f22716

          SHA256

          a42a03b589a1d1d19fdd23f5f5d6490a7d041f3ae61b8a96f4311728a97bdb63

          SHA512

          71af2c5089f92825326d6e80924f7319686ca3fb7e5fa5c7646f68e45f22e81ff2cd3e8b35ba56571e26bf2737dd17ca5a3c087d9059b9163ba6b28c94b81ae7

        • \??\c:\Users\Admin\AppData\Local\Temp\szxknjak\CSC1BC91E9B8B2D41DBA0DBD1736D8795F1.TMP

          Filesize

          652B

          MD5

          a229e61cc0a689d70f2382eb147072ce

          SHA1

          0687d7d63481c09f9fde570bec4dec7849d0db57

          SHA256

          db872e5fff36b8a7fa1fb1c3ddcc2218a35243daf88f0ef8c2f0083e165bf73e

          SHA512

          09652fd35873188847b39a62b8f65d64e265c36da35122f60a3fb1dbbdd381d92ac0864c95e6419c35e7a016ea6e08821751ce705104a37adcfd75ba139f5abf

        • \??\c:\Users\Admin\AppData\Local\Temp\szxknjak\szxknjak.cmdline

          Filesize

          327B

          MD5

          c6ef8eac77103d685788c7192c73b9a2

          SHA1

          4d4f1c5f3ce4d542723ce6a41df81c4d8bd6bbbf

          SHA256

          bc3771f826304fd1d47280b4a9808a25d582cd3f78f71012c632d297285fa513

          SHA512

          c8715cfe5ab5d760b02d55f44e563a29b1c10c09fa0456590ea6dcf1930b0c537195ca17804436935754b76f2cc8e163195e382a7918b73f6c015006f10d9ba5

        • memory/656-36-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/2300-106-0x0000024BB5790000-0x0000024BB579A000-memory.dmp

          Filesize

          40KB

        • memory/3052-71-0x00000150B6BF0000-0x00000150B6BFA000-memory.dmp

          Filesize

          40KB

        • memory/5016-21-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp

          Filesize

          10.8MB

        • memory/5016-39-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp

          Filesize

          10.8MB

        • memory/5016-34-0x00000179E3E00000-0x00000179E3E0A000-memory.dmp

          Filesize

          40KB

        • memory/5016-0-0x00007FFB290C3000-0x00007FFB290C5000-memory.dmp

          Filesize

          8KB

        • memory/5016-14-0x00000179E4660000-0x00000179E4B88000-memory.dmp

          Filesize

          5.2MB

        • memory/5016-13-0x00000179E40B0000-0x00000179E4126000-memory.dmp

          Filesize

          472KB

        • memory/5016-12-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp

          Filesize

          10.8MB

        • memory/5016-11-0x00007FFB290C0000-0x00007FFB29B81000-memory.dmp

          Filesize

          10.8MB

        • memory/5016-10-0x00000179E3C80000-0x00000179E3CA2000-memory.dmp

          Filesize

          136KB