Analysis

  • max time kernel
    200s
  • max time network
    209s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    07-01-2025 19:25

General

  • Target

    da58732f8c52ededed023e7d604dd10e295ad436884b990c8f13e6660cc42b5e.ps1

  • Size

    264KB

  • MD5

    3fbc9d18f8e94a0b5b1e39134be7c153

  • SHA1

    be9a946fae242ff3b59ed41e0847338dfc90c58f

  • SHA256

    da58732f8c52ededed023e7d604dd10e295ad436884b990c8f13e6660cc42b5e

  • SHA512

    3909f08fed81bf6ff84c30ba531a098829dbc6ff54718abd79bb191e8d00ae7b8fcc2c0717c47bf1f988ac9cb197cd41283d9f8e78a3cbfbbcde68fcc251762a

  • SSDEEP

    1536:AvT4sMnsXsJk+74w76OwXLCqGO7f3XFPzm+efcYqJznK5Fb5uDSPVZrskXUkRhto:ev

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

COME00001

C2

dick2024.ddnsfree.com:6161

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Uses the powershell.exe command.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 10 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\da58732f8c52ededed023e7d604dd10e295ad436884b990c8f13e6660cc42b5e.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:464
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3168
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4492
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4108
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4180
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2260
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3116
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3124
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /IM RegSvcs.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3664
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\VVHUPYEWODP.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\QIJGHURIURNY.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\EHUVGUEHUVGsEHUVGeEHUVGrEHUVGs\PEHUVGuEHUVGbEHUVGlEHUVGiEHUVGc\ORFWDFDJWS.ps1'.replace('EHUVG','')"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:8
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
            PID:5036
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:4636

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\WindowsHost\VVHUPYEWODP.vbs

      Filesize

      203B

      MD5

      5df4a579cc17f04921e456cb68a3b0c0

      SHA1

      4e93880c909ea818e360d6424c2e58b63e5db7f4

      SHA256

      4f43e3cd8e3d7ab2208c6031d60ad443c26978cbf3ebbee6f9b30a368cf70476

      SHA512

      4f2363c2bb6f34c41ceff62ae0178637a02d6c364728744317f1801b2760b567197e0b82b978887c35c5450f1fe94fbfb67247d7ed5dfe3edabb02658de8681a

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      da8edb0f8387d38f5407c0870910646d

      SHA1

      2d1015f762bbc68de0d6f95d06706eda62d53f36

      SHA256

      7ae5611076ad876c513086fb7fc01af05fefa1e9bcfcf2ec4d0e8328cf40b25d

      SHA512

      5206486e14e5a9f1ec181859a8cfd20a7b102851933dde543f15acdb514f427f8dfa2d6703e654207eb4f0ade0e0ff5077ddca5ff7f22ac06a757d8fee7241da

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      2KB

      MD5

      c84f0a311ef9100c3d7366a06c2b7a46

      SHA1

      250861fb8f1222913bf551af259b089e19630521

      SHA256

      177b91a05a5e09b73acef1d7756f265972e04d208bf61b02385f38bed7a221bd

      SHA512

      4bd81d149b6c418a15a767e3fa58d784f311daf875512213b5353989ecbce1134e52e5d00fb6f58e7d58e372ec7b820b73c9e5e6dc46e38c27e84a2e177da04a

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kzqbuoan.dr4.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Public\ORFWDFDJWS.ps1

      Filesize

      249KB

      MD5

      27dc626f052cde7ca5c99e09ba2c3bc5

      SHA1

      2bc44b1968fe3063310aea0ae3e7f56ccd826b1a

      SHA256

      6eebe78eaeed5994a575baa50964ee98edc0fbf03f23620aef0d76910754132f

      SHA512

      18b5cf64f1af721840c2aa09dd3457c5d816881c6522672c9cd33ab4ddf30fb2e51a55400855c251ae23b2aeca4423e52f63dff3647f5fd091e2b97e78167fab

    • C:\Users\Public\QIJGHURIURNY.bat

      Filesize

      161B

      MD5

      1239b4b2502a859c6ece490ba5b5cee2

      SHA1

      476083fdf24d50b59b9a26b383894ca2f7a6c1f5

      SHA256

      40780ee72765574aa5c5136ae429a2e951b578345ff0e4e4268e12412970eec2

      SHA512

      bf631ee1ee611b3c6839cca1b83787b6d3a7504d3ca8939c40084700c5a7ddbce5f9b333aa7b68821326bf65b161935434f694a1a7dd2ef8a66f5d50842af209

    • memory/8-34-0x0000024B59060000-0x0000024B5907A000-memory.dmp

      Filesize

      104KB

    • memory/4432-39-0x0000021065BD0000-0x00000210660F8000-memory.dmp

      Filesize

      5.2MB

    • memory/4432-15-0x00007FFECF2A0000-0x00007FFECF596000-memory.dmp

      Filesize

      3.0MB

    • memory/4432-11-0x00007FFECF2A0000-0x00007FFECF596000-memory.dmp

      Filesize

      3.0MB

    • memory/4432-40-0x0000021065300000-0x000002106532A000-memory.dmp

      Filesize

      168KB

    • memory/4432-6-0x0000021064CA0000-0x0000021064CC2000-memory.dmp

      Filesize

      136KB

    • memory/4432-41-0x0000021065300000-0x0000021065324000-memory.dmp

      Filesize

      144KB

    • memory/4432-0-0x00007FFECF2A0000-0x00007FFECF596000-memory.dmp

      Filesize

      3.0MB

    • memory/4432-47-0x00007FFECF2A0000-0x00007FFECF596000-memory.dmp

      Filesize

      3.0MB

    • memory/4432-38-0x00000210654D0000-0x0000021065692000-memory.dmp

      Filesize

      1.8MB

    • memory/4636-50-0x0000000005890000-0x000000000589A000-memory.dmp

      Filesize

      40KB

    • memory/4636-35-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/4636-48-0x0000000005C70000-0x0000000006216000-memory.dmp

      Filesize

      5.6MB

    • memory/4636-49-0x00000000058A0000-0x0000000005932000-memory.dmp

      Filesize

      584KB