Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-01-2021 17:42
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Invoice ID-(4387206).vbs
  - Resource: win7v20201028
General
- Target: Invoice ID-(4387206).vbs
- Size: 1KB
- MD5: 83f5dfe54337970c464b58db9d990bbc
- SHA1: c3da46773165a805307eea544a5c1498bfd96e26
- SHA256: 0089fe3a660c1a3fba7039e03482aed3b0a7d82b72e4c38e4b5da8612fe7247c
- SHA512: cd2123990037cbf5eebbe818ff0d117dde71b4ed9882aef92b6471bbc71d9ef7ed664dff7798463810debcfcb3a94bbadd25c97013a57ba12da4b2e2f4c5fceb
Malware Config
Extracted
- https://ia801507.us.archive.org/34/items/3_20210106/3.txt
Extracted
- asyncrat 0.5.7B
- clayroot2016.linkpc.net:6666
- AsyncMutex_6SI8OkPnk
- aes_key: Kf16onJhATpNbuJfsFjEdXd4221e8Y7w
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: clayroot2016.linkpc.net
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 6666
- version: 0.5.7B
Signatures
Async RAT payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/964-16-0x0000000000400000-0x0000000000410000-memory.dmp | asyncrat
  behavioral1/memory/964-17-0x000000000040B5CE-mapping.dmp | asyncrat
  behavioral1/memory/964-18-0x0000000000400000-0x0000000000410000-memory.dmp | asyncrat
  behavioral1/memory/964-19-0x0000000000400000-0x0000000000410000-memory.dmp | asyncrat

Blocklisted process makes network request (3 IoCs)
  flow | pid | process
  7 | 1376 | powershell.exe
  9 | 1376 | powershell.exe
  11 | 1376 | powershell.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1376 set thread context of 964 | 1376 | powershell.exe | RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1376 | powershell.exe
  1376 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1376 | powershell.exe
  Token: SeDebugPrivilege | 964 | RegSvcs.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | process | target process
  PID 836 wrote to memory of 916 | 836 | WScript.exe | WScript.exe (3 identical entries)
  PID 916 wrote to memory of 1376 | 916 | WScript.exe | powershell.exe (3 identical entries)
  PID 1376 wrote to memory of 964 | 1376 | powershell.exe | RegSvcs.exe (12 identical entries)
Processes
1. C:\Windows\System32\WScript.exe
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice ID-(4387206).vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\OAP\Microsoft.vbs"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\Microsoft.ps1
         - Blocklisted process makes network request
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: c0289a1d97492e7a327dd444ee1d4ece
  SHA1: 9eb8d29e5172b0c81392759c33e9126965c833fb
  SHA256: cbe137f2428852944aaa642fefd82f3513c0c34e7331bb64e33d5c4d0d4cabe1
  SHA512: 527c6c77320d2ab4467cb48040509489fcc1f04dd3924fb8ec5cd7e46f3cf5dd40a13d97d5844dfc81e7ccdd83076597b20f2bcd434b72d7f9b4bcd050717f3b
- C:\Users\Public\Microsoft.ps1
  MD5: 939ee63cf8ac3f8e78f594373f5d030a
  SHA1: 5f551c62b88f55c586053305262be35b3d928408
  SHA256: fc09d030993fb16d785c7287fbdbd9cf7f4f102b81ef5e73148b8b1830e74f17
  SHA512: 68b1a9b5244187d508a182866d1aa8745ee73eb6d2b6c4ab5c954b00e51910f741dd1a0dc3e456c65f984a1fc1ef1e5a2b6da73d77b2b311c41ffd2a32ca6600
- C:\Users\Public\OAP\Microsoft.vbs
  MD5: d49fe88c24fa3082693cefa7cab09178
  SHA1: 78930a721e3d515b23a4db013919831d60394c6e
  SHA256: f7c47384a5bda0a0235a0807b22e2ca09b96ab4a488f7538ea9f7bcdfe970c47
  SHA512: 0215756f8f112158fbdf2af9b60d32486e082a59282552e3912deee889994adfeee683fc55431d338a144abe679b20e79652beae1f9c191dd5750c05a028bb86
- memory/836-3-0x00000000024C0000-0x00000000024C4000-memory.dmp (Filesize: 16KB)
- memory/916-6-0x00000000025D0000-0x00000000025D4000-memory.dmp (Filesize: 16KB)
- memory/916-2-0x0000000000000000-mapping.dmp
- memory/964-17-0x000000000040B5CE-mapping.dmp
- memory/964-16-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/964-20-0x0000000074510000-0x0000000074BFE000-memory.dmp (Filesize: 6.9MB)
- memory/964-19-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/964-18-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize: 64KB)
- memory/1376-8-0x00000000025A0000-0x00000000025A1000-memory.dmp (Filesize: 4KB)
- memory/1376-14-0x000000001C650000-0x000000001C651000-memory.dmp (Filesize: 4KB)
- memory/1376-15-0x000000001B5F0000-0x000000001B5F3000-memory.dmp (Filesize: 12KB)
- memory/1376-13-0x000000001C580000-0x000000001C581000-memory.dmp (Filesize: 4KB)
- memory/1376-7-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp (Filesize: 9.9MB)
- memory/1376-9-0x000000001AC00000-0x000000001AC01000-memory.dmp (Filesize: 4KB)
- memory/1376-11-0x000000001A8E0000-0x000000001A8E1000-memory.dmp (Filesize: 4KB)
- memory/1376-10-0x00000000024F0000-0x00000000024F1000-memory.dmp (Filesize: 4KB)
- memory/1376-5-0x0000000000000000-mapping.dmp