Analysis
-
max time kernel
26s
-
max time network
150s
-
platform
windows10_x64
-
resource
win10v20201028
-
submitted
08-01-2021 17:42
Static task
static1
Behavioral task
behavioral1
Sample
Invoice ID-(4387206).vbs
Resource
win7v20201028
General
-
Target
Invoice ID-(4387206).vbs
-
Size
1KB
-
MD5
83f5dfe54337970c464b58db9d990bbc
-
SHA1
c3da46773165a805307eea544a5c1498bfd96e26
-
SHA256
0089fe3a660c1a3fba7039e03482aed3b0a7d82b72e4c38e4b5da8612fe7247c
-
SHA512
cd2123990037cbf5eebbe818ff0d117dde71b4ed9882aef92b6471bbc71d9ef7ed664dff7798463810debcfcb3a94bbadd25c97013a57ba12da4b2e2f4c5fceb
Malware Config
Extracted
https://ia801507.us.archive.org/34/items/3_20210106/3.txt
Extracted
asyncrat
0.5.7B
clayroot2016.linkpc.net:6666
AsyncMutex_6SI8OkPnk
-
aes_key
Kf16onJhATpNbuJfsFjEdXd4221e8Y7w
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
clayroot2016.linkpc.net
-
hwid
3
-
install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6666
-
version
0.5.7B
Signatures
-
Async RAT payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2084-10-0x0000000000400000-0x0000000000410000-memory.dmp | asyncrat
behavioral2/memory/2084-11-0x000000000040B5CE-mapping.dmp | asyncrat
-
Blocklisted process makes network request 2 IoCs
Processes: powershell.exe
flow | pid | process
10 | 2176 | powershell.exe
13 | 2176 | powershell.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
description | pid | process | target process
PID 2176 set thread context of 2084 | 2176 | powershell.exe | RegSvcs.exe
-
Modifies registry class 1 IoCs
Processes: WScript.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | WScript.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: powershell.exe
pid | process
2176 | powershell.exe
2176 | powershell.exe
2176 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: powershell.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 2176 | powershell.exe
Token: SeDebugPrivilege | 2084 | RegSvcs.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: WScript.exe, WScript.exe, powershell.exe
description | pid | process | target process
PID 1048 wrote to memory of 1192 | 1048 | WScript.exe | WScript.exe
PID 1048 wrote to memory of 1192 | 1048 | WScript.exe | WScript.exe
PID 1192 wrote to memory of 2176 | 1192 | WScript.exe | powershell.exe
PID 1192 wrote to memory of 2176 | 1192 | WScript.exe | powershell.exe
PID 2176 wrote to memory of 2084 | 2176 | powershell.exe | RegSvcs.exe
PID 2176 wrote to memory of 2084 | 2176 | powershell.exe | RegSvcs.exe
PID 2176 wrote to memory of 2084 | 2176 | powershell.exe | RegSvcs.exe
PID 2176 wrote to memory of 2084 | 2176 | powershell.exe | RegSvcs.exe
PID 2176 wrote to memory of 2084 | 2176 | powershell.exe | RegSvcs.exe
PID 2176 wrote to memory of 2084 | 2176 | powershell.exe | RegSvcs.exe
PID 2176 wrote to memory of 2084 | 2176 | powershell.exe | RegSvcs.exe
PID 2176 wrote to memory of 2084 | 2176 | powershell.exe | RegSvcs.exe
Processes
- C:\Windows\System32\WScript.exe (level 1)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice ID-(4387206).vbs"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (level 2)
    "C:\Windows\System32\WScript.exe" "C:\Users\Public\OAP\Microsoft.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\Microsoft.ps1
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 4)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Public\Microsoft.ps1
MD5
939ee63cf8ac3f8e78f594373f5d030a
SHA1
5f551c62b88f55c586053305262be35b3d928408
SHA256
fc09d030993fb16d785c7287fbdbd9cf7f4f102b81ef5e73148b8b1830e74f17
SHA512
68b1a9b5244187d508a182866d1aa8745ee73eb6d2b6c4ab5c954b00e51910f741dd1a0dc3e456c65f984a1fc1ef1e5a2b6da73d77b2b311c41ffd2a32ca6600
-
C:\Users\Public\OAP\Microsoft.vbs
MD5
d49fe88c24fa3082693cefa7cab09178
SHA1
78930a721e3d515b23a4db013919831d60394c6e
SHA256
f7c47384a5bda0a0235a0807b22e2ca09b96ab4a488f7538ea9f7bcdfe970c47
SHA512
0215756f8f112158fbdf2af9b60d32486e082a59282552e3912deee889994adfeee683fc55431d338a144abe679b20e79652beae1f9c191dd5750c05a028bb86
-
memory/1192-2-0x0000000000000000-mapping.dmp
-
memory/2084-11-0x000000000040B5CE-mapping.dmp
-
memory/2084-10-0x0000000000400000-0x0000000000410000-memory.dmp
Filesize
64KB
-
memory/2084-12-0x0000000073AD0000-0x00000000741BE000-memory.dmp
Filesize
6.9MB
-
memory/2084-15-0x0000000005CB0000-0x0000000005CB1000-memory.dmp
Filesize
4KB
-
memory/2084-16-0x0000000006250000-0x0000000006251000-memory.dmp
Filesize
4KB
-
memory/2084-17-0x0000000005D50000-0x0000000005D51000-memory.dmp
Filesize
4KB
-
memory/2176-6-0x00000298B5FF0000-0x00000298B5FF1000-memory.dmp
Filesize
4KB
-
memory/2176-7-0x00000298D03B0000-0x00000298D03B1000-memory.dmp
Filesize
4KB
-
memory/2176-5-0x00007FFA6AFB0000-0x00007FFA6B99C000-memory.dmp
Filesize
9.9MB
-
memory/2176-9-0x00000298D0340000-0x00000298D0343000-memory.dmp
Filesize
12KB
-
memory/2176-4-0x0000000000000000-mapping.dmp