Analysis

Max time kernel: 66s
Max time network: 148s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 17-01-2021 13:29
Static task: static1
Behavioral task: behavioral1 (sample: Invoice ID-(679789789).vbs, resource: win7v20201028)
General

Target: Invoice ID-(679789789).vbs
Size: 790KB
MD5: f02bd913e532f0ce5cc24adc82f8d0b3
SHA1: 49fb5baaa600a5208ba80e18bf89142c3f20b4ab
SHA256: ee6aa50f61c71ad0a85d0c60e8cec35c45b949da9e173d79cdcb9c7586ac4e12
SHA512: 64537b7b8b0fb21f41727c99bf6c8da7edc1f4a161a3d11da726c7e2f5b1cb653827ae6c2eba3dbe4ce2a618f839972c36e0cfc915f012b42b5d6d3d75ad3ea6
Malware Config

Extracted family: asyncrat
Version: 0.5.7B
C2: ahmed21018.linkpc.net:6666
Mutex: AsyncMutex_6SI8OkPnk

Configuration fields:
aes_key: HfV4Y9fCgIsC3FKVpoDmniTLvXYcA64a
anti_detection: false
autorun: true
bdos: false
delay: Default
host: ahmed21018.linkpc.net
hwid: 3
install_file:
install_folder: %AppData%
mutex: AsyncMutex_6SI8OkPnk
pastebin_config: null
port: 6666
version: 0.5.7B
Signatures

Async RAT payload (2 IoCs)
  YARA rule "asyncrat" matched in:
  - behavioral1/memory/1224-9-0x00000000004D0000-0x00000000004DC000-memory.dmp
  - behavioral1/memory/1568-23-0x0000000000530000-0x0000000000550000-memory.dmp

Executes dropped EXE (2 IoCs)
  - PID 1224  57yhyh.ExE
  - PID 1568  java updater.exe

Loads dropped DLL (1 IoC)
  - PID 1112  cmd.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
  - PID 924  timeout.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  - PID 1224  57yhyh.ExE (3 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - PID 1224  57yhyh.ExE        Token: SeDebugPrivilege
  - PID 1568  java updater.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (27 IoCs)
  Source process -> target process (number of write events):
  - PID 776   WScript.exe  -> PID 1224  57yhyh.ExE        (4 events)
  - PID 1224  57yhyh.ExE   -> PID 396   cmd.exe           (4 events)
  - PID 1224  57yhyh.ExE   -> PID 1112  cmd.exe           (4 events)
  - PID 396   cmd.exe      -> PID 2044  schtasks.exe      (4 events)
  - PID 1112  cmd.exe      -> PID 924   timeout.exe       (4 events)
  - PID 1112  cmd.exe      -> PID 1568  java updater.exe  (7 events)
Processes

Process tree (indentation shows parent/child relationship; PIDs taken from the signature tables above):

C:\Windows\System32\WScript.exe (PID 776)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice ID-(679789789).vbs"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\57yhyh.ExE (PID 1224)
    Command line: C:\Users\Admin\AppData\Local\Temp\57yhyh.ExE
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 396)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "java updater" /tr '"C:\Users\Admin\AppData\Roaming\java updater.exe"' & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (PID 2044)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "java updater" /tr '"C:\Users\Admin\AppData\Roaming\java updater.exe"'
        - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe (PID 1112)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4460.tmp.bat""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe (PID 924)
        Command line: timeout 3
        - Delays execution with timeout.exe

      C:\Users\Admin\AppData\Roaming\java updater.exe (PID 1568)
        Command line: "C:\Users\Admin\AppData\Roaming\java updater.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

Dropped files:

C:\Users\Admin\AppData\Local\Temp\57yhyh.ExE
  MD5:    cfb2ab64e731d5649ec6c3e10a6d8a68
  SHA1:   9b90bd0ff358dc0b593f46f3ce3893676aa72dfb
  SHA256: 4c03ce198ff982b17ffa2da5c94c4715c6ec6e85792669dcd795945b18b8a09f
  SHA512: 30a89d466749e3fb546f8a0343ad063fbc05368d4067dd53f3b5d7d2c7f57c546c6109a636afa2f2f7a35ce7e57bf367812eeb3fad2027d93e262038856fa737

C:\Users\Admin\AppData\Local\Temp\tmp4460.tmp.bat
  MD5:    3b955c85a23da0c17953d60fddba0195
  SHA1:   e541bd32b9d017a79a21d9b5958344963f4cde36
  SHA256: 36dd510e4ceeb8938d6909596ee4e474ff7b4652f0036d84f2a4a85ee25bccbd
  SHA512: 1bc5658cf1c22484b3abf56a8c486d7e5fee87daf31310eaf1e5795e4adbfb33a986988a4c05975971b5f120f26463594e8e905af50355235a70dd9c8b4e1e06

C:\Users\Admin\AppData\Roaming\java updater.exe (also listed as \Users\Admin\AppData\Roaming\java updater.exe; identical hashes to 57yhyh.ExE, i.e. the same binary copied to the persistence location)
  MD5:    cfb2ab64e731d5649ec6c3e10a6d8a68
  SHA1:   9b90bd0ff358dc0b593f46f3ce3893676aa72dfb
  SHA256: 4c03ce198ff982b17ffa2da5c94c4715c6ec6e85792669dcd795945b18b8a09f
  SHA512: 30a89d466749e3fb546f8a0343ad063fbc05368d4067dd53f3b5d7d2c7f57c546c6109a636afa2f2f7a35ce7e57bf367812eeb3fad2027d93e262038856fa737
Memory dumps:

memory/396-10-0x0000000000000000-mapping.dmp
memory/776-4-0x0000000002830000-0x0000000002834000-memory.dmp (16KB)
memory/924-14-0x0000000000000000-mapping.dmp
memory/1112-11-0x0000000000000000-mapping.dmp
memory/1224-2-0x0000000000000000-mapping.dmp
memory/1224-9-0x00000000004D0000-0x00000000004DC000-memory.dmp (48KB)
memory/1224-7-0x0000000000210000-0x0000000000211000-memory.dmp (4KB)
memory/1224-6-0x0000000073D40000-0x000000007442E000-memory.dmp (6.9MB)
memory/1568-17-0x0000000000000000-mapping.dmp
memory/1568-19-0x0000000073020000-0x000000007370E000-memory.dmp (6.9MB)
memory/1568-20-0x0000000001240000-0x0000000001241000-memory.dmp (4KB)
memory/1568-23-0x0000000000530000-0x0000000000550000-memory.dmp (128KB)
memory/2044-12-0x0000000000000000-mapping.dmp