Analysis Overview
SHA256
6be765d9b3531f2c2df05dee6254a3154f0764e2d2ca175346b0e9e2027b4c12
Threat Level: Known bad
The file 146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Vjw0rm
Async RAT payload
Executes dropped EXE
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-10 07:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-10 07:55
Reported
2022-10-10 07:56
Platform
win10v2004-20220812-en
Max time kernel
61s
Max time network
67s
Command Line
Signatures
AsyncRat
Vjw0rm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\logs.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\logs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js"
C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8050.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\logs.exe
"C:\Users\Admin\AppData\Roaming\logs.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1476 -ip 1476
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1476 -s 848
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| JP | 156.146.35.171:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | fresh02.ddns.net | udp |
| VN | 103.74.101.124:2245 | fresh02.ddns.net | tcp |
| JP | 156.146.35.171:5465 | javaautorun.duia.ro | tcp |
| US | 40.77.2.164:443 | tcp | |
| US | 8.238.20.126:80 | tcp | |
| VN | 103.74.101.124:2245 | fresh02.ddns.net | tcp |
| US | 13.89.179.8:443 | tcp | |
| US | 204.79.197.200:443 | tcp | |
| US | 8.8.8.8:53 | fp-vs.azureedge.net | udp |
| US | 72.21.81.200:443 | fp-vs.azureedge.net | tcp |
| US | 204.79.197.200:443 | tcp | |
| US | 8.8.8.8:53 | q-ring.msedge.net | udp |
| US | 13.107.49.254:443 | q-ring.msedge.net | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 8.238.20.126:80 | tcp | |
| US | 8.238.20.126:80 | tcp | |
| US | 8.253.208.120:80 | tcp | |
| JP | 156.146.35.171:5465 | javaautorun.duia.ro | tcp |
Files
memory/2232-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js
| MD5 | 91e16cc28847b49a31fa84f5bb95d3e0 |
| SHA1 | 31cbfcc259966c020e0a6af48fe7ab3f1ed8746b |
| SHA256 | 068f05236ec0499de55e3875a94989f1cc3ce5091834a09752dc61a3fb447a19 |
| SHA512 | f02c263c1f1f6374b1ae9bb5767b8cf8f7c454e2912fb58ced14b9ce8bea5c8a4ec3e1eb48bdc9aae29b572fb723b9b377b458ea5c12b101c175e475cf93b41b |
memory/4084-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
| MD5 | 9e320f6163f8d53462d45fbebc282c64 |
| SHA1 | b2e0a591204581e78f0ae85ff42a7ca02542e2ae |
| SHA256 | 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5 |
| SHA512 | 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65 |
C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
| MD5 | 9e320f6163f8d53462d45fbebc282c64 |
| SHA1 | b2e0a591204581e78f0ae85ff42a7ca02542e2ae |
| SHA256 | 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5 |
| SHA512 | 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65 |
memory/4084-137-0x0000000000E90000-0x0000000000EA2000-memory.dmp
memory/4084-138-0x0000000005B60000-0x0000000005BFC000-memory.dmp
memory/5016-139-0x0000000000000000-mapping.dmp
memory/1472-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8050.tmp.bat
| MD5 | 20f2b587ce94a65dd8e85fb394768c52 |
| SHA1 | fe6fbfc21360e11a78a54775c7cbe38da34eff99 |
| SHA256 | d199a8941dc08dc911cfebeec31d37b6dcb2292b2c1869a466ec7109a428d891 |
| SHA512 | 48b84c1e71b76a03196814c5ec5e13acb5fcd3478389849016a430c6bfafa475218f677cd227adc9ca685364b51a181912934e5aaa4bc017eecf0792c2c07963 |
memory/1300-142-0x0000000000000000-mapping.dmp
memory/5040-143-0x0000000000000000-mapping.dmp
memory/1856-144-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\logs.exe
| MD5 | 9e320f6163f8d53462d45fbebc282c64 |
| SHA1 | b2e0a591204581e78f0ae85ff42a7ca02542e2ae |
| SHA256 | 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5 |
| SHA512 | 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65 |
C:\Users\Admin\AppData\Roaming\logs.exe
| MD5 | 9e320f6163f8d53462d45fbebc282c64 |
| SHA1 | b2e0a591204581e78f0ae85ff42a7ca02542e2ae |
| SHA256 | 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5 |
| SHA512 | 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65 |