Analysis Overview
SHA256
cee54813009042b01b4ebd1afbf99160b0c25465b7530332ba5bb064be6eba63
Threat Level: Known bad
The file REQUEST FOR MV W-MAYFAIR.js was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Vjw0rm
Async RAT payload
Blocklisted process makes network request
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-13 08:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-13 08:54
Reported
2023-01-13 08:57
Platform
win7-20221111-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
AsyncRat
Vjw0rm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js | C:\Windows\System32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR MV W-MAYFAIR.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp14E8.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 84.21.172.33:8808 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js
| MD5 | 7586d9e4467d26fde97538eab36cf88c |
| SHA1 | d7fcd37e0bc9e790023a38d2d470cd001f81ca92 |
| SHA256 | 7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18 |
| SHA512 | 02676bd1e1086eeae9bdec3bce065ac97267c457daf6fbd77a783d7fc81fc6f891518d6fd19dd525e84ebd25e3098614c4bbefa71ded301cd3a7a46ed2a40e0a |
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
| MD5 | 1b5be7647628e1de782bb8f33d369dd3 |
| SHA1 | cd6e2f240ea97d03c6c796ab3573f728d6c30d9f |
| SHA256 | fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903 |
| SHA512 | 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155 |
C:\Users\Admin\AppData\Local\Temp\tmp14E8.tmp.bat
| MD5 | 1f60ee76a720ac6e6ab1275e8d9e370b |
| SHA1 | c0f2f19008a7c05ab6e69918bbd3d21305211bce |
| SHA256 | ac025daa5c2452a960ba059005a7c8217323f783cd01f7935528ad03eb58d041 |
| SHA512 | f4833574fd729a51e9d1af17217062e5977204f1110e6a9c6062d65a52e2465806f9876079564657266c733b59ef8f91ba7ffeac8471dd4d0e7025c6d1132adb |
\Users\Admin\AppData\Roaming\Recycle Bin.exe
| MD5 | 1b5be7647628e1de782bb8f33d369dd3 |
| SHA1 | cd6e2f240ea97d03c6c796ab3573f728d6c30d9f |
| SHA256 | fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903 |
| SHA512 | 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-13 08:54
Reported
2023-01-13 08:57
Platform
win10v2004-20221111-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
AsyncRat
Vjw0rm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtFYVjAgTz.js | C:\Windows\System32\wscript.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Recycle Bin.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR MV W-MAYFAIR.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js"
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7FD3.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Recycle Bin" /tr '"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
"C:\Users\Admin\AppData\Roaming\Recycle Bin.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.97:5443 | javaautorun.duia.ro | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 84.21.172.33:6606 | N/A | tcp |
| N/A | 20.189.173.11:443 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\FtFYVjAgTz.js
| MD5 | 7586d9e4467d26fde97538eab36cf88c |
| SHA1 | d7fcd37e0bc9e790023a38d2d470cd001f81ca92 |
| SHA256 | 7aff4cbd997ad6886484076ba71d1c067931d9a1462aa16e9d2fc47b4d5b8f18 |
| SHA512 | 02676bd1e1086eeae9bdec3bce065ac97267c457daf6fbd77a783d7fc81fc6f891518d6fd19dd525e84ebd25e3098614c4bbefa71ded301cd3a7a46ed2a40e0a |
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
| MD5 | 1b5be7647628e1de782bb8f33d369dd3 |
| SHA1 | cd6e2f240ea97d03c6c796ab3573f728d6c30d9f |
| SHA256 | fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903 |
| SHA512 | 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155 |
C:\Users\Admin\AppData\Local\Temp\tmp7FD3.tmp.bat
| MD5 | 7992de01af08d08ca180f7698efd9d6f |
| SHA1 | 110093addb8489a40d547912e58d65d62e126d7d |
| SHA256 | 0d05720a0966d99bdc852f86268a8e88a9b1bcd3a65a1f0ca3eb2f1baad3b6bc |
| SHA512 | 2130256f80836409e1048c1c56a940bca5443eb039d555aea3c779716974fc4e3b83ffd3d53fe79e667198cb5fa41487a0c28f587fdc944c2b21c942a8997eba |
C:\Users\Admin\AppData\Roaming\Recycle Bin.exe
| MD5 | 1b5be7647628e1de782bb8f33d369dd3 |
| SHA1 | cd6e2f240ea97d03c6c796ab3573f728d6c30d9f |
| SHA256 | fb7bd4fd5348db2f3b763f5215e964892387af9fe83df18455432dc245f7b903 |
| SHA512 | 93de4f650672705d3975ba7dd0d0901c03834117d014f91dc093ac0a26abed7737aa2344dd30bb8fd258220576d09ec15368777597d78bec9f43dfa53f67b155 |