Analysis

  max time kernel:   135s
  max time network:  152s
  platform:          windows10-2004_x64
  resource:          win10v2004-20230220-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         28/04/2023, 09:09

  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            Memory.vbs
  Resource:          win7-20230220-en
General

  Target:  Memory.vbs
  Size:    2.9MB
  MD5:     dc41ef27fd74ade70d62e7bfcbbe2de2
  SHA1:    e8282edf1205c6cfccef3cdf41ea4303a45c5745
  SHA256:  ad9a2790803eb17a4e3977c514c4ca98e520cb38f00f8103ee5f2cc1ed209b47
  SHA512:  ae779c4b20616e92080ba02167b1105d73a001bbf612efadbe7b84be355918f6aa1d582e7ae45478d84d8349651db99efd36b4545a85334e5945382c90875d36
  SSDEEP:  1536:khTJiTSxGdQkVHgnlUTCAmTzZQXEXtXX8XZXDKcZtDRRj7aqDfR/wyihW9Qk2vSj:C6uECAm0wyihW9Qk2vSk8BtaN8wRnX5W
Malware Config

  Extracted

  Family:          asyncrat
  Version:         0.5.7B
  Botnet:          Default
  C2:              95.214.24.134:1911
                   95.214.24.134:1912
  Mutex:           AsyncMutex_6SI8OkPnk
  delay:           5
  install:         false
  install_folder:  %AppData%
Signatures

  Async RAT payload (1 IoC)
    resource                                                                  yara_rule
    behavioral2/memory/3628-174-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat

  Blocklisted process makes network request (3 IoCs)
    flow  pid   Process
    8     5040  WScript.exe
    11    5040  WScript.exe
    16    5040  WScript.exe

  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    description        ioc                                                                                                        Process
    Key value queried  \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation  WScript.exe

  Executes dropped EXE (1 IoC)
    pid   Process
    3628  RegSvcs.exe

  Suspicious use of SetThreadContext (1 IoC)
    description                          pid  Process         procid_target
    PID 272 set thread context of 3628   272  powershell.exe  93

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious behavior: EnumeratesProcesses (9 IoCs)
    pid  Process
    272  powershell.exe  (9 identical entries)

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description               pid   Process
    Token: SeDebugPrivilege   272   powershell.exe
    Token: SeDebugPrivilege   3628  RegSvcs.exe

  Suspicious use of WriteProcessMemory (12 IoCs)
    description                      pid   Process         procid_target
    PID 5040 wrote to memory of 4132  5040  WScript.exe     86
    PID 5040 wrote to memory of 4132  5040  WScript.exe     86
    PID 4132 wrote to memory of 272   4132  cmd.exe         89
    PID 4132 wrote to memory of 272   4132  cmd.exe         89
    PID 272 wrote to memory of 3628   272   powershell.exe  93  (8 identical entries)
Processes

  1. C:\Windows\System32\WScript.exe
     Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"
     PID: 5040
     Signatures:
       - Blocklisted process makes network request
       - Checks computer location settings
       - Suspicious use of WriteProcessMemory

     2. C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\EHKOZ.cmd" "
        PID: 4132
        Signatures:
          - Suspicious use of WriteProcessMemory

        3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
           Command line: PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\FWVCX.ps1
           PID: 272
           Signatures:
             - Suspicious use of SetThreadContext
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of WriteProcessMemory

           4. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
              PID: 3628
              Signatures:
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize:  44KB
  MD5:       9d352bc46709f0cb5ec974633a0c3c94
  SHA1:      1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256:    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512:    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

  Filesize:  44KB
  MD5:       9d352bc46709f0cb5ec974633a0c3c94
  SHA1:      1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256:    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512:    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

  Filesize:  60B
  MD5:       d17fe0a3f47be24a6453e9ef58c94641
  SHA1:      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256:    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512:    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  Filesize:  276B
  MD5:       cf0d0c9a3f216b899b91781a093e829e
  SHA1:      606998c5c842f4d86e72819e92ef485a1f24bf2a
  SHA256:    a12cc767ab92fa1379c213ebc9a637bfbc0c316e654850789a19abc17eb65a75
  SHA512:    bd3af39529ea646026716b4d6ed343f98b989beeb0f025e90be54b55050b38744aa9c6a04b061394c3ef2abfce797b943e83ac5a8386888319c03e380f3839f5

  Filesize:  75B
  MD5:       0c4f14db483f17cc1842aa6d7762fe00
  SHA1:      582e6d58bee7b124cd6b0b4d9514f73ce68d374c
  SHA256:    c3aa7a1a4b7ff07c05c5c630853c1b9ce4110481a4300a05536e501f198fb4f4
  SHA512:    d5136d78b29667cfd3a6e2c050ebf95509e7acf032a192bc7eca8510f7c3d4b1e98aea1bb34cbe2d2cd54da87ee57dd2b93c4da27bf3ea30b5b32f5fe20f2950

  Filesize:  75B
  MD5:       0c4f14db483f17cc1842aa6d7762fe00
  SHA1:      582e6d58bee7b124cd6b0b4d9514f73ce68d374c
  SHA256:    c3aa7a1a4b7ff07c05c5c630853c1b9ce4110481a4300a05536e501f198fb4f4
  SHA512:    d5136d78b29667cfd3a6e2c050ebf95509e7acf032a192bc7eca8510f7c3d4b1e98aea1bb34cbe2d2cd54da87ee57dd2b93c4da27bf3ea30b5b32f5fe20f2950

  Filesize:  205KB
  MD5:       5136fb951b17f99d700ee1816764f255
  SHA1:      1ffa5721e100a286752da77bd203ac9d76573eec
  SHA256:    4c300f1601a8baa0a9bedf7048f960425ad7e1fe899b0ebded0f5628acdd0743
  SHA512:    29cacc82c91c194a8ca3df15aad8983d57c4bf563b9aec5b74cca0c99c8b42b49ff8ff182c42313ad7aee8d2fe3c2a6819dbcb0bef43eaaa01af53519b986566