Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/04/2023, 10:56
Static task: static1
Behavioral task: behavioral1
Sample: Memory.vbs
Resource: win7-20230220-en
General
Target: Memory.vbs
Size: 2.9MB
MD5: dc41ef27fd74ade70d62e7bfcbbe2de2
SHA1: e8282edf1205c6cfccef3cdf41ea4303a45c5745
SHA256: ad9a2790803eb17a4e3977c514c4ca98e520cb38f00f8103ee5f2cc1ed209b47
SHA512: ae779c4b20616e92080ba02167b1105d73a001bbf612efadbe7b84be355918f6aa1d582e7ae45478d84d8349651db99efd36b4545a85334e5945382c90875d36
SSDEEP: 1536:khTJiTSxGdQkVHgnlUTCAmTzZQXEXtXX8XZXDKcZtDRRj7aqDfR/wyihW9Qk2vSj:C6uECAm0wyihW9Qk2vSk8BtaN8wRnX5W
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 95.214.24.134:1911, 95.214.24.134:1912
Mutex: AsyncMutex_6SI8OkPnk
delay: 5
install: false
install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
  resource: behavioral2/memory/2156-173-0x0000000000400000-0x0000000000412000-memory.dmp
  yara_rule: asyncrat
Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  7     4416  WScript.exe
  11    4416  WScript.exe
  13    4416  WScript.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation
  Process: WScript.exe
Executes dropped EXE (1 IoC)
  pid   Process
  2156  RegSvcs.exe
Suspicious use of SetThreadContext (1 IoC)
  description: PID 1288 set thread context of 2156
  pid: 1288
  Process: powershell.exe
  procid_target: 95
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  Process: taskmgr.exe

  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Process: taskmgr.exe

  description: Key value queried
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  Process: taskmgr.exe
Modifies registry class (1 IoC)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings
  Process: taskmgr.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid   Process         entries
  1288  powershell.exe  9
  4444  taskmgr.exe     16
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                      pid   Process
  Token: SeDebugPrivilege          1288  powershell.exe
  Token: SeDebugPrivilege          2156  RegSvcs.exe
  Token: SeDebugPrivilege          4444  taskmgr.exe
  Token: SeSystemProfilePrivilege  4444  taskmgr.exe
  Token: SeCreateGlobalPrivilege   4444  taskmgr.exe
Suspicious use of FindShellTrayWindow (28 IoCs)
  pid   Process      entries
  4444  taskmgr.exe  28
Suspicious use of SendNotifyMessage (28 IoCs)
  pid   Process      entries
  4444  taskmgr.exe  28
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process         procid_target  entries
  PID 4416 wrote to memory of 3400   4416  WScript.exe     88             2
  PID 3400 wrote to memory of 1288   3400  cmd.exe         91             2
  PID 1288 wrote to memory of 2156   1288  powershell.exe  95             8
Processes

C:\Windows\System32\WScript.exe (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"
  PID: 4416
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\EHKOZ.cmd" "
    PID: 3400
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\FWVCX.ps1
      PID: 1288
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        PID: 2156
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe (depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4444
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe (depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2900
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 44KB
MD5: 9d352bc46709f0cb5ec974633a0c3c94
SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: 9a9f52c0ba093377d4a76bfc00589330
SHA1: aece433ae7c1017b1ec63dc8001d250ae3c50946
SHA256: bec35cc343049f713992713fc2129c11170d68113e797be34f362855e4e96e3d
SHA512: 46c7ed3e501b285a9719d82c7936b75157560b862f0e7863facbd78316d2650e9723435cdfa342705166b02d7b51f89347c5d06aa2ccf071cc0ef0382912a86f

Filesize: 276B
MD5: cf0d0c9a3f216b899b91781a093e829e
SHA1: 606998c5c842f4d86e72819e92ef485a1f24bf2a
SHA256: a12cc767ab92fa1379c213ebc9a637bfbc0c316e654850789a19abc17eb65a75
SHA512: bd3af39529ea646026716b4d6ed343f98b989beeb0f025e90be54b55050b38744aa9c6a04b061394c3ef2abfce797b943e83ac5a8386888319c03e380f3839f5

Filesize: 75B
MD5: 0c4f14db483f17cc1842aa6d7762fe00
SHA1: 582e6d58bee7b124cd6b0b4d9514f73ce68d374c
SHA256: c3aa7a1a4b7ff07c05c5c630853c1b9ce4110481a4300a05536e501f198fb4f4
SHA512: d5136d78b29667cfd3a6e2c050ebf95509e7acf032a192bc7eca8510f7c3d4b1e98aea1bb34cbe2d2cd54da87ee57dd2b93c4da27bf3ea30b5b32f5fe20f2950
Filesize: 205KB
MD5: 5136fb951b17f99d700ee1816764f255
SHA1: 1ffa5721e100a286752da77bd203ac9d76573eec
SHA256: 4c300f1601a8baa0a9bedf7048f960425ad7e1fe899b0ebded0f5628acdd0743
SHA512: 29cacc82c91c194a8ca3df15aad8983d57c4bf563b9aec5b74cca0c99c8b42b49ff8ff182c42313ad7aee8d2fe3c2a6819dbcb0bef43eaaa01af53519b986566