Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
23-04-2024 21:16
General
-
Target
lMG_MlaKhlfa1111HD_14546.vbs
-
Size
255KB
-
MD5
b921e66031316c979fac97b7012990ce
-
SHA1
01c4d314a23b6bd8b571b302c3483b7be904309f
-
SHA256
82d21f05aa27eb85e5244cd11a3e60b39093942d19ac86e20b96a280e9579544
-
SHA512
c0085dd5bc5595ff00a091361def95d92c3260a66e2c84c2aa2d54d2a48b3c5249d071e1db240d1ba2a5c26fc7b9d79122d9b0df55a1a4008025813d0839986f
-
SSDEEP
3072:Q03pA03pp03pmAk79DqcPKrB5jzeTMJNHEPenFkCum03pvfpp03pp03pp03pA:wk79DqcyrBJeQJhEPeQr5
Malware Config
Extracted
asyncrat
1.0.7
ADFLYYYY
139.99.133.66:6666
acwwcawwacwvasasa
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
remcos
ADFLY
139.99.133.66:4444
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
asasasas-SEG6JT
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
xenorat
139.99.133.66
Xeno_rat_nd8912d
-
delay
5000
-
install_path
nothingset
-
port
9999
-
startup_name
nothingset
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 15 IoCs
-
Registers COM server for autorun 1 TTPs 24 IoCs
-
Suspicious use of SetThreadContext 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
Modifies registry class 54 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lMG_MlaKhlfa1111HD_14546.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSWOW64\WSCRIPT.EXE"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Admin\AppData\Local\Temp\lMG_MlaKhlfa1111HD_14546.vbs"2⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\remc1.vbs"' & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\remc1.vbs"'5⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\remc1.vbs"6⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"7⤵
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 808⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 728⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe"7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xeno.vbs"' & exit4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xeno.vbs"'5⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xeno.vbs"6⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 808⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 808⤵
- Program crash
-
-
-
-
-
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4688 -ip 46881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1520 -ip 15201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4588 -ip 45881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4868 -ip 48681⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
1KB
MD55315900105942deb090a358a315b06fe
SHA122fe5d2e1617c31afbafb91c117508d41ef0ce44
SHA256e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
SHA51277e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6
-
Filesize
15KB
MD52f30c17153324e5b95a8fb9a2136467f
SHA153eaba9255ba3e35c232ee8085fa7a0b077666fa
SHA256be90e3f85ede06ef33b207a95db4075b33c93e50b52a6099d8cc826ddc308d8f
SHA512c89a1cd78eb7a2fd759e61ffbf96d1921f504c45f6c5f6b3dbd2fccc8741ad4cc283f73bbc50030afd79ad4c99ab887a7f07323dbcb076b584a5b1a2301ebad9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
13KB
MD5e0b8dfd17b8e7de760b273d18e58b142
SHA1801509fb6783c9e57edc67a72dde3c62080ffbaf
SHA2564ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379
SHA512443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b
-
Filesize
1.1MB
MD5996ce58a48e655f549f5713f0e611f39
SHA1ecec7979eb9d83600ea972ccfd2bb140209e2bbc
SHA256f9dea360c36d495e10a397ae78412f08de99609916592275b73045b7df096dd2
SHA512f992b04057b3e99439c08c249b73ba2afaf6880a6dcf7e6d08413f23d7ce122f087ffd236b75dd2c1f1750123e974ab45569019231a3577d2be227336b6b7eef
-
Filesize
251KB
MD5ec80082e5d40e6c94a4682fd840870c4
SHA11904a6688379fd732ec76932e8fc1eec7896cbac
SHA25674451d6bcb1565ab921e98a30b8bb8f2450d286cba1766ebd204efe3d96a78c9
SHA512d3f6a9e44c0608d41cc6dd9dd17ef31a394c3dae099f0c592ef9763590445e072866c23618c6dfb39843a108321e972b5fa49e6377f6a2e4887df35be2075bc5
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
472KB
-
Filesize
7.7MB
-
Filesize
48KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB