Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01-02-2023 22:25
General
-
Target
Legion Private Bot.exe
-
Size
640KB
-
MD5
092334866080e7ec50fccc264d869221
-
SHA1
b4b69530c71474507e8ec5a341252e11862986e0
-
SHA256
1080f3cd4328fd1e0597c4aba89bf5004894c938234f2d2ccf282f1416219864
-
SHA512
101eaf97dc6293d7295fccd7883d161c128c780f55d76ba3132685cd92d52d0a417b373d08aa7cdde82f7cf0831776ea959040c7f6fb9568abbf34d365cbc9d9
-
SSDEEP
12288:/QGF2tAu9o+JPYx+5psS5GkwqbT7pllql+WZcYrje23UFDd6S7sQo:/7F2tAu9o+JQ+5psSU12olvraDt7s
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5345460701:AAELDlYM_8yHwfKYHoYl_27JYXLpT-SLsyY/sendMessage?chat_id=689992339
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 6 IoCs
-
Async RAT payload 6 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops desktop.ini file(s) 8 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Legion Private Bot.exe"C:\Users\Admin\AppData\Local\Temp\Legion Private Bot.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Legion Private Bot.exe"C:\Users\Admin\AppData\Local\Temp\Legion Private Bot.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svc host.exe"C:\Users\Admin\AppData\Roaming\svc host.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svc host.exe"C:\Users\Admin\AppData\Roaming\svc host.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"4⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile6⤵
-
C:\Windows\SysWOW64\findstr.exefindstr All6⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid6⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"5⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Windows Security Service.exeFilesize
297KB
MD546f8b83424bbee8da5fd4f604ff0d980
SHA170bb6632cdafd5d2b1d12017be7573f997782ddd
SHA256618abb7d696e6545bf5c13f03a45faf1e5c3a15ecbedd0bf59096a62c6c94c9a
SHA512898390de451b8e6b691df6e7fbc3ccfbfd030da7ba6b436bf4a8fe0ebe20f8a2914b346f5775fe9ea7bed6d350f4f66adb6106cf83d22c4116bac384e02fb03c
-
C:\Users\Admin\AppData\Roaming\Windows Security Service.exeFilesize
297KB
MD546f8b83424bbee8da5fd4f604ff0d980
SHA170bb6632cdafd5d2b1d12017be7573f997782ddd
SHA256618abb7d696e6545bf5c13f03a45faf1e5c3a15ecbedd0bf59096a62c6c94c9a
SHA512898390de451b8e6b691df6e7fbc3ccfbfd030da7ba6b436bf4a8fe0ebe20f8a2914b346f5775fe9ea7bed6d350f4f66adb6106cf83d22c4116bac384e02fb03c
-
C:\Users\Admin\AppData\Roaming\Windows Security Service.exeFilesize
297KB
MD546f8b83424bbee8da5fd4f604ff0d980
SHA170bb6632cdafd5d2b1d12017be7573f997782ddd
SHA256618abb7d696e6545bf5c13f03a45faf1e5c3a15ecbedd0bf59096a62c6c94c9a
SHA512898390de451b8e6b691df6e7fbc3ccfbfd030da7ba6b436bf4a8fe0ebe20f8a2914b346f5775fe9ea7bed6d350f4f66adb6106cf83d22c4116bac384e02fb03c
-
C:\Users\Admin\AppData\Roaming\svc host.exeFilesize
140KB
MD5397638390e9c49c10200a5cbd7a9ec7f
SHA1e763d4cf6f005eac4fa683647d33ff9989069a90
SHA2560b6a4f044f5e73cea182b412fe01dd6b93b959c29c477bb729facc9d6f648c0f
SHA51211e1d3ddc3bc932e39462cf8c5f5f876edcdb609a29913c0d7775a9130e0634836aa1f0d5bc1fe66c4b0c8ceda429a135d3ded37ecb9fc8f36fe0a37b5b34701
-
C:\Users\Admin\AppData\Roaming\svc host.exeFilesize
140KB
MD5397638390e9c49c10200a5cbd7a9ec7f
SHA1e763d4cf6f005eac4fa683647d33ff9989069a90
SHA2560b6a4f044f5e73cea182b412fe01dd6b93b959c29c477bb729facc9d6f648c0f
SHA51211e1d3ddc3bc932e39462cf8c5f5f876edcdb609a29913c0d7775a9130e0634836aa1f0d5bc1fe66c4b0c8ceda429a135d3ded37ecb9fc8f36fe0a37b5b34701
-
C:\Users\Admin\AppData\Roaming\svc host.exeFilesize
140KB
MD5397638390e9c49c10200a5cbd7a9ec7f
SHA1e763d4cf6f005eac4fa683647d33ff9989069a90
SHA2560b6a4f044f5e73cea182b412fe01dd6b93b959c29c477bb729facc9d6f648c0f
SHA51211e1d3ddc3bc932e39462cf8c5f5f876edcdb609a29913c0d7775a9130e0634836aa1f0d5bc1fe66c4b0c8ceda429a135d3ded37ecb9fc8f36fe0a37b5b34701
-
\Users\Admin\AppData\Roaming\Windows Security Service.exeFilesize
297KB
MD546f8b83424bbee8da5fd4f604ff0d980
SHA170bb6632cdafd5d2b1d12017be7573f997782ddd
SHA256618abb7d696e6545bf5c13f03a45faf1e5c3a15ecbedd0bf59096a62c6c94c9a
SHA512898390de451b8e6b691df6e7fbc3ccfbfd030da7ba6b436bf4a8fe0ebe20f8a2914b346f5775fe9ea7bed6d350f4f66adb6106cf83d22c4116bac384e02fb03c
-
\Users\Admin\AppData\Roaming\svc host.exeFilesize
140KB
MD5397638390e9c49c10200a5cbd7a9ec7f
SHA1e763d4cf6f005eac4fa683647d33ff9989069a90
SHA2560b6a4f044f5e73cea182b412fe01dd6b93b959c29c477bb729facc9d6f648c0f
SHA51211e1d3ddc3bc932e39462cf8c5f5f876edcdb609a29913c0d7775a9130e0634836aa1f0d5bc1fe66c4b0c8ceda429a135d3ded37ecb9fc8f36fe0a37b5b34701
-
memory/900-116-0x0000000000000000-mapping.dmp
-
memory/952-113-0x0000000000000000-mapping.dmp
-
memory/1144-60-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1144-69-0x00000000003B0000-0x00000000003B8000-memory.dmpFilesize
32KB
-
memory/1144-68-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1144-62-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1144-66-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1144-64-0x0000000000471B5E-mapping.dmp
-
memory/1144-63-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1144-58-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1144-57-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/1248-111-0x0000000000000000-mapping.dmp
-
memory/1280-112-0x0000000000000000-mapping.dmp
-
memory/1496-114-0x0000000000000000-mapping.dmp
-
memory/1520-117-0x0000000000000000-mapping.dmp
-
memory/1552-86-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1552-104-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1552-91-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1552-95-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1552-85-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1552-99-0x0000000000403C6E-mapping.dmp
-
memory/1552-97-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1552-107-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1604-55-0x0000000076DC1000-0x0000000076DC3000-memory.dmpFilesize
8KB
-
memory/1604-56-0x0000000000550000-0x000000000055A000-memory.dmpFilesize
40KB
-
memory/1604-54-0x0000000001090000-0x0000000001136000-memory.dmpFilesize
664KB
-
memory/1796-121-0x0000000000000000-mapping.dmp
-
memory/1820-76-0x0000000000000000-mapping.dmp
-
memory/1820-80-0x0000000000FF0000-0x0000000001042000-memory.dmpFilesize
328KB
-
memory/1912-118-0x0000000000000000-mapping.dmp
-
memory/1944-72-0x0000000000000000-mapping.dmp
-
memory/1944-77-0x0000000000340000-0x000000000036A000-memory.dmpFilesize
168KB
-
memory/2008-90-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2008-110-0x0000000004A35000-0x0000000004A46000-memory.dmpFilesize
68KB
-
memory/2008-105-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2008-94-0x000000000043B7EE-mapping.dmp
-
memory/2008-100-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2008-92-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2008-89-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2008-83-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2008-120-0x0000000004A35000-0x0000000004A46000-memory.dmpFilesize
68KB
-
memory/2008-84-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB