Analysis Overview
SHA256
24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1
Threat Level: Known bad
The file 24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1 was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
Stormkitty family
Async RAT payload
StormKitty payload
AsyncRat
StormKitty
Async RAT payload
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Looks up external IP address via web service
Looks up geolocation information via web service
Unsigned PE
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-17 04:47
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-17 04:47
Reported
2023-08-17 04:52
Platform
win7-20230712-en
Max time kernel
300s
Max time network
144s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\0d6f21e473bd34e4f437a965c7442805\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\0d6f21e473bd34e4f437a965c7442805\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\0d6f21e473bd34e4f437a965c7442805\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\0d6f21e473bd34e4f437a965c7442805\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\0d6f21e473bd34e4f437a965c7442805\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\0d6f21e473bd34e4f437a965c7442805\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\0d6f21e473bd34e4f437a965c7442805\Admin@UMAXQRGK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe
"C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.169:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp |
Files
memory/2316-54-0x0000000001290000-0x00000000012C2000-memory.dmp
memory/2316-55-0x0000000074070000-0x000000007475E000-memory.dmp
memory/2316-56-0x0000000004DF0000-0x0000000004E30000-memory.dmp
memory/2316-123-0x0000000074070000-0x000000007475E000-memory.dmp
memory/2316-124-0x0000000004DF0000-0x0000000004E30000-memory.dmp
memory/2316-126-0x0000000004DF0000-0x0000000004E30000-memory.dmp
memory/2316-129-0x0000000004DF0000-0x0000000004E30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabCCDA.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\TarCDE6.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 561baa80add5730d0dd455ae7cdf65fe |
| SHA1 | 15d0e57a1e3e2c4a3052ec459d921a8ec6e9adfc |
| SHA256 | b0431cf133ce0751fdb1cb979adcc5fc9e9d36e752aaa431c0ab51681b8153cc |
| SHA512 | 4085fff8a30b527d247a6cc621366fc57a74ad4d692545a0e13654b625b6592f3bb3a614f3adf7ab8acace9eff56822a7870fe85c7b7a64f057b12e51ccd78e0 |
C:\Users\Admin\AppData\Local\4814445c7194b6d07a9c25ef8b535433\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-17 04:47
Reported
2023-08-17 04:52
Platform
win10-20230703-en
Max time kernel
299s
Max time network
286s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\50f6b6661fb643d60fc15200c2dd0e9d\Admin@GJHWXLHY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\50f6b6661fb643d60fc15200c2dd0e9d\Admin@GJHWXLHY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\50f6b6661fb643d60fc15200c2dd0e9d\Admin@GJHWXLHY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\50f6b6661fb643d60fc15200c2dd0e9d\Admin@GJHWXLHY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\50f6b6661fb643d60fc15200c2dd0e9d\Admin@GJHWXLHY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\50f6b6661fb643d60fc15200c2dd0e9d\Admin@GJHWXLHY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\50f6b6661fb643d60fc15200c2dd0e9d\Admin@GJHWXLHY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\50f6b6661fb643d60fc15200c2dd0e9d\Admin@GJHWXLHY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe
"C:\Users\Admin\AppData\Local\Temp\24b53b38f7f87c5b7353d7a98b803b90447d75e3d187c605830bc2ee7ac3c2f1.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 97.114.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8808 | tcp | |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:8808 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:7707 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp | |
| N/A | 127.0.0.1:6606 | tcp |
Files
memory/4876-117-0x00000000000B0000-0x00000000000E2000-memory.dmp
memory/4876-118-0x00000000738A0000-0x0000000073F8E000-memory.dmp
memory/4876-119-0x0000000004960000-0x0000000004970000-memory.dmp
memory/4876-120-0x0000000004A70000-0x0000000004AD6000-memory.dmp
memory/4876-198-0x00000000738A0000-0x0000000073F8E000-memory.dmp
memory/4876-221-0x0000000004960000-0x0000000004970000-memory.dmp
C:\Users\Admin\AppData\Local\50f6b6661fb643d60fc15200c2dd0e9d\Admin@GJHWXLHY_en-US\System\Process.txt
| MD5 | 3c1fdc149ddb25e05662e73cc531f8ac |
| SHA1 | 675e9e81acd4aee7144112ea4e836726adc75dc5 |
| SHA256 | a6660657308eadc063d4ff1dc82e699d4060f9f40ecc53b0ada773f3247d8690 |
| SHA512 | c79e41d37953cb7ff59fc6a5320c518d190e5819c935aa9a77a92fc57661a93c4dcf16a9b0ec23e4a1757fce08f11664bb79c959c1c6a9708aad1d5a50013252 |
memory/4876-234-0x0000000004960000-0x0000000004970000-memory.dmp
memory/4876-235-0x0000000005410000-0x00000000054A2000-memory.dmp
memory/4876-236-0x0000000005DB0000-0x00000000062AE000-memory.dmp
memory/4876-240-0x0000000005910000-0x000000000591A000-memory.dmp
C:\Users\Admin\AppData\Local\e4aa1841e109e766a907c82566e769de\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/4876-246-0x00000000059A0000-0x00000000059B2000-memory.dmp
memory/4876-270-0x0000000004960000-0x0000000004970000-memory.dmp