Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
01/01/2024, 01:31
General
-
Target
c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419.exe
-
Size
1.6MB
-
MD5
6dabcc4315aec87869a8f89f0207b9ec
-
SHA1
25796d8f144f0287c0218c7aa448f4f914891fc1
-
SHA256
c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419
-
SHA512
336ac664d71ec9c4e044b921f4dca64e6283024412c38e4dbdcced21ccc7fef6684213b9a69092dced322a557e05aff7066bbc762856af2bd71d7d4935840a15
-
SSDEEP
24576:q74oSZSYH/O+sIV8aUgibdu5Hrll117UXDpLAZCR1:q74xpRs7aUgibduNRlb0lH
Malware Config
Extracted
xworm
3.1
-
Install_directory
%ProgramData%
-
install_file
SecurityHealthSystray.exe
-
telegram
https://api.telegram.org/bot5370417334:AAEZrEauqhTNZInhZ9_-SaapQJIi0hIvjJU
Extracted
asyncrat
Default
尺vcΕ贼2C伊R开tΗKTتDmF尺
-
c2_url_file
https://fvia.app/ip2.txt
-
delay
5
-
install
false
-
install_folder
%Windows%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload 4 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Async RAT payload 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 11 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419.exe"C:\Users\Admin\AppData\Local\Temp\c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Seting.exe"C:\ProgramData\Seting.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAYwBwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcgBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAZABuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcwB4ACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSecurity.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\ProgramData\WindowsSecurity.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\ship.exe"C:\Users\Admin\AppData\Roaming\ship.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Roaming\Registry Editor.exe"C:\Users\Admin\AppData\Roaming\Registry Editor.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\powershell.vbs"3⤵
- Blocklisted process makes network request
-
-
C:\Users\Admin\AppData\Roaming\Security.exe"C:\Users\Admin\AppData\Roaming\Security.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\ntoskrn.exe"C:\Users\Admin\AppData\Roaming\ntoskrn.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\dow.exe"C:\Users\Admin\AppData\Local\dow.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
-
-
C:\ProgramData\WindowsSecurity.exeC:\ProgramData\WindowsSecurity.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\WindowsSecurity.exeC:\ProgramData\WindowsSecurity.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
382KB
MD597752a5b746ebe8343bf72b1d54befb0
SHA162ab9351ed95e5698edfffb52ece340b817d383c
SHA25687983c5c44ada562b2401f55ee5850ed01b4ce065c03ceaf1668504010eb0fa0
SHA512712f034ffcb1c074b487db43d4223c6a8b6eb570993bd42082ba463758f23a849bb8874c9ccaba6a4f24c2f165657e55134376e183f798070ced9aaf7b0a2de5
-
Filesize
91KB
MD5b570b1b72a2873d81f2eae8e0e08b3fd
SHA1c1910dd2ef5722acb6866c2119ed9fb1c74e7cd9
SHA2564cce400bfa7e73b53b4c2d2a35ab5285f5553f517dda648a174fd8275a17bf2a
SHA512eb156f622d7dee5377cacafcefe0a6d2369968827527197bd290f4c58448b92a0e734dbf837f1851f6e4625989249ae90b1560a048f62dc11881fc1834160743
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
60KB
MD56e640664f19b746e370f16c205f349fe
SHA105333fd1455c1a316682b14c3aecfd0591260df0
SHA25691eedf2fdb0d1a5c41b3fc7c9e6d50ba7f09a1456688847d446c5d9295614454
SHA51299437864de9375044d715f90fe24e47457c8af54e5f5ac8eb57943128f717246a78c10dc6ded8a55926eb6c690178138ce14ef9f48552cc62b8505f9190a1e58
-
Filesize
375KB
MD5216ef921adac2bbb51ff6331f61b19e7
SHA190c3cfc3b78daa2bfa12d26dbd765fbfd4bc510d
SHA2565d717d35b913ff6d13c408f294d899ca58bb321598426eca2bea71b9e6edd9ce
SHA51233b817fe0b8bcca66173dd293de6a4926b5195a990ee575a378eb4c71610dc68bb3e36b70f4498bd8a2fc9d12283b05a8fd296d2108554105f0e49fdb9e89f0c
-
Filesize
92KB
MD5cb26677c2c8afa055da9ab0cc43fcf97
SHA1dee9ced8652208ffd8023613f0c78ff6519141c7
SHA256af7f49fab62b95d68d20eef55895f1f842f457aa04707530adbfa6fc2a3054c6
SHA5121d2e77d808730ef1451c2b1085475dc513e4613295e7f17ea68bb15394e0b6e5aac6b7325d68e15e47d7cd90bb2d09e0e2194fcbebbee99d4db67a51806384a4
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
216KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
600KB
-
Filesize
6.5MB
-
Filesize
80KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
400KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.6MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
108KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
76KB