Analysis
-
max time kernel
119s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02/04/2024, 13:14
Static task
static1
Behavioral task
behavioral1
Sample
2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$TEMP/Reaching.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$TEMP/Reaching.exe
Resource
win10v2004-20240226-en
General
-
Target
2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe
-
Size
647KB
-
MD5
4532fe89506406de9ebaa83778d74c8f
-
SHA1
8015b822fc7df8d33ec3416e773f7189e9b74b5f
-
SHA256
2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066
-
SHA512
50706520d3df0669ac2b7a75a6a234cd28deec92e8be98e0e4ce7ef8848952cc07b53e30723bf4668ee3f940714360f6ba705bfe83e2d47f3163c86e407ba36a
-
SSDEEP
12288:w3qcsNKVUdaaPDodw7y1Q3krddMK341VhJ5mhj2ZCm03Pjzkjp:w33uK2daGz+1Q3qdMKoDhJkhWCmQjzAp
Malware Config
Extracted
asyncrat
AWS | 3Losh
NEW_N4
fttuvgt.ddnsfree.com:6969
fttuvgt.ddnsfree.com:6668
fttuvgt.ddnsfree.com:6667
AsyncMutex_xxx342592
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 2456 created 1400 2456 Soldiers.pif 21 PID 2456 created 1400 2456 Soldiers.pif 21 -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 2456 Soldiers.pif 2092 RegAsm.exe -
Loads dropped DLL 3 IoCs
pid Process 1700 cmd.exe 2456 Soldiers.pif 2092 RegAsm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 2800 tasklist.exe 2772 tasklist.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2668 PING.EXE -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 2456 Soldiers.pif 2456 Soldiers.pif 2456 Soldiers.pif 2456 Soldiers.pif 2456 Soldiers.pif 2456 Soldiers.pif 2456 Soldiers.pif 2456 Soldiers.pif 2456 Soldiers.pif 2456 Soldiers.pif 2092 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2772 tasklist.exe Token: SeDebugPrivilege 2800 tasklist.exe Token: SeDebugPrivilege 2092 RegAsm.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 2456 Soldiers.pif 2456 Soldiers.pif 2456 Soldiers.pif -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 2456 Soldiers.pif 2456 Soldiers.pif 2456 Soldiers.pif -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2092 RegAsm.exe -
Suspicious use of WriteProcessMemory 53 IoCs
description pid Process procid_target PID 2196 wrote to memory of 1700 2196 2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe 28 PID 2196 wrote to memory of 1700 2196 2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe 28 PID 2196 wrote to memory of 1700 2196 2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe 28 PID 2196 wrote to memory of 1700 2196 2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe 28 PID 1700 wrote to memory of 2772 1700 cmd.exe 30 PID 1700 wrote to memory of 2772 1700 cmd.exe 30 PID 1700 wrote to memory of 2772 1700 cmd.exe 30 PID 1700 wrote to memory of 2772 1700 cmd.exe 30 PID 1700 wrote to memory of 2244 1700 cmd.exe 31 PID 1700 wrote to memory of 2244 1700 cmd.exe 31 PID 1700 wrote to memory of 2244 1700 cmd.exe 31 PID 1700 wrote to memory of 2244 1700 cmd.exe 31 PID 1700 wrote to memory of 2800 1700 cmd.exe 33 PID 1700 wrote to memory of 2800 1700 cmd.exe 33 PID 1700 wrote to memory of 2800 1700 cmd.exe 33 PID 1700 wrote to memory of 2800 1700 cmd.exe 33 PID 1700 wrote to memory of 2520 1700 cmd.exe 34 PID 1700 wrote to memory of 2520 1700 cmd.exe 34 PID 1700 wrote to memory of 2520 1700 cmd.exe 34 PID 1700 wrote to memory of 2520 1700 cmd.exe 34 PID 1700 wrote to memory of 2796 1700 cmd.exe 35 PID 1700 wrote to memory of 2796 1700 cmd.exe 35 PID 1700 wrote to memory of 2796 1700 cmd.exe 35 PID 1700 wrote to memory of 2796 1700 cmd.exe 35 PID 1700 wrote to memory of 2376 1700 cmd.exe 36 PID 1700 wrote to memory of 2376 1700 cmd.exe 36 PID 1700 wrote to memory of 2376 1700 cmd.exe 36 PID 1700 wrote to memory of 2376 1700 cmd.exe 36 PID 1700 wrote to memory of 2680 1700 cmd.exe 37 PID 1700 wrote to memory of 2680 1700 cmd.exe 37 PID 1700 wrote to memory of 2680 1700 cmd.exe 37 PID 1700 wrote to memory of 2680 1700 cmd.exe 37 PID 1700 wrote to memory of 2456 1700 cmd.exe 38 PID 1700 wrote to memory of 2456 1700 cmd.exe 38 PID 1700 wrote to memory of 2456 1700 cmd.exe 38 PID 1700 wrote to memory of 2456 1700 cmd.exe 38 PID 1700 wrote to memory of 2668 1700 cmd.exe 39 PID 1700 wrote to memory of 2668 1700 cmd.exe 39 PID 1700 wrote to memory of 2668 1700 cmd.exe 39 PID 1700 wrote to memory of 2668 1700 cmd.exe 39 PID 2456 wrote to memory of 2656 2456 Soldiers.pif 40 PID 2456 wrote to memory of 2656 2456 Soldiers.pif 40 PID 2456 wrote to memory of 2656 2456 Soldiers.pif 40 PID 2456 wrote to memory of 2656 2456 Soldiers.pif 40 PID 2456 wrote to memory of 2092 2456 Soldiers.pif 42 PID 2456 wrote to memory of 2092 2456 Soldiers.pif 42 PID 2456 wrote to memory of 2092 2456 Soldiers.pif 42 PID 2456 wrote to memory of 2092 2456 Soldiers.pif 42 PID 2456 wrote to memory of 2092 2456 Soldiers.pif 42 PID 2456 wrote to memory of 2092 2456 Soldiers.pif 42 PID 2456 wrote to memory of 2092 2456 Soldiers.pif 42 PID 2456 wrote to memory of 2092 2456 Soldiers.pif 42 PID 2456 wrote to memory of 2092 2456 Soldiers.pif 42
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1400
-
C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe"C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Newsletters Newsletters.bat & Newsletters.bat3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"4⤵PID:2244
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"4⤵PID:2520
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 34844⤵PID:2796
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Reaching + Finest + Environmental + Tons + Symbols + Rice 3484\Soldiers.pif4⤵PID:2376
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Triangle + Ave + Tray 3484\o4⤵PID:2680
-
-
C:\Users\Admin\AppData\Local\Temp\3484\Soldiers.pif3484\Soldiers.pif 3484\o4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2456
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.14⤵
- Runs ping.exe
PID:2668
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & echo URL="C:\Users\Admin\AppData\Local\StitchCraft Studios Co\FinestitchR.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & exit2⤵
- Drops startup file
PID:2656
-
-
C:\Users\Admin\AppData\Local\Temp\3484\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\3484\RegAsm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2092
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
507KB
MD5fc2e0f6ae9c49f4c1f73e1a455bda758
SHA100297b73b0b5152c46e8a5517c10660fa37b1724
SHA256d2f8bad64a400060d230415a15f38449037907a6dd0e2d8e3f3b3c047a5be3f2
SHA512c88c0329f7827ac803b15dbfd59d09965832cb76e82390b1d27f22e9114f7e4adf38493fc97f816c0e0b8bbbc0b68a5d22f74bd7d783cf9bad0485e8328df2a0
-
Filesize
282KB
MD52af9a11316c5ec31d8429dd37e50b06b
SHA1cee13a90c0ba136825716f2dd1d517ec55bc3777
SHA256a49d011010b21fbe725d1f635e279285580a7d35e0eaf6d53ba8fc1d3bc8d8f0
SHA5122e05fbbd670b291b4fdb5f41b27c120f16b3a49ad61eed467efdb9178345c2b6889a5ed18728c123e1a5c7d29d26fa3ad98c50565bc4a88b6868708931a09831
-
Filesize
184KB
MD54a094b9a89ae4c55768e8e012ee4d023
SHA19d625903d40e8563a91171db01549302acb26091
SHA2568948e23d1611624abd88ef91d7ab119efe22896b8d12370ab2989d10f5fd8185
SHA512c40ad8c7294cbd4e3bd26229d4b2054b131a912005a0221c442c3f12d6cfebe1541738a8f4d1439071fd15c794b4cbc1b5ba0fd2a64adcd7d35615523bb590bc
-
Filesize
286KB
MD5190d5cc5f06756ecfd8284f7ca962cba
SHA10192bc94f63a4d999848d18b5b3400f53bc266ea
SHA256c848899356852d7cdd43ce525b0f464db427252ad07c539c064cb89a7bdbc5a2
SHA512e83ece7b2de4d376e08fb41e08139fe2793f705af86a0ebe379396712fd005e6961e8b7eb2d3b8b8c9711ee515d73a4870968038090885e4795c8f6b39e5f0ad
-
Filesize
26KB
MD51c4cabf20ffeef1a7d9e71d77d5c62fa
SHA1b6cfa0efd9b12a9b5f929ce3a41dab8dbb454656
SHA2568145332923bbb85ae2517c87b587b2de275219badf769fbc4064e3f76d1b26c0
SHA51239abf36ba0d2cc633abe7525e267b09418bd13aac906c24c00c106f0358671b1fc75cff6a26e6a9a3ec01249fc140441431ef18d2585c00e78f9973504f22a0b
-
Filesize
292KB
MD5c3a422b148a736804f525f481f289d2d
SHA12cead45c5bdcc21213701bc92f45d2ab3e9e7258
SHA256520b4a0ca94396abb97ea723ed7d6dfa7880cce4013d2f998b3c83090295d254
SHA512ddf1ba3d23f9b5363f3b1817e705ae4da6cddc3218c6778896eca9ec30ed0d0daf66cc502d133a56c4f880efeea026b0d513024e82d825684701e12a7339bb50
-
Filesize
41KB
MD50b0c7642bf84588d7fb643e251001b81
SHA14a7435708db3e0eea8d3e5ab9e78cdcfafdec4cd
SHA256047ee02962359b321112610fd3fa7ab416b028b9a2bee3cd7343de7641136aec
SHA51209b1800306461fe1fa1df0dc3a7a2b91de4a44dff950bec7eaef0de7b9c4f5c46d087f09f67ba4d819d5fd9ca1a6c44d8fa3d26ca20d80b672423c7bdc5b3dae
-
Filesize
33KB
MD5ced8fcd39719d599d0f4d9561e6fe507
SHA159eb5f73d676efae575623e546978d42decf6260
SHA2561927ede910ccaee4f846eb85401f63dc5860f5db5a66562b54853e59e437dd1e
SHA512a7bb599680bdb57e8a4c559a21403737e75d206798cebd53d0dd3939ef00445d8009c404772e23015919ba90ba522b87ef3cf44a7df6682fb2b622b2b67edfe0
-
Filesize
89KB
MD5639ac7a58107cc48b3d0f9ea512c4fae
SHA1a34aede82b0042f6e87902fbdd8e4a3ead6746f8
SHA25672d8b933bbe09704f7f5200ba648fbc12a26b0cf7b232c2f7172c1dcf6b5abef
SHA512794349c95e93f6fd5227ddce23bba317d8862c7d7ba4ac6c84adf59a127f39943a3c55e4949664197e7970b2d48d9afbe1b0fdde55562ffdacc5b2821621c85c
-
Filesize
12KB
MD583838b9779309c6deff2ecd321607cea
SHA109e321410d80ea507e8426de23967db9d9478e72
SHA2566718bc24cfddc6f194e5fe687fdeae9a189aaec7908a1545863cb1b43fdbf30c
SHA5125076d2808b31f63dc03f686b3434e210ee598b633df1b1f151d0a7c5e2fc3074209174451a5493fd232d52fdbf35a6459f29a45411144153464cf87ef558fc58
-
Filesize
213KB
MD5530605e3eccc1595d537b0baeabf2b36
SHA16a52cb76c3b5a615895f85e565cb219d5da56416
SHA25686151ad1b478399281ea7d5de476f6e3709fa17383d44e607ef62df9fefe8ec1
SHA512e397c19f63350bf6066f702cb7e9140effd235656d3f7c02bd8fdc11f4bdd36c1947a2109e845118b3cc9224e4c50dc1fb3a3cd3762348ee1d4006e368f52614
-
Filesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f