Analysis

  • max time kernel
    169s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 14:55

General

  • Target

    c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe

  • Size

    980KB

  • MD5

    f5314596dce7444d09432a391bf7f669

  • SHA1

    b1186e0501078a510ad0a4af1bbefc2f7f9dee5c

  • SHA256

    c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be

  • SHA512

    0b45253fcaafbd9b5d4d10e8f7a313a46ea99cff8b9455e884db5f378e41578faab769beaddfb8fee81d72c46131cb7e967fe5e421053902ba190dff800e97f8

  • SSDEEP

    24576:3TbBv5rUEFP5eAsXpp3q1BGa6mXcqIAXiAZfzI6u:RBfP5vCAKLAXiAZs

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6889241853:AAHAa8eUBd5h6tWRG0OvgDx7o1_LKQJi-y8/sendMessage?chat_id=6367688286

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe
    "C:\Users\Admin\AppData\Local\Temp\c6f6a21328d5e291f331c4283fb3d4ed13499a1de87f773734c09ba0ccbd72be.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xikg.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3896
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /release
          4⤵
          • Gathers network information
          PID:2492
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c swbglvlssx.bmp vcpadlxuao.dat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\swbglvlssx.bmp
          swbglvlssx.bmp vcpadlxuao.dat
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3096
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
            • Drops desktop.ini file(s)
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4916
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3508
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                7⤵
                  PID:3660
                • C:\Windows\SysWOW64\netsh.exe
                  netsh wlan show profile
                  7⤵
                    PID:4516
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr All
                    7⤵
                      PID:2412
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3744
                    • C:\Windows\SysWOW64\chcp.com
                      chcp 65001
                      7⤵
                        PID:1252
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh wlan show networks mode=bssid
                        7⤵
                          PID:1004
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4620
                  • C:\Windows\SysWOW64\ipconfig.exe
                    ipconfig /renew
                    4⤵
                    • Gathers network information
                    PID:4852

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Execution

            Command and Scripting Interpreter

            1
            T1059

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            4
            T1082

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\03c164f6b151f39fecacc790fef4edc5\msgid.dat
              Filesize

              4B

              MD5

              7c4ede33a62160a19586f6e26eaefacf

              SHA1

              db8770342fdf063d3128150901ea357f68bb9001

              SHA256

              41e32284df1a73272655a26bfe6d4919ed6504972cc47461330a26e90cd9ddc3

              SHA512

              6d7f64fcddff389eb6251671e1c53d761e0d21b0e7a4fe4c872ed60f80f11fa97f18b5799435da306820cbf33dc88d94f0e6a707bcc834051101230f752be974

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\anrpi.3gp
              Filesize

              36KB

              MD5

              406db994bb11c5320a6d2780c8af9419

              SHA1

              10503f33ae662a8eb92dc3198ffc074cc736b24c

              SHA256

              ee4366252ab52d6c079246c14d9407457a91a64065816ac2c26acc2582c41fd2

              SHA512

              1a5e66f74f7112e2e0cdec4d5e997c02656efb0182b1c1aa292437eb711046c3b110a8adb548d603f17d67c764b1aa5f189408050cc6478ad38bcfe238342e72

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwjwmi.lsc
              Filesize

              292KB

              MD5

              042b73b18e96dd8e5848507d7ac60ddc

              SHA1

              cc789c7fca70c7a2cb3666a4c691cfafa74f3cb2

              SHA256

              d5f12fabd9bab67d33cf3e26a325c7f720dc9d58b505605c5b17a2e26b7b7437

              SHA512

              8c9bd44c14960f587abc387fe817be479e02c2b7c503b849d441101f2f248460d0452040f646c1832b19a5690db47b43687250e295835abe7cee4900f0768969

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\swbglvlssx.bmp
              Filesize

              925KB

              MD5

              0adb9b817f1df7807576c2d7068dd931

              SHA1

              4a1b94a9a5113106f40cd8ea724703734d15f118

              SHA256

              98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

              SHA512

              883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcpadlxuao.dat
              Filesize

              93.6MB

              MD5

              aa1915f975679c2099d0a9fdacabfd85

              SHA1

              6fa5f8a05ad8b06b4a4464560c669c1067cb8f4a

              SHA256

              48842b595e9dfa512f008c6d77520c4cfdea84c16336a2f1c5003f1964b0d8da

              SHA512

              67b016129ec10111c81f25f922369eaae486437ad6614f5cfb0339e260d29f2e27010f0ec14addd2d7aa8212bfa783740f9989284ee175524da349a1b198ad9b

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xikg.vbe
              Filesize

              71KB

              MD5

              5ae9f9fdd5c7d683b7f9f2ea276b2fb7

              SHA1

              a71eed0968de9caf7636a1c81322f27588af0546

              SHA256

              b1b3fd9a4ae874afe1ac1af617d6e7210dfe831a9057bbebdf74f3086f5af8b1

              SHA512

              49343720b71d35fd28d0567b751a01e0d504204845930caa0cec3879f95c056703894e0579fd4d7f75c763f382323b66f259c6a3c1959b26b7a0a44316f50f2b

            • C:\Users\Admin\AppData\Local\b9bc7084975ee05e71a887511fd8e822\Admin@GYXYZBUQ_en-US\System\Process.txt
              Filesize

              4KB

              MD5

              e36752f1bb132552c7b7d08eb5b6ff18

              SHA1

              a6a8e2719d5ec3c4d803c369a3cedb301323b1a8

              SHA256

              4d6c7d7f0a60ee48c38737ac83313cc5b0f6868db0f99b28c35d228a31fa737c

              SHA512

              6c245771ee67ffbc8e411fb81a5f7e31c01a7931713e6014e51c3c6a8077d56b7a543ecb17cf48bee80883bf1a94b901475b7b4c4f40c291d157b335bbfa5703

            • memory/4916-171-0x00000000728B0000-0x0000000073060000-memory.dmp
              Filesize

              7.7MB

            • memory/4916-76-0x000000000D0C0000-0x000000000D0D0000-memory.dmp
              Filesize

              64KB

            • memory/4916-104-0x000000000D440000-0x000000000D4A6000-memory.dmp
              Filesize

              408KB

            • memory/4916-75-0x00000000728B0000-0x0000000073060000-memory.dmp
              Filesize

              7.7MB

            • memory/4916-205-0x000000000D0C0000-0x000000000D0D0000-memory.dmp
              Filesize

              64KB

            • memory/4916-74-0x0000000000D70000-0x0000000000DA0000-memory.dmp
              Filesize

              192KB

            • memory/4916-248-0x000000000D0C0000-0x000000000D0D0000-memory.dmp
              Filesize

              64KB

            • memory/4916-250-0x000000000DFB0000-0x000000000E042000-memory.dmp
              Filesize

              584KB

            • memory/4916-251-0x000000000E600000-0x000000000EBA4000-memory.dmp
              Filesize

              5.6MB

            • memory/4916-255-0x000000000E0B0000-0x000000000E0BA000-memory.dmp
              Filesize

              40KB

            • memory/4916-73-0x0000000000D70000-0x0000000001D70000-memory.dmp
              Filesize

              16.0MB

            • memory/4916-261-0x000000000D870000-0x000000000D882000-memory.dmp
              Filesize

              72KB

            • memory/4916-286-0x000000000D0C0000-0x000000000D0D0000-memory.dmp
              Filesize

              64KB