Analysis

  • max time kernel
    134s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23-05-2024 11:06

General

  • Target

    a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe

  • Size

    63KB

  • MD5

    b8d455465260a845db35492fda5a8888

  • SHA1

    287b0ba049ad8f3be802d2224efb86dba72d3221

  • SHA256

    a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282

  • SHA512

    5dba43ae31420de362593752e8ff491afbe8d20f183f6b95e6962ea1e637c7bf3bd50b5213e4d928a96b85d9b54841ee697798b0089624b13ef7eded826cd86a

  • SSDEEP

    768:CuY6LVcsTPq781wC8A+XjuazcBRL5JTk1+T4KSBGHmDbD/ph0oX9rAW6dEYSuEdP:reQPckdSJYUbdh9O8uEdpqKmY7

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

66.235.168.242:3232

Attributes
  • delay

    1

  • install

    true

  • install_file

    Loaader.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • UAC bypass 3 TTPs 3 IoCs
  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Windows security modification 2 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe
    "C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:3720
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5285.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:696
      • C:\Users\Admin\AppData\Roaming\Loaader.exe
        "C:\Users\Admin\AppData\Roaming\Loaader.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • UAC bypass
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Accesses Microsoft Outlook profiles
        • Checks whether UAC is enabled
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        • outlook_office_path
        • outlook_win_path
        PID:528
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5108
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:904
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1884
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
            PID:4088
          • C:\Windows\system32\netsh.exe
            netsh wlan show profile
            5⤵
            PID:3548
          • C:\Windows\system32\findstr.exe
            findstr All
            5⤵
            PID:1684
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2312
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
            PID:1956
          • C:\Windows\system32\netsh.exe
            netsh wlan show networks mode=bssid
            5⤵
            PID:3872
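Turning the extracted config and the process tree above into checkable indicators (an added example written for this page, not the sandbox's tooling and not the malware's code): the script transcribes the tree as (pid, ppid, cmdline) events, resolves the install path the implant will use from install_folder and install_file, and then reports the logon task, the timeout-delayed relaunch from the dropped .bat, and the Windows Defender exclusion attempt. The sandbox user name Admin, the mapping of %AppData% to AppData\Roaming and the event layout are assumptions; the netsh wlan branch of the tree is left out of the transcription.

```python
"""Indicator extraction for the AsyncRAT/Stealerium run on this page.  Added example,
not the sandbox's tooling or the malware's source.  Joins the extracted config to the
process tree (transcribed below as (pid, ppid, cmdline)) to answer: where the dropped
copy lives, how it persists, whether Defender was touched.  Assumed: sandbox user
"Admin", %AppData% = C:\\Users\\<user>\\AppData\\Roaming, and the event shape (ours)."""
import re
from typing import Dict, List, Optional, Tuple

Event = Tuple[int, Optional[int], str]  # (pid, parent pid, command line)

# From the "Malware Config" section above.
ASYNCRAT_CONFIG = {"c2": "66.235.168.242:3232", "delay": 1, "install": True,
                   "install_file": "Loaader.exe", "install_folder": "%AppData%"}

# Transcribed from the "Processes" tree above (netsh wlan branch omitted); parent links follow the nesting.
EVENTS: List[Event] = [
    (4888, None, r'"C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe"'),
    (832, 4888, r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"' & exit"""),
    (3720, 832, r"""schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"'"""),
    (2572, 4888, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5285.tmp.bat""'),
    (696, 2572, "timeout 3"),
    (528, 2572, r'"C:\Users\Admin\AppData\Roaming\Loaader.exe"'),
    (5108, 528, '"powershell" Get-MpPreference -verbose'),
    (904, 528, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"'),
]

def expected_install_path(cfg: Dict[str, object], user: str = "Admin") -> str:
    """Resolve install_folder + install_file the way the implant will on the host."""
    base = "C:\\Users\\" + user + "\\AppData"
    folders = {"%appdata%": base + "\\Roaming", "%localappdata%": base + "\\Local"}
    folder = str(cfg["install_folder"])
    return folders.get(folder.lower(), folder) + "\\" + str(cfg["install_file"])

def _image(cmdline: str) -> str:
    """Executable name without path or .exe/.com, taken from a raw command line."""
    s = cmdline.strip()
    tok = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(None, 1)[0]
    name = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith((".exe", ".com")) else name

def _schtasks_arg(cmdline: str, flag: str) -> Optional[str]:
    """Value of schtasks /flag, tolerating the nested '"..."' quoting seen in the tree."""
    m = re.search(r"/%s\s+['\"]*(.+?)['\"]*(?=\s+/|\s*&|\s*$)" % flag, cmdline, re.IGNORECASE)
    return m.group(1) if m else None

def find_persistence(events: List[Event], install_path: str) -> List[Dict[str, object]]:
    """schtasks /create entries; targets_install is True when /tr is the dropped copy."""
    hits = []
    for pid, _ppid, cmd in events:
        if _image(cmd) == "schtasks" and "/create" in cmd.lower():
            target = _schtasks_arg(cmd, "tr") or ""
            hits.append({"pid": pid, "task": _schtasks_arg(cmd, "tn"),
                         "schedule": (_schtasks_arg(cmd, "sc") or "").lower(),
                         "run_level": (_schtasks_arg(cmd, "rl") or "").lower(),
                         "target": target,
                         "targets_install": target.lower() == install_path.lower()})
    return hits

def find_delayed_launch(events: List[Event], install_path: str) -> List[Dict[str, object]]:
    """cmd.exe running a dropped .bat whose children are `timeout N` and then an .exe."""
    children: Dict[Optional[int], List[Event]] = {}
    for ev in events:
        children.setdefault(ev[1], []).append(ev)
    hits = []
    for pid, _ppid, cmd in events:
        if _image(cmd) != "cmd" or ".bat" not in cmd.lower():
            continue
        delay, launched = None, None
        for _cpid, _cp, ccmd in children.get(pid, []):
            m = re.match(r'\s*"?timeout(?:\.exe)?"?\s+(?:/t\s+)?(\d+)', ccmd, re.IGNORECASE)
            if m:
                delay = int(m.group(1))
            elif ccmd.strip().strip('"').lower().endswith(".exe"):
                launched = ccmd.strip().strip('"')
        if delay is not None and launched:
            hits.append({"pid": pid, "delay_seconds": delay, "launched": launched,
                         "launches_install": launched.lower() == install_path.lower()})
    return hits

# Hyphens are matched loosely on purpose: the tree shows "Add - MpPreference - ExclusionExtension".
DEFENDER_RE = re.compile(r"(add|get)\s*-\s*mppreference(?:.*?-\s*exclusion(\w+)\s+['\"]?([^'\"\s]+))?", re.IGNORECASE)

def find_defender_tampering(events: List[Event]) -> List[Dict[str, object]]:
    """Get-/Add-MpPreference use; well_formed is False when spaces break the cmdlet name."""
    hits = []
    for pid, _ppid, cmd in events:
        m = DEFENDER_RE.search(cmd) if _image(cmd) == "powershell" else None
        if m:
            hits.append({"pid": pid, "verb": m.group(1).lower(),
                         "exclusion": (m.group(2) or "").lower(), "value": m.group(3),
                         "well_formed": re.search(r"\b(Add|Get)-MpPreference\b", cmd) is not None})
    return hits

def triage(events: List[Event] = EVENTS, cfg: Dict[str, object] = ASYNCRAT_CONFIG,
           user: str = "Admin") -> Dict[str, object]:
    path = expected_install_path(cfg, user)
    return {"install_path": path, "persistence": find_persistence(events, path),
            "delayed_launch": find_delayed_launch(events, path),
            "defender": find_defender_tampering(events)}
```

triage() returns one dict to diff against a suspect host. Two points worth knowing when reading it: the schtasks call uses /rl highest, so the task runs with the highest privileges the account can obtain, and the page's Defender line is spaced as Add - MpPreference - ExclusionExtension, which PowerShell will not resolve as the Add-MpPreference cmdlet; the script therefore reports it with well_formed False, an attempt rather than a confirmed exclusion. On the host, confirm with Get-MpPreference (ExclusionExtension property) and schtasks /query /tn Loaader /v.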

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Per tactic: number of matched signatures, technique ID, technique name.

  • Execution
      1  T1053      Scheduled Task/Job
  • Persistence
      1  T1543      Create or Modify System Process
      1  T1543.003  Windows Service
      1  T1053      Scheduled Task/Job
  • Privilege Escalation
      1  T1543      Create or Modify System Process
      1  T1543.003  Windows Service
      1  T1548      Abuse Elevation Control Mechanism
      1  T1548.002  Bypass User Account Control
      1  T1053      Scheduled Task/Job
  • Defense Evasion
      4  T1112      Modify Registry
      3  T1562      Impair Defenses
      3  T1562.001  Disable or Modify Tools
      1  T1548      Abuse Elevation Control Mechanism
      1  T1548.002  Bypass User Account Control
  • Credential Access
      1  T1552      Unsecured Credentials
      1  T1552.001  Credentials In Files
  • Discovery
      3  T1012      Query Registry
      4  T1082      System Information Discovery
  • Collection
      1  T1005      Data from Local System
      1  T1114      Email Collection

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              77d622bb1a5b250869a3238b9bc1402b

              SHA1

              d47f4003c2554b9dfc4c16f22460b331886b191b

              SHA256

              f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

              SHA512

              d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vrb5vc0a.od5.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\tmp5285.tmp.bat
              Filesize

              151B

              MD5

              fc3951f8e84d41ffe6ffa9125dd9ec0a

              SHA1

              5721dae2ef28e9c3d0e1766d4e78a469a645b378

              SHA256

              9dcf50c00b5b7ce0c3ca4327588ef114e3909147034f2f044271b5b8cefb0926

              SHA512

              f433a9e5740982f61ad45edcc3927bc32b4e9c6c27dfec1efb0ae46e143e5befe01110e0eca9cb2e2a742a3b38841ce626e303f1cd229103659b566fc054e541

            • C:\Users\Admin\AppData\Local\dec13f7648136b013950c313650eaf39\Admin@BVRKIPTS_en-US\System\Process.txt
              Filesize

              1KB

              MD5

              f4e0cd362bb2a44d6037766556887d1c

              SHA1

              d39acebfc335ba3777a7bf2fbc5cbb37f1298de2

              SHA256

              289400d731b513ad9eb0dacb5cbad7ec3d7632294fe8fd4b6acf688424d19b9e

              SHA512

              f189227f7c8521415ebebe525abe0536ed17a3e27dbf18f3c60dfc0b9d6afe81ff6990e4355aec003016b185d929de724b3e316d765482bb9e312ff5186ab76f

            • C:\Users\Admin\AppData\Local\dec13f7648136b013950c313650eaf39\Admin@BVRKIPTS_en-US\System\Process.txt
              Filesize

              2KB

              MD5

              241bc9c3cd73370441c67ee521f6c435

              SHA1

              04737f7bbd441a3cc70c8c110ed2dd27a3b168a3

              SHA256

              49165f22e7c4e5d0cb520486708c4c25db9d0c210b66b227fd62ca4fe1dd5f74

              SHA512

              437580357dee5940468aebe59dbdca90538276e70c03ad98ff9ca27eb9211186728f710d87b5985022245c34ddf6c60bdde425e1ec941147ad441291c45947cf

            • C:\Users\Admin\AppData\Local\dec13f7648136b013950c313650eaf39\Admin@BVRKIPTS_en-US\System\Process.txt
              Filesize

              4KB

              MD5

              055cb94fd91e56f0ebd52625fe8c6650

              SHA1

              df65d5c10889baf49616035800d5a864501b2588

              SHA256

              6fe06e61f037260946d3ac5789cb6fa08e7dc8488addaa6f048d852ad5f19ed6

              SHA512

              01039af9095f0ee17d2dbc077de4c7bff235cc6a9356ec238dca3c9c2ec7202d7e66d57b339f4532edba46bf9622f3a6b0860468c7b91950740515f90a8eeb7f

            • C:\Users\Admin\AppData\Roaming\Loaader.exe
              Filesize

              63KB

              MD5

              b8d455465260a845db35492fda5a8888

              SHA1

              287b0ba049ad8f3be802d2224efb86dba72d3221

              SHA256

              a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282

              SHA512

              5dba43ae31420de362593752e8ff491afbe8d20f183f6b95e6962ea1e637c7bf3bd50b5213e4d928a96b85d9b54841ee697798b0089624b13ef7eded826cd86a

            • memory/528-49-0x00000000024F0000-0x00000000024FA000-memory.dmp
              Filesize

              40KB

            • memory/528-17-0x000000001D0A0000-0x000000001D0BE000-memory.dmp
              Filesize

              120KB

            • memory/528-42-0x000000001D2A0000-0x000000001D352000-memory.dmp
              Filesize

              712KB

            • memory/528-44-0x000000001D8E0000-0x000000001DA68000-memory.dmp
              Filesize

              1.5MB

            • memory/528-16-0x000000001D070000-0x000000001D0A4000-memory.dmp
              Filesize

              208KB

            • memory/528-15-0x000000001D0F0000-0x000000001D166000-memory.dmp
              Filesize

              472KB

            • memory/528-200-0x000000001CC70000-0x000000001CCEA000-memory.dmp
              Filesize

              488KB

            • memory/4888-7-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp
              Filesize

              10.8MB

            • memory/4888-2-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp
              Filesize

              10.8MB

            • memory/4888-1-0x00007FFE80DA3000-0x00007FFE80DA5000-memory.dmp
              Filesize

              8KB

            • memory/4888-8-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp
              Filesize

              10.8MB

            • memory/4888-0-0x00000000009F0000-0x0000000000A06000-memory.dmp
              Filesize

              88KB

            • memory/5108-23-0x000002C2E73D0000-0x000002C2E73F2000-memory.dmp
              Filesize

              136KB