asyncrat | 04769a8d5fa808e222187311d377b7033ff366494a7aaaf8044329d22b289175

General

Target

Hotmail checker/Hotmal new checker.exe
Size

1.1MB
MD5

ce94631ddcb5fc30c305ce32e49a05a5
SHA1

f0b656e3a2042d5a58b821962e2b8f0f10fa1ec4
SHA256

900db12322da42a224e4df96487ca1446d456d72580976a5f102e430ecb16ddd
SHA512

966497e841950ca55677f24570b331ba2638e34249edd6385b2332c453166315f5d72467bb83a246124dbeb2bcfb0c4044b22e98b44be4b6181c7a3e8ef8f891
SSDEEP

6144:aSncRlHDubaBBOBIIj6HLLYLCYJqvc1D60Xbywj/c9aqX9bxD/e00sNjT6lmRkss:34kbaNEc9a2/d0Oylmq

Score

10^/10

asyncrat stormkitty default rat spyware stealer vmprotect

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6003478563:AAG3aliPXpD1ZldBFn1R2thp1ARU2PprMtU/sendMessage?chat_id=6052812018

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\HOTMAIL CHECKER.EXE	family_stormkitty
behavioral3/memory/2228-15-0x0000000000250000-0x0000000000282000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\HOTMAIL CHECKER.EXE	family_asyncrat

Executes dropped EXE 2 IoCs

Processes:

HOTMAIL CHECKER.EXEHOTMAL NEW CHECKER.EXE

pid process

2228 HOTMAIL CHECKER.EXE
2380 HOTMAL NEW CHECKER.EXE
Loads dropped DLL 2 IoCs

Processes:

Hotmal new checker.exe

pid process

2184 Hotmal new checker.exe
2184 Hotmal new checker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2184	Hotmal new checker.exe
2184	Hotmal new checker.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\HOTMAL NEW CHECKER.EXE	vmprotect
behavioral3/memory/2380-16-0x0000000000F60000-0x0000000001026000-memory.dmp	vmprotect

Drops desktop.ini file(s) 6 IoCs

Processes:

HOTMAIL CHECKER.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\83e3dd33b2692379cf1d14b984d17b7b\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	HOTMAIL CHECKER.EXE
File created	C:\Users\Admin\AppData\Local\83e3dd33b2692379cf1d14b984d17b7b\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	HOTMAIL CHECKER.EXE
File created	C:\Users\Admin\AppData\Local\83e3dd33b2692379cf1d14b984d17b7b\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	HOTMAIL CHECKER.EXE
File opened for modification	C:\Users\Admin\AppData\Local\83e3dd33b2692379cf1d14b984d17b7b\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	HOTMAIL CHECKER.EXE
File created	C:\Users\Admin\AppData\Local\83e3dd33b2692379cf1d14b984d17b7b\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	HOTMAIL CHECKER.EXE
File opened for modification	C:\Users\Admin\AppData\Local\83e3dd33b2692379cf1d14b984d17b7b\Admin@QGTQZTRE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	HOTMAIL CHECKER.EXE

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	icanhazip.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HOTMAIL CHECKER.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	HOTMAIL CHECKER.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	HOTMAIL CHECKER.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1560 schtasks.exe

pid	process
1560	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

HOTMAIL CHECKER.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	HOTMAIL CHECKER.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	HOTMAIL CHECKER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	HOTMAIL CHECKER.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	HOTMAIL CHECKER.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	HOTMAIL CHECKER.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	HOTMAIL CHECKER.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

HOTMAIL CHECKER.EXE

pid	process
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE
2228	HOTMAIL CHECKER.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HOTMAIL CHECKER.EXE

description pid process

Token: SeDebugPrivilege 2228 HOTMAIL CHECKER.EXE
Token: SeDebugPrivilege 2228 HOTMAIL CHECKER.EXE

description	pid	process
Token: SeDebugPrivilege	2228	HOTMAIL CHECKER.EXE
Token: SeDebugPrivilege	2228	HOTMAIL CHECKER.EXE

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Hotmal new checker.exeHOTMAIL CHECKER.EXEcmd.execmd.exe

description	pid	process	target process
PID 2184 wrote to memory of 2228	2184	Hotmal new checker.exe	HOTMAIL CHECKER.EXE
PID 2184 wrote to memory of 2228	2184	Hotmal new checker.exe	HOTMAIL CHECKER.EXE
PID 2184 wrote to memory of 2228	2184	Hotmal new checker.exe	HOTMAIL CHECKER.EXE
PID 2184 wrote to memory of 2228	2184	Hotmal new checker.exe	HOTMAIL CHECKER.EXE
PID 2184 wrote to memory of 2380	2184	Hotmal new checker.exe	HOTMAL NEW CHECKER.EXE
PID 2184 wrote to memory of 2380	2184	Hotmal new checker.exe	HOTMAL NEW CHECKER.EXE
PID 2184 wrote to memory of 2380	2184	Hotmal new checker.exe	HOTMAL NEW CHECKER.EXE
PID 2184 wrote to memory of 2380	2184	Hotmal new checker.exe	HOTMAL NEW CHECKER.EXE
PID 2228 wrote to memory of 2268	2228	HOTMAIL CHECKER.EXE	cmd.exe
PID 2228 wrote to memory of 2268	2228	HOTMAIL CHECKER.EXE	cmd.exe
PID 2228 wrote to memory of 2268	2228	HOTMAIL CHECKER.EXE	cmd.exe
PID 2228 wrote to memory of 2268	2228	HOTMAIL CHECKER.EXE	cmd.exe
PID 2268 wrote to memory of 2940	2268	cmd.exe	chcp.com
PID 2268 wrote to memory of 2940	2268	cmd.exe	chcp.com
PID 2268 wrote to memory of 2940	2268	cmd.exe	chcp.com
PID 2268 wrote to memory of 2940	2268	cmd.exe	chcp.com
PID 2268 wrote to memory of 2948	2268	cmd.exe	netsh.exe
PID 2268 wrote to memory of 2948	2268	cmd.exe	netsh.exe
PID 2268 wrote to memory of 2948	2268	cmd.exe	netsh.exe
PID 2268 wrote to memory of 2948	2268	cmd.exe	netsh.exe
PID 2268 wrote to memory of 2932	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 2932	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 2932	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 2932	2268	cmd.exe	findstr.exe
PID 2228 wrote to memory of 2384	2228	HOTMAIL CHECKER.EXE	cmd.exe
PID 2228 wrote to memory of 2384	2228	HOTMAIL CHECKER.EXE	cmd.exe
PID 2228 wrote to memory of 2384	2228	HOTMAIL CHECKER.EXE	cmd.exe
PID 2228 wrote to memory of 2384	2228	HOTMAIL CHECKER.EXE	cmd.exe
PID 2384 wrote to memory of 2296	2384	cmd.exe	chcp.com
PID 2384 wrote to memory of 2296	2384	cmd.exe	chcp.com
PID 2384 wrote to memory of 2296	2384	cmd.exe	chcp.com
PID 2384 wrote to memory of 2296	2384	cmd.exe	chcp.com
PID 2384 wrote to memory of 2828	2384	cmd.exe	netsh.exe
PID 2384 wrote to memory of 2828	2384	cmd.exe	netsh.exe
PID 2384 wrote to memory of 2828	2384	cmd.exe	netsh.exe
PID 2384 wrote to memory of 2828	2384	cmd.exe	netsh.exe
PID 2228 wrote to memory of 1560	2228	HOTMAIL CHECKER.EXE	schtasks.exe
PID 2228 wrote to memory of 1560	2228	HOTMAIL CHECKER.EXE	schtasks.exe
PID 2228 wrote to memory of 1560	2228	HOTMAIL CHECKER.EXE	schtasks.exe
PID 2228 wrote to memory of 1560	2228	HOTMAIL CHECKER.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Hotmail checker\Hotmal new checker.exe
"C:\Users\Admin\AppData\Local\Temp\Hotmail checker\Hotmal new checker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\HOTMAIL CHECKER.EXE
  "C:\Users\Admin\AppData\Local\Temp\HOTMAIL CHECKER.EXE"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:2948
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\HOTMAIL CHECKER.EXE"
    3⤵
    - Creates scheduled task(s)
    PID:1560
- C:\Users\Admin\AppData\Local\Temp\HOTMAL NEW CHECKER.EXE
  "C:\Users\Admin\AppData\Local\Temp\HOTMAL NEW CHECKER.EXE"
  2⤵
  - Executes dropped EXE
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39b8c0c118ce2076475ca34ef8c7d802

SHA1
c2c7d95575a43470d66506cc0ac2e016441cd9a8

SHA256
76ed4a73d03b9c8a023baabfc743d0dd5c72980fbf768a9f71acf45a996cbcce

SHA512
939ccd233eb70e390ebfa297ba4a762e63fde0ccd0fbab3706350f7fd075d8bfc9e5446a89c8480ac97025a3a176681d30c49248e2f8a9a165d56740f52fb268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4B0D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOTMAIL CHECKER.EXE

Filesize
175KB

MD5
faea3894b67011555be2b362c0a6f4ea

SHA1
f9f87162d9570b55e18fe2c1658ef628356677cc

SHA256
6fee9ae08cf4d224f566c7bea2bffbdd43d71eeb7feea02b083527614648263f

SHA512
2e3d57329836adac4178b5ccde4fee8b0df3d43e964272ceb665131afbce1eb67dd2509589827ef50adc34ef96063c4e7fac69e6fbb6514ce3eba361268ea9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOTMAL NEW CHECKER.EXE

Filesize
600KB

MD5
5775f8341b36982f97a1893ea33e5ac1

SHA1
ab0d5b6b372b6dce4e12eb6ee97857b42b2c4ded

SHA256
a7c76e41f7b2e55ab747e9721b1cba2e8c6e1970d74529ab166f3ae065e840fd

SHA512
cbeae0f55d4580069b6cb3c4e1c0b36da0a6094c85d9d4d0a769f5331bc06f96b5f6892d5bb0f86d73f3237b8dd7111d28d10f5ba9e8674cded4f5e53ec7540c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4BFE.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\f17fd43e23b9a8946b87b16b56577305\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/2228-15-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2228-13-0x000000007478E000-0x000000007478F000-memory.dmp

Filesize
4KB

Download
memory/2228-162-0x000000007478E000-0x000000007478F000-memory.dmp

Filesize
4KB

Download
memory/2380-16-0x0000000000F60000-0x0000000001026000-memory.dmp

Filesize
792KB

Download
memory/2380-17-0x0000000074780000-0x0000000074E6E000-memory.dmp

Filesize
6.9MB

Download
memory/2380-163-0x0000000074780000-0x0000000074E6E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads