Overview

overview

10

Static

static

7

System.exe

windows10-1703-x64

10

System.exe

windows7-x64

10

System.exe

windows10-1703-x64

10

System.exe

windows10-2004-x64

System.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    290s
  • max time network
    254s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31/05/2024, 04:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    System.exe

  • Size

    3.4MB

  • MD5

    fb19368b80bb083a67bea154f2e7f4a6

  • SHA1

    7bb20b8ee40c9f94dd77b8cd35920b1ba651ae86

  • SHA256

    92ab9ed68950db61024eb5c5180f0019281a3bec96cd5a2f7305f450de064d4f

  • SHA512

    9fc041c4404602469314cf29cdae55d720bb26e8b37d774b13f7483a160c7fd0daea8d6274e7113a2c524630bf90d3b04513d04e19fe3f9cb216b44502f7c4f2

  • SSDEEP

    49152:OnT6jNyvZdHzYjd3deChH/GBtNNwxry+3u1IRgQo37xcoMuFVhDb5Xqx:fQZdHod3ACBGBX+HgQvwV56x

Score
10/10
asyncratstormkittydefaultcollectiondiscoveryevasionratspywarestealerthemidatrojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.5

Botnet

Default

Mutex

umldzqgmsvrmiibib

Attributes
  • c2_url_file

    https://paste.fo/raw/53957c5e1888

  • delay

    1

  • install

    true

  • install_file

    Registry.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\System.exe
    "C:\Users\Admin\AppData\Local\Temp\System.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Accesses Microsoft Outlook profiles
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    PID:4420
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Registry" /tr '"C:\Users\Admin\AppData\Roaming\Registry.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Registry" /tr '"C:\Users\Admin\AppData\Roaming\Registry.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:5072
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 2944
      2⤵
      • Program crash
      PID:4348

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE3FE.tmp.dat
    Filesize

    92KB

    MD5

    cae9079afcb4c379869afa5d34181d8a

    SHA1

    188e2435c533dd9633f5fcc09f245ddc1a78db2c

    SHA256

    2be0a96da90da69fbc34b8e7747e89ce57dfc4fb58ed6c79e0fc21cb7c6791b7

    SHA512

    ff7d863ebd1090219f07eaf2ac493f20b6ed11606e7f2c19536d764e730a8bb426fff26dc3890f0503c12329ea4a6c5d8812a0d1b69c19a29fbb8cb8366bd4fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpE411.tmp.dat
    Filesize

    148KB

    MD5

    90a1d4b55edf36fa8b4cc6974ed7d4c4

    SHA1

    aba1b8d0e05421e7df5982899f626211c3c4b5c1

    SHA256

    7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

    SHA512

    ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

    Download Submit

  • memory/4420-17-0x00000000012B0000-0x0000000001BD0000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4420-18-0x0000000007AC0000-0x0000000007B36000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4420-6-0x0000000005C70000-0x000000000616E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4420-8-0x0000000006790000-0x0000000006822000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4420-9-0x0000000006770000-0x000000000677A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4420-12-0x0000000006FE0000-0x000000000707C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4420-13-0x0000000006D50000-0x0000000006DB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4420-14-0x00007FF8D8220000-0x00007FF8D83FB000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4420-0-0x00000000012B0000-0x0000000001BD0000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4420-5-0x00000000012B0000-0x0000000001BD0000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4420-19-0x0000000007C40000-0x0000000007D74000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4420-20-0x0000000007D70000-0x0000000007D8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4420-21-0x0000000007DB0000-0x0000000007DBA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4420-23-0x0000000008060000-0x0000000008182000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4420-47-0x0000000009530000-0x0000000009880000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4420-48-0x0000000007960000-0x00000000079AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4420-4-0x00000000012B0000-0x0000000001BD0000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4420-1-0x00007FF8D8220000-0x00007FF8D83FB000-memory.dmp

    Filesize

    1.9MB

    Download