Resubmissions
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
03-06-2024 16:33
General
-
Target
Flash-USDT-main/Flash USDT v2.exe
-
Size
918KB
-
MD5
e45aa1c8df8c2e551cbb12eb60d45862
-
SHA1
cb00e3e6bd28bbef0899c7e470e82f4e5f5dc13b
-
SHA256
5c9d92a9fc8a5399e2dc146af2c5dfbfdbbf94cd11ea331e9422626026470279
-
SHA512
ea77a19bc7d76c821082d9f2a14b6e818f28b98aaea9f923767d86d96e8db1a64ddcc56d7cfbcce41c06bd195b8afef4ed4f4dfc1e3543df0e5de4b6aa3af069
-
SSDEEP
24576:1Gz1TSpONGTQ9dokTpIG/2KPJ8r6oPNYY:1o1SpONZ9dokTpIG/Y+YN
Malware Config
Extracted
xworm
146.70.34.130:7812
-
Install_directory
%AppData%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148
Extracted
quasar
2.1.0.0
Office04
146.70.34.130:7812
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
-
encryption_key
xwXT4WCNnk3vInV5C8eN
-
install_name
Windows Security Health Service.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security Health Service
-
subdirectory
Windows Security Health Service
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 2 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 7 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Flash-USDT-main\Flash USDT v2.exe"C:\Users\Admin\AppData\Local\Temp\Flash-USDT-main\Flash USDT v2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\service.exe"C:\Users\Admin\AppData\Roaming\service.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender SecurityService" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender SecurityService"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security Health Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Health Service\Windows Security Health Service.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security Health Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Health Service\Windows Security Health Service.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qLSO7q5Q4viY.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile5⤵
-
C:\Windows\SysWOW64\findstr.exefindstr All5⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid5⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\435d2f3cdb74369c71abe038a7701be8\msgid.datFilesize
6B
MD5b765bec9e861d1a2ac741349b2136a6f
SHA1538d1ab6077d4bd6a99d3ad66503edcba8af544b
SHA25694d766578113ef524b3e0806860cd3900ea205c81fb88cb7060aa79fa2f2d584
SHA512576d2e3a6fed184f3bdcf04eddb1c6204fd181a5d8eb17ec8144f677cb342c0d86504546709a7cd7574ec1922b3b574aabdbc010033cbfada23a834c0d425134
-
C:\Users\Admin\AppData\Local\69196f26a5ea7a72f64d8e6a8540aac4\Admin@OBJIYUIE_en-US\Browsers\Firefox\Bookmarks.txtFilesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\69196f26a5ea7a72f64d8e6a8540aac4\Admin@OBJIYUIE_en-US\System\Process.txtFilesize
4KB
MD51488ae43365f4187f843ba9808c11e73
SHA142440a9e5e44c2e14febb15bf26197fa2580c7a4
SHA2567efb36d9d4d945c638eadcb3b04355927d88940fa1bdb24f39779d076915aef0
SHA512e80f987c81e9e512f2d667224697c0eede86910b252a6d6131be48c269f54d7256dfad8219710a8d0ab003e6ae37f7f448fba75b5c80648d4fe93b93444663ed
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security Health Service.exe.logFilesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uxn3bmjz.aer.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\places.rawFilesize
5.0MB
MD525b97815c0005fc273a7eff8e4306d35
SHA19e23f75f19686261d5a3c9abfc7905bd2b8885bb
SHA25608eb8fb2f947cfa307191716fc503a9e547fa9104e16f16f4e706a64ac19a393
SHA51226e258004e766f3a1542f2a5a12ea3223dec9ac37b79e3ffee8a16326d623e57ab10f92fc9302a46dcc938511dd078b105e81b12a9872892fcbd25f0cca7b856
-
C:\Users\Admin\AppData\Local\Temp\qLSO7q5Q4viY.batFilesize
225B
MD578e78877a0e3282212eecf181e3ec62d
SHA18822e07ab95555fbc6f529850ecde52e8f6278f1
SHA2563e41064b097c55847e0942dd564af6020cc97b3ef053dc5e19ed26712a11db3b
SHA5125f46276c09a315d9a70e2b9508f130ceed6c8ad2fbc0795d92ed2914b4c9c5f3f5b01da51ab913835e8efe63cc356fad61c2072e9258d0695ddd8b806b3e6e06
-
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exeFilesize
195KB
MD5e7f8c4ea62d6c4ae774f981480c6b232
SHA12dad33c36ad472cee4ca8231c723e92bd7033b7d
SHA256c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b
SHA512f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exeFilesize
534KB
MD5b934a776bf8ad0d2acba5fecd3e8d54a
SHA12c2419eaa05137543fbacd52929b758633543fc2
SHA2569ecdfad064bdd85e9f36f5d6580e4576b495f6b2981f822129fe2f37b69ac405
SHA512c8f06093c6048edbdb92f12263179595c23aa6263aff2c359736c41cbb7548c886d55b7d85dbbd2651df4dfebd4fec88f2f4380d9d59453224ca0483c1cb18f3
-
C:\Users\Admin\AppData\Roaming\service.exeFilesize
68KB
MD5e3959c47fd8eb8989ffcccbedb64f28d
SHA1fb4e8f09c8a395cae695dd7431d2985a949aa89c
SHA256ad93141af1cd287247d5365955f235e7c1b9477d4a32354680f684237a07b145
SHA512c52783c65a929c971667a806f234b086aae6b1db2b09e763cb17c09e31484aef26f5cea4340b01bcb6172679b8a8b11fa4c7ae0eb160eccf271903a3371a990c
-
memory/1132-42-0x0000000005480000-0x0000000005A24000-memory.dmpFilesize
5.6MB
-
memory/1132-41-0x0000000000540000-0x00000000005CC000-memory.dmpFilesize
560KB
-
memory/1132-52-0x0000000005410000-0x0000000005422000-memory.dmpFilesize
72KB
-
memory/1132-53-0x0000000006110000-0x000000000614C000-memory.dmpFilesize
240KB
-
memory/1132-51-0x0000000004ED0000-0x0000000004F36000-memory.dmpFilesize
408KB
-
memory/2376-46-0x0000000005530000-0x000000000553A000-memory.dmpFilesize
40KB
-
memory/2376-44-0x0000000005650000-0x00000000056EC000-memory.dmpFilesize
624KB
-
memory/2376-43-0x00000000055B0000-0x0000000005642000-memory.dmpFilesize
584KB
-
memory/2376-40-0x0000000000CA0000-0x0000000000CD6000-memory.dmpFilesize
216KB
-
memory/2512-96-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmpFilesize
10.8MB
-
memory/2512-286-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmpFilesize
10.8MB
-
memory/2512-33-0x0000000000850000-0x0000000000868000-memory.dmpFilesize
96KB
-
memory/2512-39-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmpFilesize
10.8MB
-
memory/3036-75-0x0000000006BD0000-0x0000000006BDA000-memory.dmpFilesize
40KB
-
memory/3452-1-0x0000000000C10000-0x0000000000CFC000-memory.dmpFilesize
944KB
-
memory/3452-0-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmpFilesize
8KB
-
memory/3880-73-0x00000000060B0000-0x00000000060FC000-memory.dmpFilesize
304KB
-
memory/3880-99-0x0000000007490000-0x00000000074A4000-memory.dmpFilesize
80KB
-
memory/3880-88-0x0000000006500000-0x000000000651E000-memory.dmpFilesize
120KB
-
memory/3880-89-0x0000000007120000-0x00000000071C3000-memory.dmpFilesize
652KB
-
memory/3880-90-0x0000000007890000-0x0000000007F0A000-memory.dmpFilesize
6.5MB
-
memory/3880-91-0x0000000007250000-0x000000000726A000-memory.dmpFilesize
104KB
-
memory/3880-92-0x00000000072C0000-0x00000000072CA000-memory.dmpFilesize
40KB
-
memory/3880-95-0x00000000074D0000-0x0000000007566000-memory.dmpFilesize
600KB
-
memory/3880-77-0x00000000070E0000-0x0000000007112000-memory.dmpFilesize
200KB
-
memory/3880-97-0x0000000007450000-0x0000000007461000-memory.dmpFilesize
68KB
-
memory/3880-98-0x0000000007480000-0x000000000748E000-memory.dmpFilesize
56KB
-
memory/3880-78-0x0000000070740000-0x000000007078C000-memory.dmpFilesize
304KB
-
memory/3880-100-0x0000000007590000-0x00000000075AA000-memory.dmpFilesize
104KB
-
memory/3880-101-0x0000000007570000-0x0000000007578000-memory.dmpFilesize
32KB
-
memory/3880-72-0x0000000005F20000-0x0000000005F3E000-memory.dmpFilesize
120KB
-
memory/3880-71-0x0000000005A40000-0x0000000005D94000-memory.dmpFilesize
3.3MB
-
memory/3880-58-0x0000000002620000-0x0000000002656000-memory.dmpFilesize
216KB
-
memory/3880-66-0x0000000005860000-0x00000000058C6000-memory.dmpFilesize
408KB
-
memory/3880-59-0x00000000050C0000-0x00000000056E8000-memory.dmpFilesize
6.2MB
-
memory/3880-60-0x0000000005050000-0x0000000005072000-memory.dmpFilesize
136KB
-
memory/4556-261-0x0000000006450000-0x0000000006462000-memory.dmpFilesize
72KB
-
memory/4556-255-0x0000000005F50000-0x0000000005F5A000-memory.dmpFilesize
40KB
-
memory/4556-49-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB