Resubmissions
Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
03-06-2024 16:34
General
-
Target
Flash-USDT-main/Flash USDT v2.exe
-
Size
918KB
-
MD5
e45aa1c8df8c2e551cbb12eb60d45862
-
SHA1
cb00e3e6bd28bbef0899c7e470e82f4e5f5dc13b
-
SHA256
5c9d92a9fc8a5399e2dc146af2c5dfbfdbbf94cd11ea331e9422626026470279
-
SHA512
ea77a19bc7d76c821082d9f2a14b6e818f28b98aaea9f923767d86d96e8db1a64ddcc56d7cfbcce41c06bd195b8afef4ed4f4dfc1e3543df0e5de4b6aa3af069
-
SSDEEP
24576:1Gz1TSpONGTQ9dokTpIG/2KPJ8r6oPNYY:1o1SpONZ9dokTpIG/Y+YN
Malware Config
Extracted
quasar
2.1.0.0
Office04
146.70.34.130:7812
VNM_MUTEX_c2q7y2ayYutZ2XaYe7
-
encryption_key
xwXT4WCNnk3vInV5C8eN
-
install_name
Windows Security Health Service.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security Health Service
-
subdirectory
Windows Security Health Service
Extracted
xworm
146.70.34.130:7812
-
Install_directory
%AppData%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 2 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 8 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Flash-USDT-main\Flash USDT v2.exe"C:\Users\Admin\AppData\Local\Temp\Flash-USDT-main\Flash USDT v2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\service.exe"C:\Users\Admin\AppData\Roaming\service.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender SecurityService" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender SecurityService"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security Health Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Health Service\Windows Security Health Service.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security Health Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Health Service\Windows Security Health Service.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aiQisExWw3tE.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile5⤵
-
C:\Windows\SysWOW64\findstr.exefindstr All5⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid5⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\652c9e4991d5bea9a66c45326d30cf2e\msgid.datFilesize
6B
MD5fe01303cdcadd376c78fb1877afaef00
SHA1aba135a54e5d186a0952f71c9e26b826a098adf9
SHA2568dc269406e603bb873c2ca2e0af8a4a4dcd83e31399f3fba8a335416911fe5d3
SHA51276122a89fd658ee4a836a6090f8d1c54f050f8165fbe5f6e708a72afd4b18286c9282f32fcb3a4e2c32e3d10d51ab1ceafd6806b03f47acf0f05bbb5f6cc1fb3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security Health Service.exe.logFilesize
1KB
MD50d57fc33826cdd8ab7f1fd188829748d
SHA140fab51cd74493d07e0c37af6bfee896e9d0cef6
SHA2564ff6a3eca1a0964fa036fcc54b2fa2137de9ade61e8140cee7e3136352445c41
SHA512dd02119b787943e580156d89ea75ad38eff863bf560d4ec33fa4e52202f0b6252e928322f73e3a3e11685fb0cff204af4d67c6818bdf9812d7b458c362965aaa
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4sydbzqp.jqe.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\aiQisExWw3tE.batFilesize
225B
MD5ba2100e7d5454cd8f7773381633d6e99
SHA18a47b8c346612171eb25ff1eeaf6e1ccee2537dc
SHA256d0b396bc24191abcabfde7efd247e80c2718d54bba424797ed77e7f973e564a5
SHA51219e6d0ff2ccbf0e5d146dff7f990d04f156dc25907682704e31de210499632b0ec6c3549ee58f77e5128cfdad7ada9fa6212912ec48524f48056d04cb1ee02f3
-
C:\Users\Admin\AppData\Local\b52d5b9f53350de20616f4e09e77340d\Admin@NGOMEWNG_en-US\Browsers\Firefox\Bookmarks.txtFilesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\b52d5b9f53350de20616f4e09e77340d\Admin@NGOMEWNG_en-US\System\Process.txtFilesize
4KB
MD5dd756490c5b30bd77bcff64adbe54a08
SHA1043b673c5b1c22960b0622d1f94476a297696970
SHA256f169e050f84df58b4a8274cd53d0cde5c7915e779cf3194aff7a023a2e6f459d
SHA51294a8e76b4763755273ec1e2b53653eb9fc1971b6c26572b97383d0e22399da9704c78261c436227d41debc3fdeca76c5f9bed79eff77f82fa5461b199d0b57e9
-
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exeFilesize
195KB
MD5e7f8c4ea62d6c4ae774f981480c6b232
SHA12dad33c36ad472cee4ca8231c723e92bd7033b7d
SHA256c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b
SHA512f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exeFilesize
534KB
MD5b934a776bf8ad0d2acba5fecd3e8d54a
SHA12c2419eaa05137543fbacd52929b758633543fc2
SHA2569ecdfad064bdd85e9f36f5d6580e4576b495f6b2981f822129fe2f37b69ac405
SHA512c8f06093c6048edbdb92f12263179595c23aa6263aff2c359736c41cbb7548c886d55b7d85dbbd2651df4dfebd4fec88f2f4380d9d59453224ca0483c1cb18f3
-
C:\Users\Admin\AppData\Roaming\service.exeFilesize
68KB
MD5e3959c47fd8eb8989ffcccbedb64f28d
SHA1fb4e8f09c8a395cae695dd7431d2985a949aa89c
SHA256ad93141af1cd287247d5365955f235e7c1b9477d4a32354680f684237a07b145
SHA512c52783c65a929c971667a806f234b086aae6b1db2b09e763cb17c09e31484aef26f5cea4340b01bcb6172679b8a8b11fa4c7ae0eb160eccf271903a3371a990c
-
memory/536-50-0x0000000005910000-0x0000000005976000-memory.dmpFilesize
408KB
-
memory/536-41-0x0000000000E00000-0x0000000000E8C000-memory.dmpFilesize
560KB
-
memory/536-52-0x0000000006A60000-0x0000000006A9C000-memory.dmpFilesize
240KB
-
memory/536-51-0x0000000006530000-0x0000000006542000-memory.dmpFilesize
72KB
-
memory/1212-42-0x0000000005570000-0x0000000005B16000-memory.dmpFilesize
5.6MB
-
memory/1212-46-0x0000000005070000-0x000000000507A000-memory.dmpFilesize
40KB
-
memory/1212-44-0x0000000005290000-0x000000000532C000-memory.dmpFilesize
624KB
-
memory/1212-43-0x00000000050E0000-0x0000000005172000-memory.dmpFilesize
584KB
-
memory/1212-40-0x0000000000720000-0x0000000000756000-memory.dmpFilesize
216KB
-
memory/2900-47-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2900-251-0x0000000006D60000-0x0000000006D72000-memory.dmpFilesize
72KB
-
memory/2900-245-0x00000000060C0000-0x00000000060CA000-memory.dmpFilesize
40KB
-
memory/3084-85-0x0000000006BF0000-0x0000000006BFA000-memory.dmpFilesize
40KB
-
memory/3984-1-0x00007FFF13FF3000-0x00007FFF13FF5000-memory.dmpFilesize
8KB
-
memory/3984-0-0x0000000000120000-0x000000000020C000-memory.dmpFilesize
944KB
-
memory/4444-69-0x0000000005630000-0x0000000005987000-memory.dmpFilesize
3.3MB
-
memory/4444-73-0x0000000070330000-0x000000007037C000-memory.dmpFilesize
304KB
-
memory/4444-82-0x0000000006B00000-0x0000000006B1E000-memory.dmpFilesize
120KB
-
memory/4444-72-0x0000000006100000-0x0000000006134000-memory.dmpFilesize
208KB
-
memory/4444-83-0x0000000006B20000-0x0000000006BC4000-memory.dmpFilesize
656KB
-
memory/4444-71-0x0000000005BA0000-0x0000000005BEC000-memory.dmpFilesize
304KB
-
memory/4444-87-0x0000000006E50000-0x0000000006E6A000-memory.dmpFilesize
104KB
-
memory/4444-86-0x00000000074A0000-0x0000000007B1A000-memory.dmpFilesize
6.5MB
-
memory/4444-88-0x0000000006ED0000-0x0000000006EDA000-memory.dmpFilesize
40KB
-
memory/4444-89-0x00000000070E0000-0x0000000007176000-memory.dmpFilesize
600KB
-
memory/4444-90-0x0000000007060000-0x0000000007071000-memory.dmpFilesize
68KB
-
memory/4444-92-0x0000000007090000-0x000000000709E000-memory.dmpFilesize
56KB
-
memory/4444-93-0x00000000070A0000-0x00000000070B5000-memory.dmpFilesize
84KB
-
memory/4444-96-0x00000000071A0000-0x00000000071BA000-memory.dmpFilesize
104KB
-
memory/4444-97-0x0000000007190000-0x0000000007198000-memory.dmpFilesize
32KB
-
memory/4444-70-0x0000000005B00000-0x0000000005B1E000-memory.dmpFilesize
120KB
-
memory/4444-60-0x0000000005550000-0x00000000055B6000-memory.dmpFilesize
408KB
-
memory/4444-59-0x0000000004D60000-0x0000000004D82000-memory.dmpFilesize
136KB
-
memory/4444-58-0x0000000004F20000-0x000000000554A000-memory.dmpFilesize
6.2MB
-
memory/4444-57-0x0000000002300000-0x0000000002336000-memory.dmpFilesize
216KB
-
memory/4576-275-0x00007FFF13FF0000-0x00007FFF14AB2000-memory.dmpFilesize
10.8MB
-
memory/4576-39-0x00007FFF13FF0000-0x00007FFF14AB2000-memory.dmpFilesize
10.8MB
-
memory/4576-38-0x0000000000980000-0x0000000000998000-memory.dmpFilesize
96KB