Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/06/2024, 01:08

General

  • Target

    d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe

  • Size

    313KB

  • MD5

    2aeeb429e9290526b96bf4b58b2411ad

  • SHA1

    4b4527fbd51763b51d4acebcf157ba3bd5082ce1

  • SHA256

    d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975

  • SHA512

    8de691347446377838638dd97ab36ad4fbec672be0158451778901bf4ee62b6002f18fe06c7365b952d0650308eb78dadd9d338c91c67b181041807004c242cc

  • SSDEEP

    6144:48XN6W8mmHPtppXPSi9b4qt3GPMVRSbfWraqe9s:FN6qatppXP1t3jcWraq

Malware Config

Extracted

Family

xworm

Version

5.1

C2

119.59.98.116:7812

Mutex

JBMeOx2rIgGrdV0y

Attributes
  • Install_directory

    %AppData%

  • install_file

    Windows Defender security.exe

  • telegram

    https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

119.59.98.116:7812

Mutex

WindowsDefendersecurityService

Attributes
  • delay

    1

  • install

    true

  • install_file

    Windows Defender Security Service.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe
    "C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4344
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4480
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:4972
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          PID:4728
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          PID:2612
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3416
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:4940
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:2808
    • C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender security" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3616
    • C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3620
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:3692
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp536F.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:4484
        • C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe
          "C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4036
  • C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1740
  • C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2468
  • C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1096

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Defender security.exe.log
    Filesize: 654B
    MD5: 2ff39f6c7249774be85fd60a8f9a245e
    SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
    SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
    SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Temp\tmp536F.tmp.bat
    Filesize: 178B
    MD5: cd3233af885693391fdec5620c3880c4
    SHA1: 9c4f8a2582c0e29d6104638f1aa71310093757d9
    SHA256: 3a9df5ba36d093a95a94faa569491080b82ad38886c3f7c0a7e631a603383b4a
    SHA512: 95f5b7107e8e885d4dc14332d408c52214704c4aa6c32bad9541c46b39dcbe20426e6197fc1614289e5829efe46433abb4c19f84f39f758f714cab163138e8a9

  • C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\System\Process.txt
    Filesize: 4KB
    MD5: 16b379e5e9278c314460b4ce33724b2d
    SHA1: 958af972b0393f189ece396a948a778b97f9b9da
    SHA256: 6bd26a9e258db86c9b1cab9d369958a5617f21034a85a4cbf7564f488f59e9e9
    SHA512: de0eae30a8e4797754cb20c5a246cd69cc2920fd535fd3f6e8edc6bd6afc3657984b27ff236624cfeffe02a7ed1c82a9cf0d62f3cfaad18b9a0dc1c6d9cfa356

  • C:\Users\Admin\AppData\Local\cfd2ab89bc4083f7f1abdebfd243735a\msgid.dat
    Filesize: 1B
    MD5: cfcd208495d565ef66e7dff9f98764da
    SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
    SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
    SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

  • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
    Filesize: 8B
    MD5: cf759e4c5f14fe3eec41b87ed756cea8
    SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
    SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
    SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

  • C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
    Filesize: 42KB
    MD5: 454abb9d524208fb694e7e70c0fbc56a
    SHA1: 060037a032fa3ccf469d902e12c1523e00040748
    SHA256: c93c27a171d7a883f34e944d16bb47f0e949eb36181060f923e4d8df8da24298
    SHA512: dd390f87dfb7f80074c92a61ae1ee65193855dc0b7dafe14ae65aedffb92625d6ebb5ea9fac9e452ad0ee4b3bb0d8923a926793c87a4af745f718921688d4b54

  • C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe
    Filesize: 74KB
    MD5: c3f58ffd73d3afc5cc08a29dc5a864c8
    SHA1: aad0a8c93043e3a4f7c422278c9c02a016ed55b7
    SHA256: 27d16a4b6970b62bc05c437177605391f7788a3e602e69da9d1375ace81b4ee2
    SHA512: 4d45d348bbbc2d503eea99c7265e68c6ce87cf8be982ba153c6e8e6c58484476fc4287a91f8cff2eaa3f4ff1de04e02b2b4bcb597326c6963b28967670fc50b7

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize: 170KB
    MD5: 1d94cbce42232d67fb1e032e1e61d77e
    SHA1: 0f10e767c0cba85a39122b8e040c976de50dc468
    SHA256: 5b9f1c1780a2889685343734f81db30b92b7407cc8e476d01cf4f46d37db04a9
    SHA512: 5f8a3c1d35fe009b36c54bed90e8ce44bba86180a409855b10b4693d123f1c323f8c928507d01ba552eff6e387074a07736bb7851dbf1984db0d750107eaeff4

  • memory/2140-39-0x0000000000910000-0x0000000000920000-memory.dmp
    Filesize: 64KB

  • memory/2140-34-0x00007FFBBBDC3000-0x00007FFBBBDC5000-memory.dmp
    Filesize: 8KB

  • memory/3404-40-0x0000000000A30000-0x0000000000A48000-memory.dmp
    Filesize: 96KB

  • memory/4344-1-0x0000000074EA0000-0x0000000075451000-memory.dmp
    Filesize: 5.7MB

  • memory/4344-43-0x0000000074EA0000-0x0000000075451000-memory.dmp
    Filesize: 5.7MB

  • memory/4344-2-0x0000000074EA0000-0x0000000075451000-memory.dmp
    Filesize: 5.7MB

  • memory/4344-0-0x0000000074EA2000-0x0000000074EA3000-memory.dmp
    Filesize: 4KB

  • memory/4496-50-0x0000000005870000-0x00000000058D6000-memory.dmp
    Filesize: 408KB

  • memory/4496-198-0x00000000061E0000-0x0000000006272000-memory.dmp
    Filesize: 584KB

  • memory/4496-199-0x0000000006830000-0x0000000006DD4000-memory.dmp
    Filesize: 5.6MB

  • memory/4496-203-0x0000000006380000-0x000000000638A000-memory.dmp
    Filesize: 40KB

  • memory/4496-206-0x000000007207E000-0x000000007207F000-memory.dmp
    Filesize: 4KB

  • memory/4496-38-0x000000007207E000-0x000000007207F000-memory.dmp
    Filesize: 4KB

  • memory/4496-41-0x0000000000720000-0x0000000000750000-memory.dmp
    Filesize: 192KB