Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14/06/2024, 01:08
General
-
Target
d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe
-
Size
313KB
-
MD5
2aeeb429e9290526b96bf4b58b2411ad
-
SHA1
4b4527fbd51763b51d4acebcf157ba3bd5082ce1
-
SHA256
d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975
-
SHA512
8de691347446377838638dd97ab36ad4fbec672be0158451778901bf4ee62b6002f18fe06c7365b952d0650308eb78dadd9d338c91c67b181041807004c242cc
-
SSDEEP
6144:48XN6W8mmHPtppXPSi9b4qt3GPMVRSbfWraqe9s:FN6qatppXP1t3jcWraq
Malware Config
Extracted
xworm
5.1
119.59.98.116:7812
JBMeOx2rIgGrdV0y
-
Install_directory
%AppData%
-
install_file
Windows Defender security.exe
-
telegram
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
119.59.98.116:7812
WindowsDefendersecurityService
-
delay
1
-
install
true
-
install_file
Windows Defender Security Service.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload 2 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Async RAT payload 2 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 8 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe"C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender security" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe"C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"'4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp536F.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
178B
MD5cd3233af885693391fdec5620c3880c4
SHA19c4f8a2582c0e29d6104638f1aa71310093757d9
SHA2563a9df5ba36d093a95a94faa569491080b82ad38886c3f7c0a7e631a603383b4a
SHA51295f5b7107e8e885d4dc14332d408c52214704c4aa6c32bad9541c46b39dcbe20426e6197fc1614289e5829efe46433abb4c19f84f39f758f714cab163138e8a9
-
Filesize
4KB
MD516b379e5e9278c314460b4ce33724b2d
SHA1958af972b0393f189ece396a948a778b97f9b9da
SHA2566bd26a9e258db86c9b1cab9d369958a5617f21034a85a4cbf7564f488f59e9e9
SHA512de0eae30a8e4797754cb20c5a246cd69cc2920fd535fd3f6e8edc6bd6afc3657984b27ff236624cfeffe02a7ed1c82a9cf0d62f3cfaad18b9a0dc1c6d9cfa356
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
42KB
MD5454abb9d524208fb694e7e70c0fbc56a
SHA1060037a032fa3ccf469d902e12c1523e00040748
SHA256c93c27a171d7a883f34e944d16bb47f0e949eb36181060f923e4d8df8da24298
SHA512dd390f87dfb7f80074c92a61ae1ee65193855dc0b7dafe14ae65aedffb92625d6ebb5ea9fac9e452ad0ee4b3bb0d8923a926793c87a4af745f718921688d4b54
-
Filesize
74KB
MD5c3f58ffd73d3afc5cc08a29dc5a864c8
SHA1aad0a8c93043e3a4f7c422278c9c02a016ed55b7
SHA25627d16a4b6970b62bc05c437177605391f7788a3e602e69da9d1375ace81b4ee2
SHA5124d45d348bbbc2d503eea99c7265e68c6ce87cf8be982ba153c6e8e6c58484476fc4287a91f8cff2eaa3f4ff1de04e02b2b4bcb597326c6963b28967670fc50b7
-
Filesize
170KB
MD51d94cbce42232d67fb1e032e1e61d77e
SHA10f10e767c0cba85a39122b8e040c976de50dc468
SHA2565b9f1c1780a2889685343734f81db30b92b7407cc8e476d01cf4f46d37db04a9
SHA5125f8a3c1d35fe009b36c54bed90e8ce44bba86180a409855b10b4693d123f1c323f8c928507d01ba552eff6e387074a07736bb7851dbf1984db0d750107eaeff4
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
96KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB