Analysis Overview
SHA256
d144d29c8cdbdba8377fe263ab9996b562b9925c59588a0b17f132723408293b
Threat Level: Known bad
The file 2aeeb429e9290526b96bf4b58b2411ad.bin was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Stormkitty family
StormKitty payload
Asyncrat family
Detect Xworm Payload
Xworm family
AsyncRat
StormKitty
Xworm
Executes dropped EXE
Drops startup file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Adds Run key to start application
Looks up geolocation information via web service
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Checks processor information in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 01:08
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 01:08
Reported
2024-06-14 01:11
Platform
win7-20240611-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender security.lnk | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender security.lnk | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender security = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender security.exe" | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe
"C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"
C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"' & exit
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1EB7.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender security" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"
C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\taskeng.exe
taskeng.exe {93913E30-578C-467B-A8E6-A34AF4CF5E68} S-1-5-21-2812790648-3157963462-487717889-1000:JAFTUVRJ\Admin:Interactive:[1]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.63.101.153:80 | apps.identrust.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
Files
memory/1928-0-0x0000000074371000-0x0000000074372000-memory.dmp
memory/1928-1-0x0000000074370000-0x000000007491B000-memory.dmp
memory/1928-2-0x0000000074370000-0x000000007491B000-memory.dmp
\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 1d94cbce42232d67fb1e032e1e61d77e |
| SHA1 | 0f10e767c0cba85a39122b8e040c976de50dc468 |
| SHA256 | 5b9f1c1780a2889685343734f81db30b92b7407cc8e476d01cf4f46d37db04a9 |
| SHA512 | 5f8a3c1d35fe009b36c54bed90e8ce44bba86180a409855b10b4693d123f1c323f8c928507d01ba552eff6e387074a07736bb7851dbf1984db0d750107eaeff4 |
\Users\Admin\AppData\Roaming\Windows Defender security.exe
| MD5 | 454abb9d524208fb694e7e70c0fbc56a |
| SHA1 | 060037a032fa3ccf469d902e12c1523e00040748 |
| SHA256 | c93c27a171d7a883f34e944d16bb47f0e949eb36181060f923e4d8df8da24298 |
| SHA512 | dd390f87dfb7f80074c92a61ae1ee65193855dc0b7dafe14ae65aedffb92625d6ebb5ea9fac9e452ad0ee4b3bb0d8923a926793c87a4af745f718921688d4b54 |
C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe
| MD5 | c3f58ffd73d3afc5cc08a29dc5a864c8 |
| SHA1 | aad0a8c93043e3a4f7c422278c9c02a016ed55b7 |
| SHA256 | 27d16a4b6970b62bc05c437177605391f7788a3e602e69da9d1375ace81b4ee2 |
| SHA512 | 4d45d348bbbc2d503eea99c7265e68c6ce87cf8be982ba153c6e8e6c58484476fc4287a91f8cff2eaa3f4ff1de04e02b2b4bcb597326c6963b28967670fc50b7 |
memory/1928-22-0x0000000074370000-0x000000007491B000-memory.dmp
memory/2636-23-0x00000000013D0000-0x0000000001400000-memory.dmp
memory/2760-24-0x0000000000D10000-0x0000000000D28000-memory.dmp
memory/2396-25-0x0000000000BC0000-0x0000000000BD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1EB7.tmp.bat
| MD5 | 6be7505dc87e5602ce351f5ddc47ec1d |
| SHA1 | 2d3ff0c86ea97b5836de43476332c3e309f137af |
| SHA256 | c99b0a8bf0f1b3e4e0dff452eb4fd633d7c9d3f39a92fab0b2105c5b74c9963b |
| SHA512 | 4a2e9b048fc2860e9097ecc929d46fb302a6df58627c28cf85ddee6cbbabe323e06b84362f04cea3092ac14709b099ff4c1251e6e2ca69925552de679a477860 |
memory/1624-40-0x0000000000AA0000-0x0000000000AB8000-memory.dmp
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\3557c6acd3721b97a8f3fb142afad5a5\Admin@JAFTUVRJ_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\Temp\Cab4978.tmp
| MD5 | 2d3dcf90f6c99f47e7593ea250c9e749 |
| SHA1 | 51be82be4a272669983313565b4940d4b1385237 |
| SHA256 | 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4 |
| SHA512 | 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5 |
C:\Users\Admin\AppData\Local\d4f0b8d937cb012cbfc40aeb1b8ca9c0\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 01:08
Reported
2024-06-14 01:11
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender security.lnk | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender security.lnk | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender security = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender security.exe" | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender security.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe
"C:\Users\Admin\AppData\Local\Temp\d242df7f2b38186e3ff903b28119c09883df033ba2519e9b5f19eb0652f78975.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"
C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp536F.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender Security Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender security" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"
C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender Security Service.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender security.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| TH | 119.59.98.116:7812 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
Files
memory/4344-0-0x0000000074EA2000-0x0000000074EA3000-memory.dmp
memory/4344-1-0x0000000074EA0000-0x0000000075451000-memory.dmp
memory/4344-2-0x0000000074EA0000-0x0000000075451000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 1d94cbce42232d67fb1e032e1e61d77e |
| SHA1 | 0f10e767c0cba85a39122b8e040c976de50dc468 |
| SHA256 | 5b9f1c1780a2889685343734f81db30b92b7407cc8e476d01cf4f46d37db04a9 |
| SHA512 | 5f8a3c1d35fe009b36c54bed90e8ce44bba86180a409855b10b4693d123f1c323f8c928507d01ba552eff6e387074a07736bb7851dbf1984db0d750107eaeff4 |
C:\Users\Admin\AppData\Roaming\Windows Defender security.exe
| MD5 | 454abb9d524208fb694e7e70c0fbc56a |
| SHA1 | 060037a032fa3ccf469d902e12c1523e00040748 |
| SHA256 | c93c27a171d7a883f34e944d16bb47f0e949eb36181060f923e4d8df8da24298 |
| SHA512 | dd390f87dfb7f80074c92a61ae1ee65193855dc0b7dafe14ae65aedffb92625d6ebb5ea9fac9e452ad0ee4b3bb0d8923a926793c87a4af745f718921688d4b54 |
C:\Users\Admin\AppData\Roaming\Windows Security Service Host.exe
| MD5 | c3f58ffd73d3afc5cc08a29dc5a864c8 |
| SHA1 | aad0a8c93043e3a4f7c422278c9c02a016ed55b7 |
| SHA256 | 27d16a4b6970b62bc05c437177605391f7788a3e602e69da9d1375ace81b4ee2 |
| SHA512 | 4d45d348bbbc2d503eea99c7265e68c6ce87cf8be982ba153c6e8e6c58484476fc4287a91f8cff2eaa3f4ff1de04e02b2b4bcb597326c6963b28967670fc50b7 |
memory/2140-34-0x00007FFBBBDC3000-0x00007FFBBBDC5000-memory.dmp
memory/4496-38-0x000000007207E000-0x000000007207F000-memory.dmp
memory/2140-39-0x0000000000910000-0x0000000000920000-memory.dmp
memory/4496-41-0x0000000000720000-0x0000000000750000-memory.dmp
memory/3404-40-0x0000000000A30000-0x0000000000A48000-memory.dmp
memory/4344-43-0x0000000074EA0000-0x0000000075451000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp536F.tmp.bat
| MD5 | cd3233af885693391fdec5620c3880c4 |
| SHA1 | 9c4f8a2582c0e29d6104638f1aa71310093757d9 |
| SHA256 | 3a9df5ba36d093a95a94faa569491080b82ad38886c3f7c0a7e631a603383b4a |
| SHA512 | 95f5b7107e8e885d4dc14332d408c52214704c4aa6c32bad9541c46b39dcbe20426e6197fc1614289e5829efe46433abb4c19f84f39f758f714cab163138e8a9 |
memory/4496-50-0x0000000005870000-0x00000000058D6000-memory.dmp
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
C:\Users\Admin\AppData\Local\bd0f31557645cf98f12f3f81f5944b53\Admin@SNFVGQLU_en-US\System\Process.txt
| MD5 | 16b379e5e9278c314460b4ce33724b2d |
| SHA1 | 958af972b0393f189ece396a948a778b97f9b9da |
| SHA256 | 6bd26a9e258db86c9b1cab9d369958a5617f21034a85a4cbf7564f488f59e9e9 |
| SHA512 | de0eae30a8e4797754cb20c5a246cd69cc2920fd535fd3f6e8edc6bd6afc3657984b27ff236624cfeffe02a7ed1c82a9cf0d62f3cfaad18b9a0dc1c6d9cfa356 |
memory/4496-198-0x00000000061E0000-0x0000000006272000-memory.dmp
memory/4496-199-0x0000000006830000-0x0000000006DD4000-memory.dmp
memory/4496-203-0x0000000006380000-0x000000000638A000-memory.dmp
memory/4496-206-0x000000007207E000-0x000000007207F000-memory.dmp
C:\Users\Admin\AppData\Local\cfd2ab89bc4083f7f1abdebfd243735a\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Defender security.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |