Malware Analysis Report

2024-08-06 13:11

Sample ID 240614-vhjtxasgmj
Target ScythDox.exe
SHA256 a160b40dc1a11db87551502bcceab7b4bf8004ca1fc55f4644dcf02641b1844c
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a160b40dc1a11db87551502bcceab7b4bf8004ca1fc55f4644dcf02641b1844c

Threat Level: Known bad

The file ScythDox.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Async RAT payload

Asyncrat family

AsyncRat

Async RAT payload

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 16:59

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 16:59

Reported

2024-06-14 17:02

Platform

win10-20240611-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ScythDox.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe C:\Windows\system32\cmd.exe
PID 3560 wrote to memory of 3120 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3560 wrote to memory of 3120 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1876 wrote to memory of 3140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1876 wrote to memory of 3140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1876 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Doxxister!.exe
PID 1876 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Doxxister!.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ScythDox.exe

"C:\Users\Admin\AppData\Local\Temp\ScythDox.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Doxxister!" /tr '"C:\Users\Admin\AppData\Roaming\Doxxister!.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE3E8.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Doxxister!" /tr '"C:\Users\Admin\AppData\Roaming\Doxxister!.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Doxxister!.exe

"C:\Users\Admin\AppData\Roaming\Doxxister!.exe"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResolveExpand.m3u"

Network

Country Destination Domain Proto
US 199.232.210.172:80 tcp
US 199.232.210.172:80 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
US 8.8.8.8:53 25.251.17.2.in-addr.arpa udp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp

Files

memory/2356-0-0x00007FF862F13000-0x00007FF862F14000-memory.dmp

memory/2356-1-0x0000000000030000-0x0000000000042000-memory.dmp

memory/2356-2-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

memory/2356-7-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE3E8.tmp.bat

MD5 b86d73436124f5d4c1c0d44eca3225d3
SHA1 dddcd1243a6358a6ddcd630b97e3ea5457d83168
SHA256 13c47c85daaea198e38828157ef12a6d25d6fccacdfeaeebfccdf13816af66a8
SHA512 c030df18823ac21342db5784dc2b935545edb9bc323ec883db3d698847eb17cb4da6100b0ddb9f206adbd8e082e6dd084ac86b118fd2613506c77169261dc1d0

C:\Users\Admin\AppData\Roaming\Doxxister!.exe

MD5 06967a51ed6887c2bce5445e5f9ab039
SHA1 94d4ec13dd59fece5fd933cf1b0749313cb118ac
SHA256 a160b40dc1a11db87551502bcceab7b4bf8004ca1fc55f4644dcf02641b1844c
SHA512 75af9d504ac5b7769d1e54bafe36579cb9ecf07a52b301c35052ccba969e7a1db2140a2b110f755feaf7e45f1e75b55f5ba51314dae475a8c61566ed923091c5

memory/1912-18-0x00007FF876310000-0x00007FF876344000-memory.dmp

memory/1912-17-0x00007FF6616C0000-0x00007FF6617B8000-memory.dmp

memory/1912-26-0x00007FF872490000-0x00007FF8724A1000-memory.dmp

memory/1912-25-0x00007FF8724B0000-0x00007FF8724CD000-memory.dmp

memory/1912-24-0x00007FF8728E0000-0x00007FF8728F1000-memory.dmp

memory/1912-19-0x00007FF8670D0000-0x00007FF867386000-memory.dmp

memory/1912-27-0x00007FF85EC10000-0x00007FF85EE1B000-memory.dmp

memory/1912-22-0x00007FF872A80000-0x00007FF872A91000-memory.dmp

memory/1912-21-0x00007FF872C00000-0x00007FF872C17000-memory.dmp

memory/1912-23-0x00007FF872900000-0x00007FF872917000-memory.dmp

memory/1912-20-0x00007FF8762F0000-0x00007FF876308000-memory.dmp

memory/1912-29-0x00007FF872040000-0x00007FF872081000-memory.dmp

memory/1912-36-0x00007FF867070000-0x00007FF867081000-memory.dmp

memory/1912-35-0x00007FF871F70000-0x00007FF871F8B000-memory.dmp

memory/1912-34-0x00007FF871F90000-0x00007FF871FA1000-memory.dmp

memory/1912-33-0x00007FF871FB0000-0x00007FF871FC1000-memory.dmp

memory/1912-32-0x00007FF871FD0000-0x00007FF871FE1000-memory.dmp

memory/1912-31-0x00007FF871FF0000-0x00007FF872008000-memory.dmp

memory/1912-30-0x00007FF872010000-0x00007FF872031000-memory.dmp

memory/1912-28-0x00007FF85DB60000-0x00007FF85EC10000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 16:59

Reported

2024-06-14 17:02

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ScythDox.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4836 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe C:\Windows\System32\cmd.exe
PID 4836 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe C:\Windows\System32\cmd.exe
PID 4836 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe C:\Windows\system32\cmd.exe
PID 4836 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe C:\Windows\system32\cmd.exe
PID 3500 wrote to memory of 6088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3500 wrote to memory of 6088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4788 wrote to memory of 3108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4788 wrote to memory of 3108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3500 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Doxxister!.exe
PID 3500 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Doxxister!.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ScythDox.exe

"C:\Users\Admin\AppData\Local\Temp\ScythDox.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Doxxister!" /tr '"C:\Users\Admin\AppData\Roaming\Doxxister!.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp493E.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Doxxister!" /tr '"C:\Users\Admin\AppData\Roaming\Doxxister!.exe"'

C:\Users\Admin\AppData\Roaming\Doxxister!.exe

"C:\Users\Admin\AppData\Roaming\Doxxister!.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp

Files

memory/4836-1-0x00007FFA03793000-0x00007FFA03795000-memory.dmp

memory/4836-0-0x0000000000F90000-0x0000000000FA2000-memory.dmp

memory/4836-2-0x00007FFA03790000-0x00007FFA04251000-memory.dmp

memory/4836-7-0x00007FFA03790000-0x00007FFA04251000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp493E.tmp.bat

MD5 3dec635fcdd64a5defb62c6504c5071a
SHA1 b6879ad8de3ed7f72080a0238e29d1d19193ae22
SHA256 dbd41b6ac7316f1d3ffff2d4410dc509e2155998a5dbd8f4ec14b62db9569730
SHA512 1d33555735562343dac62b1bec69402267a71bcdd0eece27143785a0c921d40eda78290f834e4a2d08007f8de07b176277e0e0f4d31cd6d0c0292109e9462bbc

C:\Users\Admin\AppData\Roaming\Doxxister!.exe

MD5 06967a51ed6887c2bce5445e5f9ab039
SHA1 94d4ec13dd59fece5fd933cf1b0749313cb118ac
SHA256 a160b40dc1a11db87551502bcceab7b4bf8004ca1fc55f4644dcf02641b1844c
SHA512 75af9d504ac5b7769d1e54bafe36579cb9ecf07a52b301c35052ccba969e7a1db2140a2b110f755feaf7e45f1e75b55f5ba51314dae475a8c61566ed923091c5

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 16:59

Reported

2024-06-14 17:01

Platform

win11-20240508-en

Max time kernel

56s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ScythDox.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "191" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Doxxister!.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4796 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe C:\Windows\System32\cmd.exe
PID 4796 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe C:\Windows\System32\cmd.exe
PID 4796 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\ScythDox.exe C:\Windows\system32\cmd.exe
PID 4184 wrote to memory of 4496 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4184 wrote to memory of 4496 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 904 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 904 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 904 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Doxxister!.exe
PID 904 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Doxxister!.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ScythDox.exe

"C:\Users\Admin\AppData\Local\Temp\ScythDox.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Doxxister!" /tr '"C:\Users\Admin\AppData\Roaming\Doxxister!.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7C83.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Doxxister!" /tr '"C:\Users\Admin\AppData\Roaming\Doxxister!.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Doxxister!.exe

"C:\Users\Admin\AppData\Roaming\Doxxister!.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39bd055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
GB 104.86.110.113:443 tcp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4796-1-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

memory/4796-0-0x0000000000FB0000-0x0000000000FC2000-memory.dmp

memory/4796-2-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7C83.tmp.bat

MD5 c38084dc221d2a6ea67a86839d05f29f
SHA1 0198e4f96c99e2f91b77447166f54e6c670aeca0
SHA256 7eef8667ed4ea238bef93b7ef924872f653a922416003563b365361a46cffc58
SHA512 a020be627cd42586c853de76d4e6d40e78e82770dd61564c50d9b516e08df39400785a8c18c09ee404faed956e295e120f82b58bab1573183374fd66ae969cac

memory/4796-8-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

C:\Users\Admin\AppData\Roaming\Doxxister!.exe

MD5 06967a51ed6887c2bce5445e5f9ab039
SHA1 94d4ec13dd59fece5fd933cf1b0749313cb118ac
SHA256 a160b40dc1a11db87551502bcceab7b4bf8004ca1fc55f4644dcf02641b1844c
SHA512 75af9d504ac5b7769d1e54bafe36579cb9ecf07a52b301c35052ccba969e7a1db2140a2b110f755feaf7e45f1e75b55f5ba51314dae475a8c61566ed923091c5