Analysis Overview
SHA256
6a455e9b962aa68ed3b1261574b2f341137109b103c01f7efc53946ffd8eeefe
Threat Level: Known bad
The file 3db6a404d2c91a867cefab626a3485b0.exe was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
AsyncRat
Nirsoft
NirSoft WebBrowserPassView
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 09:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 09:56
Reported
2024-06-15 09:59
Platform
win10v2004-20240611-en
Max time kernel
125s
Max time network
149s
Command Line
Signatures
AsyncRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2592 set thread context of 4984 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3db6a404d2c91a867cefab626a3485b0.exe
"C:\Users\Admin\AppData\Local\Temp\3db6a404d2c91a867cefab626a3485b0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\KADISJDSIZABNMKJ.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\SAWBLXTBFBTABRIXEUHKCX\SAWBLXTBFBTABRIXEUHKCX.ps1'"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\SAWBLXTBFBTABRIXEUHKCX\SAWBLXTBFBTABRIXEUHKCX.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -executionPolicy Bypass -Command C:\ProgramData\SAWBLXTBFBTABRIXEUHKCX\SAWBLXTBFBTABRIXEUHKCX.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SAWBLXTBFBTABRIXEUHKCX\SAWBLXTBFBTABRIXEUHKCX.bat""
C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\SAWBLXTBFBTABRIXEUHKCX\GGZPYVAZZZWBKGUJBRBTVK.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\SAWBLXTBFBTABRIXEUHKCX\GGZPYVAZZZWBKGUJBRBTVK.ps1'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| JP | 198.13.56.225:80 | 198.13.56.225 | tcp |
| US | 8.8.8.8:53 | 225.56.13.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mioromidlsr.camdvr.org | udp |
| GB | 51.77.113.177:222 | mioromidlsr.camdvr.org | tcp |
| US | 8.8.8.8:53 | 177.113.77.51.in-addr.arpa | udp |
| GB | 51.77.113.177:6606 | mioromidlsr.camdvr.org | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
memory/2064-1-0x0000000000AF0000-0x0000000000B06000-memory.dmp
memory/2064-0-0x00007FFD3BCA3000-0x00007FFD3BCA5000-memory.dmp
memory/2064-2-0x00007FFD3BCA0000-0x00007FFD3C761000-memory.dmp
memory/3740-9-0x000001F015B10000-0x000001F015B32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aktltklk.kcs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3740-14-0x00007FFD3BCA0000-0x00007FFD3C761000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KADISJDSIZABNMKJ.ps1
| MD5 | c9ff5c2e88a5ca99988dac9cf645f02b |
| SHA1 | ed23e9eba0cc5a8f3c1bb702cfc1b925e4d7c636 |
| SHA256 | dff2b6d56cfe8aac5ad70646e3557eb4358b8ec88548efa1dd35c6fba95c0801 |
| SHA512 | 6c962cb55594e766d966a9af5bdfe3c34da2244667da7342326758857eaf111d5bc4b529ef7e827a257035c666d43147896ebc5099d3b29774cb0ae65b9f867c |
memory/3740-16-0x00007FFD3BCA0000-0x00007FFD3C761000-memory.dmp
memory/3740-17-0x00007FFD3BCA0000-0x00007FFD3C761000-memory.dmp
C:\ProgramData\SAWBLXTBFBTABRIXEUHKCX\SAWBLXTBFBTABRIXEUHKCX.ps1
| MD5 | 3c5ab7c2cfe8e322d562ad6190aa82cf |
| SHA1 | 99e690ae20d633adb48e31af589288ad65a717d0 |
| SHA256 | d6875ebd7746e63696ed1939ba253bf2f377e74e58ac8a0d8d8ed82089c0dfb4 |
| SHA512 | 37f1cc7b476d7eca1ca89b7c6f80bb084d622493e7881d9cb0693895804cf564143005ebc8ad3de1179fd955f2f49e5e5becfd2ca729e2509a64d86b2b1c5fff |
C:\ProgramData\SAWBLXTBFBTABRIXEUHKCX\SAWBLXTBFBTABRIXEUHKCX.vbs
| MD5 | b527ba1325dcc3abdcf6d28eda3b5a97 |
| SHA1 | ef240638a5991726d78008401b674d9e88a189e4 |
| SHA256 | bed6421e91c451c8d670823b76252cf517ffbcd805149b76ca3b0ef624be31c5 |
| SHA512 | 20859b362dacedcdd2af440b8f95f63f9817067fcd08a2b0cbfa563ca604c98b34ab66480ce315524f067ac9c738600a136b2248be84e072b902db55946d932d |
C:\ProgramData\SAWBLXTBFBTABRIXEUHKCX\SAWBLXTBFBTABRIXEUHKCX.bat
| MD5 | f2d0210c1b2ae01d056b97067490789f |
| SHA1 | 7ee96e543c6fe0d7b653beaba5e28477dc43b3bd |
| SHA256 | e48269fe800ca2bd49ec52d97493962699b3faad050fcce80e53859aef624231 |
| SHA512 | 2666094ef68d4c738d1c19b83e942c85f4f6fac8926911ded012adf2512119b90fe2973f0469494e66deeb029abdd37b6435971e9ad20562920ee835c25e0879 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 00e7da020005370a518c26d5deb40691 |
| SHA1 | 389b34fdb01997f1de74a5a2be0ff656280c0432 |
| SHA256 | a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe |
| SHA512 | 9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d096831023867930e62e6d8b3d4d8ca6 |
| SHA1 | 404a1e73dc1590f1c8b9327c396591567dac7365 |
| SHA256 | 167f75b42ae614a8d6b0497779ff12f09605328533487f235b029e0db03ad23b |
| SHA512 | 31333100ddd8e04bf730118ea800843720c0f3fb69e27b89dda7fa4d717d25e838ad55a0919d47a44dd8a78d724ef8c105cfa230987cc46ba94a2b790ff91b75 |
memory/3740-50-0x00007FFD3BCA0000-0x00007FFD3C761000-memory.dmp
memory/2064-62-0x00007FFD3BCA0000-0x00007FFD3C761000-memory.dmp
C:\ProgramData\SAWBLXTBFBTABRIXEUHKCX\GGZPYVAZZZWBKGUJBRBTVK.ps1
| MD5 | 51e3833f116232e99b0f6225990e370e |
| SHA1 | d87395adeb8cebcc1dae4f2576fbcbb901e30953 |
| SHA256 | 0294bf408107a48c1e4d8eb0585c7e25b4394caaa43e87115679df296c2a5698 |
| SHA512 | 7efe65cdca553660057be9fa72796a7711ff795e91b90ee8ea9f35621bd16369b52de897b7a751e3a54be0a8137ec275c12ffe92b367c587148db613d79009d1 |
memory/2592-64-0x000002193A470000-0x000002193A498000-memory.dmp
memory/2592-72-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-66-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-65-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-82-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-100-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-98-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-96-0x000002193A470000-0x000002193A491000-memory.dmp
memory/4984-101-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2592-92-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-90-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-88-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-86-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-80-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-78-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-76-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-74-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-70-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-68-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-94-0x000002193A470000-0x000002193A491000-memory.dmp
memory/2592-84-0x000002193A470000-0x000002193A491000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 50a8221b93fbd2628ac460dd408a9fc1 |
| SHA1 | 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6 |
| SHA256 | 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e |
| SHA512 | 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0 |
memory/4984-105-0x0000000005860000-0x0000000005E04000-memory.dmp
memory/4984-106-0x0000000005490000-0x0000000005522000-memory.dmp
memory/4984-107-0x0000000005480000-0x000000000548A000-memory.dmp
memory/4984-108-0x00000000060F0000-0x000000000618C000-memory.dmp
memory/4984-109-0x0000000006190000-0x00000000061F6000-memory.dmp
memory/4984-110-0x0000000006F60000-0x0000000007094000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 09:56
Reported
2024-06-15 09:59
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3db6a404d2c91a867cefab626a3485b0.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1196 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\3db6a404d2c91a867cefab626a3485b0.exe | C:\Windows\system32\WerFault.exe |
| PID 1196 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\3db6a404d2c91a867cefab626a3485b0.exe | C:\Windows\system32\WerFault.exe |
| PID 1196 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\3db6a404d2c91a867cefab626a3485b0.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3db6a404d2c91a867cefab626a3485b0.exe
"C:\Users\Admin\AppData\Local\Temp\3db6a404d2c91a867cefab626a3485b0.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1196 -s 1032
Network
| Country | Destination | Domain | Proto |
| JP | 198.13.56.225:80 | N/A | tcp |
Files
memory/1196-0-0x000007FEF5323000-0x000007FEF5324000-memory.dmp
memory/1196-1-0x0000000000E60000-0x0000000000E76000-memory.dmp
memory/1196-2-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp
memory/1196-3-0x000007FEF5323000-0x000007FEF5324000-memory.dmp
memory/1196-4-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp