Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/06/2024, 06:52

General

  • Target

    3644f9a06d97f903a5ceebdd7f2f4500.exe

  • Size

    222KB

  • MD5

    3644f9a06d97f903a5ceebdd7f2f4500

  • SHA1

    53ed26fba664d03b0e2423d6da7235c983fe2a1e

  • SHA256

    bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56

  • SHA512

    f0dced1046018e83a33acc0e06f43bdd300ae4defff974c033a1f16cfd78c366cfd11e480554c197d844442fcfd51494ea39abb7c9c22c686d1b3a6cf5c30d1a

  • SSDEEP

    6144:zVW1Fk5kc9tepTde06Or1HVSuZyfbqLW:JWnYt0hHVSuTLW

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

94.232.249.111:6606

94.232.249.111:7707

94.232.249.111:8808

Mutex

o6tEeoRxJb0n

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Async RAT payload 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops desktop.ini file(s) 8 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe
      "C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\system32\relog.exe
        C:\Windows\system32\relog.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3512
    • C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3812
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
        3⤵
          PID:3668
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3280
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4D7F.tmp.bat""
          3⤵
            PID:3796
            • C:\Windows\SysWOW64\timeout.exe
              timeout 3
              4⤵
              • Delays execution with timeout.exe
              PID:3608
            • C:\Users\Admin\AppData\Roaming\svchost.exe
              "C:\Users\Admin\AppData\Roaming\svchost.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2928
        • C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe
          "C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe"
          2⤵
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:2364
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            3⤵
              PID:1752
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                4⤵
                  PID:1112
                • C:\Windows\SysWOW64\netsh.exe
                  netsh wlan show profile
                  4⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  PID:1092
                • C:\Windows\SysWOW64\findstr.exe
                  findstr All
                  4⤵
                    PID:4440
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                  3⤵
                    PID:4568
                    • C:\Windows\SysWOW64\chcp.com
                      chcp 65001
                      4⤵
                        PID:2300
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh wlan show networks mode=bssid
                        4⤵
                        • Event Triggered Execution: Netsh Helper DLL
                        PID:3472
                  • C:\Users\Admin\AppData\Local\Temp\1932.tmp.svchost.exe
                    "C:\Users\Admin\AppData\Local\Temp\1932.tmp.svchost.exe"
                    2⤵
                    • Executes dropped EXE
                    PID:1808
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
                  1⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:684
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f4,0x7ffd3b3c2e98,0x7ffd3b3c2ea4,0x7ffd3b3c2eb0
                    2⤵
                      PID:2496
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2276 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:2
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2280
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3220 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:3
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:408
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3480 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
                      2⤵
                        PID:3436
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5312 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2524
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5324 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4288
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3468 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
                        2⤵
                          PID:3232
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4700 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
                          2⤵
                            PID:3336

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

                          Filesize

                          1KB

                          MD5

                          e1acba25e664db4f5b29a4f53d733a42

                          SHA1

                          3372c405dc21ae7e061e947176041b3414b52818

                          SHA256

                          40b699f4d64261b9802580be4e723fed50af6e081a6453e2eabbf9c58eb29012

                          SHA512

                          a9cbb29a0f4543b350951df9bdd3f06bbf9df4871692f87b4e84862e85d5b72305efba0ee886914de6b05075910f2906d75f78ade715240bc70e970a1e31f206

                        • C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe

                          Filesize

                          175KB

                          MD5

                          da34ea26ddfedfd7966e8aedf0bb93e6

                          SHA1

                          ba30bde364d564268d175090364158cb66c165a9

                          SHA256

                          817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20

                          SHA512

                          fbf634fd22ec37a65540c6ad1968b53666308d4d31a151c26b1444e242de40c95c0f48f96010bc72e5e0e9a10982b4f56590e96aded12015de915d7d86af8dff

                        • C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe

                          Filesize

                          47KB

                          MD5

                          6d13d147a209e3be044035f0c03b7bde

                          SHA1

                          1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283

                          SHA256

                          9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548

                          SHA512

                          a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9

                        • C:\Users\Admin\AppData\Local\Temp\TH6E1.tmp

                          Filesize

                          222KB

                          MD5

                          933bc84c355410977507fce60295cc73

                          SHA1

                          1b395d4888d1dc60127e7c65fe7da857981bda1e

                          SHA256

                          f097a2cdef650eddd702047ae31625bafedd92099b92c1cfc61be73e636ed152

                          SHA512

                          d7f3ae4b5729b392e610fd084b7b19408ec52215106e8dd58cf7d019db8cd398bd4a368adf526e72f8cd6e8584ac0fe392d979e719df79bb17b5570542cb4740

                        • C:\Users\Admin\AppData\Local\Temp\tmp4D7F.tmp.bat

                          Filesize

                          151B

                          MD5

                          2bea490af3f2d791c9d9d23d3ebfced7

                          SHA1

                          b048fdb35104437d740c5dd84ebe8b8cbf0a454b

                          SHA256

                          dd82e69f788b551c42ee824d773b724950d86511ff3e8a7e1709a926f08e57d8

                          SHA512

                          e3b1b271210b1a4582900aad715d4a14736199b59ac40f4666c4d9f62014d7dce9dec853a19d7ed2303b82fbb2b35799f42d1610e761e177847132abf181f1c7

                        • C:\Users\Admin\AppData\Local\ae2b3b02108afcee055284706dff9e4a\msgid.dat

                          Filesize

                          1B

                          MD5

                          cfcd208495d565ef66e7dff9f98764da

                          SHA1

                          b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                          SHA256

                          5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                          SHA512

                          31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                        • C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Browsers\Firefox\Bookmarks.txt

                          Filesize

                          105B

                          MD5

                          2e9d094dda5cdc3ce6519f75943a4ff4

                          SHA1

                          5d989b4ac8b699781681fe75ed9ef98191a5096c

                          SHA256

                          c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                          SHA512

                          d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

                        • C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\System\Process.txt

                          Filesize

                          4KB

                          MD5

                          f016dfc231f6a5632ee40227595e58a1

                          SHA1

                          1177fc2d3fd86e97f625bb700074936e9b39367c

                          SHA256

                          ad7217e70adbbee374d0a8a44528b4e68706a03daf09f06e2172009620728409

                          SHA512

                          6a8a209e987de6bef6267e75a4f6ecaecd739ff897c7b0b54ebaa90bcec851efb5e3342c5f5406e6b8e2f56debb163409b4d78233c89aae5eb3ed48acbe0a5e3

                        • C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe

                          Filesize

                          222KB

                          MD5

                          3644f9a06d97f903a5ceebdd7f2f4500

                          SHA1

                          53ed26fba664d03b0e2423d6da7235c983fe2a1e

                          SHA256

                          bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56

                          SHA512

                          f0dced1046018e83a33acc0e06f43bdd300ae4defff974c033a1f16cfd78c366cfd11e480554c197d844442fcfd51494ea39abb7c9c22c686d1b3a6cf5c30d1a

                        • memory/2364-102-0x0000000004C70000-0x0000000004CD6000-memory.dmp

                          Filesize

                          408KB

                        • memory/2364-88-0x0000000000190000-0x00000000001C2000-memory.dmp

                          Filesize

                          200KB

                        • memory/2364-272-0x0000000005C40000-0x0000000005C52000-memory.dmp

                          Filesize

                          72KB

                        • memory/2364-266-0x0000000005080000-0x000000000508A000-memory.dmp

                          Filesize

                          40KB

                        • memory/2364-260-0x0000000006110000-0x00000000066B4000-memory.dmp

                          Filesize

                          5.6MB

                        • memory/2364-259-0x0000000005AC0000-0x0000000005B52000-memory.dmp

                          Filesize

                          584KB

                        • memory/3300-62-0x00007FFD5D3C0000-0x00007FFD5D3C1000-memory.dmp

                          Filesize

                          4KB

                        • memory/3300-107-0x00000000033C0000-0x0000000003411000-memory.dmp

                          Filesize

                          324KB

                        • memory/3300-106-0x0000000003170000-0x000000000318A000-memory.dmp

                          Filesize

                          104KB

                        • memory/3300-50-0x00000000033C0000-0x0000000003411000-memory.dmp

                          Filesize

                          324KB

                        • memory/3300-46-0x0000000002FD0000-0x0000000002FE6000-memory.dmp

                          Filesize

                          88KB

                        • memory/3300-53-0x00000000033C0000-0x0000000003411000-memory.dmp

                          Filesize

                          324KB

                        • memory/3300-52-0x0000000003170000-0x000000000318A000-memory.dmp

                          Filesize

                          104KB

                        • memory/3300-48-0x00000000031C0000-0x0000000003202000-memory.dmp

                          Filesize

                          264KB

                        • memory/3812-96-0x00000000057D0000-0x000000000586C000-memory.dmp

                          Filesize

                          624KB

                        • memory/3812-89-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

                          Filesize

                          72KB