Malware Analysis Report

2024-09-23 03:05

Sample ID 240628-j9danasekp
Target 817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.zip
SHA256 2a81763ec0377125d360703185d9f1690c4f3ec8422169f01b80bb63664e7ec9
Tags
rat default asyncrat stormkitty persistence privilege_escalation spyware stealer evasion
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

2a81763ec0377125d360703185d9f1690c4f3ec8422169f01b80bb63664e7ec9

Threat Level: Known bad

The file 817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.zip was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat stormkitty persistence privilege_escalation spyware stealer evasion

The two Windows runs show a StormKitty-style stealer (browser profile data and Firefox bookmarks, a running-process inventory, Wi-Fi profile listing and BSSID survey via netsh.exe, external IP from icanhazip.com, geolocation from api.mylnikov.org, api.telegram.org as the exfiltration channel) bundled with an AsyncRAT client whose connection attempts go only to 127.0.0.1 on its default ports. The macOS and Linux runs record no activity attributable to the sample, which is a Windows PE.

Async RAT payload

Stormkitty family

Asyncrat family

StormKitty payload

StormKitty

AsyncRat

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

Resource Forking

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-28 08:21

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 08:21

Reported

2024-06-28 08:22

Platform

win7-20240220-en

Max time kernel

34s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

The paths below sit inside the sample's own staging directory (%LOCALAPPDATA%\<32 hex chars>\<user>@<host>_<locale>\Grabber\DRIVE-C\...), whose layout mirrors the victim's Desktop, Documents, Pictures and Downloads folders. The sample is copying the contents of those folders, desktop.ini included, into the staging tree for exfiltration; nothing is dropped into the user's real folders. The 32-character directory name differs between runs (compare behavioral2).

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\4dc58cc74e204b93f0fed6507a96ee9c\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
File created C:\Users\Admin\AppData\Local\4dc58cc74e204b93f0fed6507a96ee9c\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\4dc58cc74e204b93f0fed6507a96ee9c\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
File created C:\Users\Admin\AppData\Local\4dc58cc74e204b93f0fed6507a96ee9c\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
File created C:\Users\Admin\AppData\Local\4dc58cc74e204b93f0fed6507a96ee9c\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
File created C:\Users\Admin\AppData\Local\4dc58cc74e204b93f0fed6507a96ee9c\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Every row below is a read (opened, queried, enumerated) by netsh.exe itself, which consults this key at start-up to load its registered helper DLLs. No process wrote to the key, so the signature is a side effect of the sample running netsh.exe to list Wi-Fi profiles and nearby BSSIDs (see Processes), not evidence that a helper DLL was registered for persistence.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A

Suspicious use of WriteProcessMemory

Each row pairs a parent with a child it has just launched (the cmd.exe, chcp.com, netsh.exe and findstr.exe chain under Processes). A parent writing into a child it is creating is part of normal CreateProcess behaviour, so these rows document the process tree rather than injection into a foreign process; the sandbox raises the signature on the API call alone.

Description Indicator Process Target
PID 2968 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1344 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1344 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1344 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1344 wrote to memory of 356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1344 wrote to memory of 356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1344 wrote to memory of 356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1344 wrote to memory of 356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1344 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1344 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1344 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1344 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2968 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1616 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1616 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1616 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1616 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1616 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1616 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1616 wrote to memory of 1584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe

"C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid
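
An added detection example (my code, not part of the sandbox report or of any vendor rule set): Python rules run over constructed process-creation and registry events that mirror the behavioral1 tree above. The first eight process events copy the reported PIDs, images and command lines; the key=clear row, the PowerShell-launched control and the registry write under HKLM\SOFTWARE\Microsoft\NetSh are made up to exercise the positive and negative cases. The key=clear pattern goes beyond what this run shows (the report records only the profile listing and the BSSID survey); the registry rule encodes the caveat from the Netsh Helper DLL signature, alerting on writes to the key and ignoring netsh.exe's own reads.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:          # process-creation record (Sysmon EID 1 / EDR fields)
    pid: int
    ppid: int
    image: str
    cmdline: str

@dataclass(frozen=True)
class RegEvent:           # registry record; op is "query" (read) or "set" (write)
    pid: int
    image: str
    op: str
    key: str

# netsh wlan invocations: the two the report shows, plus the key=clear form that
# dumps a stored pre-shared key (assumed extension, not observed in this run).
WLAN_PATTERNS = {
    "wlan_profile_enum": re.compile(r"netsh\s+wlan\s+show\s+profile(?!\s+name=)", re.I),
    "wlan_key_dump": re.compile(r"netsh\s+wlan\s+show\s+profile\s+name=.*key=clear", re.I),
    "bssid_survey": re.compile(r"netsh\s+wlan\s+show\s+networks\s+mode=bssid", re.I),
}
CHCP_UTF8 = re.compile(r"chcp\s+65001", re.I)
# HKLM\SOFTWARE\Microsoft\NetSh (and its Wow6432Node view): helper-DLL registration key.
NETSH_HELPER_KEY = re.compile(r"\\software\\(wow6432node\\)?microsoft\\netsh(\\|$)", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def wifi_harvest_alerts(events):
    """Flag cmd.exe instances running the netsh wlan chain. Severity is high when
    the parent is not a System32/SysWOW64 binary (here: the sample in %TEMP%),
    which separates the stealer from an admin typing the same command."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        techniques = [n for n, rx in WLAN_PATTERNS.items() if rx.search(e.cmdline)]
        if not techniques:
            continue
        # "chcp 65001 &&" ahead of netsh is a stealer idiom: force UTF-8 output so
        # the captured text parses regardless of the victim's OEM code page.
        if CHCP_UTF8.search(e.cmdline):
            techniques.append("utf8_codepage_switch")
        parent = by_pid.get(e.ppid)
        odd_parent = parent is not None and not parent.image.lower().startswith(SYSTEM_DIRS)
        alerts.append({"pid": e.pid, "parent_image": parent.image if parent else None,
                       "techniques": techniques, "severity": "high" if odd_parent else "medium"})
    return alerts

def netsh_helper_alerts(reg_events):
    """T1546.007 needs a value WRITTEN under the NetSh key. netsh.exe reading the
    key at start-up (all the report records) is how it loads registered helpers."""
    return [{"pid": r.pid, "image": r.image, "key": r.key}
            for r in reg_events if r.op == "set" and NETSH_HELPER_KEY.search(r.key)]

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe")
SYSWOW = "C:\\Windows\\SysWOW64\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed events. The first eight mirror the behavioral1 process tree (PIDs,
# images, command lines as reported); the key=clear row and the PowerShell-launched
# control are made up to exercise the positive and negative cases.
SAMPLE_PROC_EVENTS = [
    ProcEvent(2968, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1344, 2968, SYSWOW + "cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(2100, 1344, SYSWOW + "chcp.com", "chcp 65001"),
    ProcEvent(356, 1344, SYSWOW + "netsh.exe", "netsh wlan show profile"),
    ProcEvent(2304, 1344, SYSWOW + "findstr.exe", "findstr All"),
    ProcEvent(1616, 2968, SYSWOW + "cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(1796, 1616, SYSWOW + "chcp.com", "chcp 65001"),
    ProcEvent(1584, 1616, SYSWOW + "netsh.exe", "netsh wlan show networks mode=bssid"),
    ProcEvent(6000, 2968, SYSWOW + "cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile name="HomeWiFi" key=clear'),
    ProcEvent(4000, 1, PS, '"powershell.exe"'),
    ProcEvent(5000, 4000, SYSWOW + "cmd.exe", '"cmd.exe" /C netsh wlan show profile'),
]
# Constructed registry events: the two reads are what the report shows for
# netsh.exe; the "set" from a user-profile binary is the made-up true positive.
SAMPLE_REG_EVENTS = [
    RegEvent(356, SYSWOW + "netsh.exe", "query",
             "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\NetSh"),
    RegEvent(1584, SYSWOW + "netsh.exe", "query",
             "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\NetSh"),
    RegEvent(4242, "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe", "set",
             "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\NetSh\\updhelper"),
]

if __name__ == "__main__":
    for a in wifi_harvest_alerts(SAMPLE_PROC_EVENTS) + netsh_helper_alerts(SAMPLE_REG_EVENTS):
        print(a)
```

Running it yields three high-severity alerts for the cmd.exe instances spawned by the sample (profile listing, BSSID survey, key dump), one medium alert for the PowerShell-launched control, and a single netsh helper hit for the constructed write; the two netsh.exe reads produce nothing. The parent-image check is the part that carries the signal: the command lines themselves are legitimate administrative commands.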

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp

The loopback connection attempts on 6606, 7707 and 8808 match the host (127.0.0.1) and port list AsyncRAT ships with in its default configuration, consistent with the "default" tag in the report header. The RAT component therefore never reaches a live C2 server in this run; the stealer's traffic to icanhazip.com, api.mylnikov.org and api.telegram.org is the only outbound activity.

Files

memory/2968-0-0x000000007423E000-0x000000007423F000-memory.dmp

memory/2968-1-0x0000000000130000-0x0000000000162000-memory.dmp

memory/2968-2-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2968-69-0x0000000074230000-0x000000007491E000-memory.dmp

C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

These digests are those of the one-byte string "0", so the file content is a single zero, consistent with a message-id counter initialised before the first upload. The same file, with the same digests, appears in behavioral2 under a different per-run directory.

memory/2968-78-0x000000007423E000-0x000000007423F000-memory.dmp

memory/2968-79-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2968-80-0x0000000074230000-0x000000007491E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 08:21

Reported

2024-06-28 08:22

Platform

win10v2004-20240611-en

Max time kernel

23s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Same staging behaviour as in behavioral1: the paths are inside the sample's Grabber\DRIVE-C tree, which mirrors the user's folders (here including Pictures\Camera Roll and Pictures\Saved Pictures), under a different per-run directory.

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
File created C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
File created C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
File created C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
File created C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
File created C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

As in behavioral1: reads by netsh.exe only, caused by the sample's netsh wlan commands; no write to the key was recorded, so no helper DLL persistence was established.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A

Suspicious behavior: EnumeratesProcesses

The repeated process enumeration by the sample matches the System\Process.txt artifact listed under Files: the stealer collects a running-process inventory as part of its report.

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe N/A

Suspicious use of WriteProcessMemory

As in behavioral1: each row is a parent writing into a child it has just launched during process creation, not injection into a foreign process.

Description Indicator Process Target
PID 3564 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4612 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4612 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4612 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4612 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4612 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4612 wrote to memory of 3336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4612 wrote to memory of 3336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4612 wrote to memory of 3336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3564 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4392 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4392 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4392 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4392 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4392 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe

"C:\Users\Admin\AppData\Local\Temp\817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

The bing.com rows are typical Windows 10 background traffic, and the in-addr.arpa rows are reverse lookups of addresses contacted during the run (241.184.16.104.in-addr.arpa reverses 104.16.184.241, the icanhazip.com address). The sample's own traffic is the same as in behavioral1: icanhazip.com, api.mylnikov.org, api.telegram.org and the loopback AsyncRAT port 8808.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:8808 tcp
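
An added triage helper (my code, not tooling from the sandbox vendor) that parses the flattened Network rows exactly as printed in this report, separates DNS queries, environment noise (bing.com, in-addr.arpa reverse lookups) and the sample's own endpoints, and checks the loopback ports against AsyncRAT's default port set (6606, 7707, 8808). The embedded rows are copied from the behavioral1 and behavioral2 tables above; the role labels for the three web services are my reading of the report, not sandbox output.

```python
import ipaddress
import re

# Port list AsyncRAT ships with in its default configuration; its default host is 127.0.0.1.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}
# Web services the stealer contacts; the role labels are my interpretation of the report.
SERVICE_ROLES = {
    "icanhazip.com": "external IP lookup",
    "api.mylnikov.org": "Wi-Fi geolocation lookup (BSSIDs gathered via netsh)",
    "api.telegram.org": "Telegram Bot API exfiltration channel",
}
# Environment background to exclude from the IOC list.
NOISE_SUFFIXES = ("bing.com", ".in-addr.arpa")

ROW = re.compile(r"^(?P<country>\S+)\s+(?P<ip>[0-9.]+):(?P<port>\d+)\s+"
                 r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")

def parse_network_table(text):
    """Parse the flattened 'Country Destination Domain Proto' rows of the report."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append({"country": m["country"], "ip": m["ip"], "port": int(m["port"]),
                     "domain": m["domain"], "proto": m["proto"]})
    return rows

def classify(rows):
    """Split rows into DNS queries, loopback C2 attempts, stealer services and noise."""
    res = {"dns_queries": set(), "loopback_ports": set(), "services": {},
           "noise": set(), "other": set()}
    for r in rows:
        d = r["domain"]
        if d and d.endswith(NOISE_SUFFIXES):
            res["noise"].add(d)
        elif r["proto"] == "udp" and r["port"] == 53:
            res["dns_queries"].add(d)
        elif ipaddress.ip_address(r["ip"]).is_loopback:
            res["loopback_ports"].add(r["port"])
        elif d in SERVICE_ROLES:
            res["services"].setdefault(d, set()).add(f"{r['ip']}:{r['port']}")
        else:
            res["other"].add((r["ip"], r["port"], d))
    # Loopback-only traffic on the default port set means a client built with an
    # unchanged configuration: there is no live C2 to extract from this run.
    res["asyncrat_default_config"] = (bool(res["loopback_ports"])
                                      and res["loopback_ports"] <= ASYNCRAT_DEFAULT_PORTS)
    return res

def hunt_iocs(res):
    """Domains and ip:port pairs worth hunting for; loopback and noise are excluded.
    The addresses belong to shared Cloudflare/Telegram infrastructure, so hunt on
    domain plus context (parent process, URI) rather than blocking the IPs outright."""
    iocs = set()
    for domain, endpoints in res["services"].items():
        iocs.add(domain)
        iocs.update(endpoints)
    return sorted(iocs)

# Rows copied from the behavioral1 and behavioral2 Network tables of this report.
NETWORK_TABLE = """
Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
"""

if __name__ == "__main__":
    result = classify(parse_network_table(NETWORK_TABLE))
    for domain, endpoints in result["services"].items():
        print(f"{domain:20} {SERVICE_ROLES[domain]:55} {sorted(endpoints)}")
    print("loopback ports:", sorted(result["loopback_ports"]),
          "default AsyncRAT config:", result["asyncrat_default_config"])
    print("hunt IOCs:", hunt_iocs(result))
```

The "other" bucket is the check that matters when reusing this on a different report: anything landing there is an endpoint the classifier has no explanation for and should be looked at by hand before the IOC list is shipped.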

Files

memory/3564-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

memory/3564-1-0x0000000000150000-0x0000000000182000-memory.dmp

memory/3564-2-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/3564-3-0x0000000004BC0000-0x0000000004C26000-memory.dmp

C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\75277855b11fe6cf1eff9c1e0deadbc0\Admin@TMUACBLB_en-US\System\Process.txt

MD5 5f05e296421dbdcc7197e77787882de3
SHA1 b33c585d697d6bebf0d3c28e8c2df3534d4f1d31
SHA256 05f53de5c1b817d4e7edc03eb13485a6f0bd2b23a7815aa3d64610886cf8a1f2
SHA512 a3cfd97a89ef3f06569c56077f9b8b7c0872e894d8b7c188d7043af29827de1978f46fa20583893af881b9b805a38ef08f001b514bd28ac4b053341a2da18536

memory/3564-150-0x00000000749A0000-0x0000000075150000-memory.dmp

memory/3564-151-0x0000000005610000-0x00000000056A2000-memory.dmp

memory/3564-152-0x0000000005D60000-0x0000000006304000-memory.dmp

memory/3564-156-0x00000000057D0000-0x00000000057DA000-memory.dmp

C:\Users\Admin\AppData\Local\046b6fa220d7c271e56e5729a34d75e8\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Same content as the behavioral1 msgid.dat (the digests of the one-byte string "0"), written under this run's per-run directory.

memory/3564-162-0x00000000749AE000-0x00000000749AF000-memory.dmp

memory/3564-163-0x00000000749A0000-0x0000000075150000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-28 08:21

Reported

2024-06-28 08:22

Platform

macos-20240611-en

Max time kernel

25s

Max time network

28s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

The indicator is an Apple system binary started through xpcproxy, not the sample. The submitted file is a Windows PE (see static1), which macOS cannot execute natively: the process list below consists of launchd-managed system services, and the network traffic goes to Apple, Akamai and Fastly infrastructure. Nothing in this run is attributable to the sample.

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe]

/bin/zsh

[/bin/zsh -c /Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe]

/Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe

[/Users/run/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

Network

Country Destination Domain Proto
GB 51.132.193.104:443 tcp
GB 17.250.81.67:443 tcp
US 8.8.8.8:53 h3.apis.apple.map.fastly.net udp
US 8.8.8.8:53 gspe1-ssl.ls.apple.com.edgesuite.net udp
GB 104.77.118.121:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 8.8.8.8:53 a479.dscg4.akamai.net udp
GB 23.59.171.27:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-28 08:21

Reported

2024-06-28 08:22

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Command Line

[/tmp/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe]

Signatures

N/A

No signatures, processes, network or file activity: the Windows PE cannot execute natively on Ubuntu, and the run recorded 0s of kernel time.

Processes

/tmp/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe

[/tmp/817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20.exe]

Network

N/A

Files

N/A