Analysis Overview
SHA256
9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
Threat Level: Known bad
The file 6d13d147a209e3be044035f0c03b7bde.exe was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
StormKitty
AsyncRat
Async RAT payload
StormKitty payload
Async RAT payload
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Looks up geolocation information via web service
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-28 09:18
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 09:18
Reported
2024-06-28 09:20
Platform
win7-20240220-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pymvyg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\pymvyg.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\pymvyg.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\pymvyg.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\pymvyg.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\pymvyg.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\pymvyg.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\pymvyg.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\pymvyg.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\pymvyg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\pymvyg.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6d13d147a209e3be044035f0c03b7bde.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\pymvyg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6d13d147a209e3be044035f0c03b7bde.exe
"C:\Users\Admin\AppData\Local\Temp\6d13d147a209e3be044035f0c03b7bde.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFC9.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pymvyg.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pymvyg.exe"'
C:\Users\Admin\AppData\Local\Temp\pymvyg.exe
"C:\Users\Admin\AppData\Local\Temp\pymvyg.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe"'
C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe
"C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| SY | 94.232.249.111:8808 | | tcp |
| SY | 94.232.249.111:8808 | | tcp |
| SY | 94.232.249.111:8808 | | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
Files
memory/1740-0-0x000000007401E000-0x000000007401F000-memory.dmp
memory/1740-1-0x0000000000E70000-0x0000000000E82000-memory.dmp
memory/1740-2-0x0000000074010000-0x00000000746FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpFC9.tmp.bat
| MD5 | 144627706fd33295ade7369a14480f05 |
| SHA1 | 0f1f961a99219433fb8bb36544521372db6384fb |
| SHA256 | 11f5a9cc9b80325c6c9eb0d18040f91216d7e8d0b8bb85cb13238d4e54de38de |
| SHA512 | e72072fb3177e4c3bce298653888665496ca7112042d360b60cb09241da714a6da2fb0c670414d248a2845d11970fe68a1dd2da62bd8a394e06901a098223428 |
memory/1740-12-0x0000000074010000-0x00000000746FE000-memory.dmp
\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 6d13d147a209e3be044035f0c03b7bde |
| SHA1 | 1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283 |
| SHA256 | 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548 |
| SHA512 | a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9 |
memory/2656-16-0x0000000000030000-0x0000000000042000-memory.dmp
memory/2656-34-0x0000000005530000-0x0000000005592000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar3663.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\pymvyg.exe
| MD5 | da34ea26ddfedfd7966e8aedf0bb93e6 |
| SHA1 | ba30bde364d564268d175090364158cb66c165a9 |
| SHA256 | 817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20 |
| SHA512 | fbf634fd22ec37a65540c6ad1968b53666308d4d31a151c26b1444e242de40c95c0f48f96010bc72e5e0e9a10982b4f56590e96aded12015de915d7d86af8dff |
memory/1608-61-0x0000000000120000-0x0000000000152000-memory.dmp
memory/2656-132-0x0000000005140000-0x00000000051A2000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | c82e73038c9113f96b1a4bab757fe0d0 |
| SHA1 | 9c3e755d8cf1b7a94a3af3600e2d970683675153 |
| SHA256 | 93abead3914dd79b01f1290a03be7af2825d9da30ace99d3ff0084049952e6cd |
| SHA512 | 437641bb52a310d5598b20f1529be6b4916e9b8a5180f6b481c0cbd31092745b62cc1fb2cc81274cf7d8160cec40e1383c063c448c9b526036fc100d2b75bf49 |
C:\Users\Admin\AppData\Local\Temp\fzxuwp.exe
| MD5 | ff895d93516828450e0c0dd0e467e1d0 |
| SHA1 | a19edaa4b1fbfb8b3c8fe61d4cac894beb921b39 |
| SHA256 | 24c4301e81d0f742d7470fdaae62499b9793265f2e78d77c71e8b84bf1718cca |
| SHA512 | c3758aa89990653619c4803122fd0761e1c2709fea0dd9b89317ac4627d4e73e54a15397f121716b1dd48fb180fbbd2ed4a3c7b799b11743b2f9079cd1b9f75e |
memory/1908-163-0x0000000000900000-0x0000000000932000-memory.dmp
C:\Users\Admin\AppData\Local\e969a13c26976db0d9f61051b972460e\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
| MD5 | ecf88f261853fe08d58e2e903220da14 |
| SHA1 | f72807a9e081906654ae196605e681d5938a2e6c |
| SHA256 | cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844 |
| SHA512 | 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
| MD5 | 3a37312509712d4e12d27240137ff377 |
| SHA1 | 30ced927e23b584725cf16351394175a6d2a9577 |
| SHA256 | b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3 |
| SHA512 | dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05 |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
| MD5 | 9e36cc3537ee9ee1e3b10fa4e761045b |
| SHA1 | 7726f55012e1e26cc762c9982e7c6c54ca7bb303 |
| SHA256 | 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026 |
| SHA512 | 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790 |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
| MD5 | 29eae335b77f438e05594d86a6ca22ff |
| SHA1 | d62ccc830c249de6b6532381b4c16a5f17f95d89 |
| SHA256 | 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4 |
| SHA512 | 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17 |
C:\Users\Admin\AppData\Local\Temp\tmp8833.tmp.dat
| MD5 | 18e04095708297d6889a6962f81e8d8f |
| SHA1 | 9a25645db1da0217092c06579599b04982192124 |
| SHA256 | 4ed16c019fe50bb4ab1c9dcedf0e52f93454b5dbaf18615d60761e7927b69fb7 |
| SHA512 | 45ec57bddeeb8bca05babcf8da83bf9db630819b23076a1cf79f2e54b3e88e14cd7db650332554026ab5e8634061dd699f322bcba6683765063e67ac47ea1caf |
C:\Users\Admin\AppData\Local\Temp\tmp8845.tmp.dat
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
C:\Users\Admin\AppData\Local\Temp\places.raw
| MD5 | 5abefffbcfcb833e098dff88ca9c2cf2 |
| SHA1 | 00c13b1547bf540e7106742f45e6d55f01e8dcf0 |
| SHA256 | 679c618e9cb42323cd0be32e9a9a55649e1700efa0a862a0d4a05b78e4dffdb6 |
| SHA512 | 3404324afa33be247f6b402703ce2f45af174e6faaff2aaa35b6b01b77b5fcc68454acc61399bc197fa4e3942e0d044f7ecaaa73aa7403d1bc2fea04bdad201a |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Directories\Temp.txt
| MD5 | b34cb7a207081e4eac875c90f197f4c4 |
| SHA1 | 069b7b46a430b3178eca02c4c6de28d368ba5f81 |
| SHA256 | c313bb6a5ae5c87ed64b072c7a00b188b9900c46fe389113d46f0b5b0a4f2946 |
| SHA512 | b325c22d3106f633efd7cb478700086c8a4c227e536fc7dffcfab7ef666dc5534e986b55a1f2ece860769561d7781d2f02ab203a89c7c288ed0b5f8c4dfdc7d9 |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Directories\Downloads.txt
| MD5 | 0f1f33363a62ec05502feadd8d63b4f2 |
| SHA1 | ccb3639c3419d0c1af880d215055917bb7792cd0 |
| SHA256 | 591ebd650c6706c6bc71a595318f4921a8071b61f36740538dbb835f1ae26e53 |
| SHA512 | fd95c5622b79618d4e001146fc8c760c25e2f277c2b07678dd85fe277dfb8d05b010c5755f4bc4f7fb35b002d2e10a50bb7755d8463f77d41cc203c6fdccc2a4 |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Directories\Startup.txt
| MD5 | 68c93da4981d591704cea7b71cebfb97 |
| SHA1 | fd0f8d97463cd33892cc828b4ad04e03fc014fa6 |
| SHA256 | 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483 |
| SHA512 | 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402 |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Directories\Videos.txt
| MD5 | 1fddbf1169b6c75898b86e7e24bc7c1f |
| SHA1 | d2091060cb5191ff70eb99c0088c182e80c20f8c |
| SHA256 | a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733 |
| SHA512 | 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Directories\Pictures.txt
| MD5 | 9f18ac86728e9866aa9e5c9974139536 |
| SHA1 | 0d14e792840c55c0b5dff62879061828eaba14b3 |
| SHA256 | e040f5ad99ac0e3c7d3f4c17a0af4ec59d0a5ca40609ffcdfa872012e9e106c9 |
| SHA512 | 60cee17fb9cd8a3888ff86fd22ad21fd267783e1c03b56d6ef7283d66a4885651de3c3e357543fe2f4751f3101626098465a5ab44705da36e679138c6c78d5bd |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Directories\Documents.txt
| MD5 | 5dfc33ef6a4d4e65f574256cab9fa233 |
| SHA1 | 725028e623b2bd4d9fcd7174ad17cfc6713db9ad |
| SHA256 | 1101e77cc25e9601ed0ee39c6f339cfcf37017f477796502b98390fa6f140fb3 |
| SHA512 | 69bc28f9a36e9af0720373ad2a0dbddc3515eb4413b842c9a097813a862b110c38659d93eb29ce3165dec06a0b0579c712b06b7f6db1c9210615b70ebec71ec3 |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\Directories\Desktop.txt
| MD5 | 6ad1051148e16229143dbc977b368a62 |
| SHA1 | 31ea9ac82317189b7f03a52fd69d301bac93dd4e |
| SHA256 | 52b48a0d1af939a4c5e88888641e4dcf45128675bec28605a9a1020b521476b0 |
| SHA512 | 60b2e2b9008c56a67b02aab75e1a73d4a5d9f5628aaa1bd3535e39cb8c8b1fb589e2d9e95c6ecac060d6df9179baef2449c8f40bb5c0121299c661948e8d7693 |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\System\Process.txt
| MD5 | 938e288585d14cd4b4cd1d9123d2099c |
| SHA1 | b8c90dbf2adaa7c049223c1ea9ca913dbff22827 |
| SHA256 | b458df87e73300409763c75404e6365c28b45871c25d73521b42dca1ab35287e |
| SHA512 | bc0695a0b6e804028783d98078e2553f434d08ad363f5960488456684c4fb035d2ddf6cffcbc1266204977f75a8baa593f78ce34f41c28d5971f6d4d53cb067a |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\System\ScanningNetworks.txt
| MD5 | 2a5b1b68e8c60a7bbc64ccbdab5c059b |
| SHA1 | 9ed50f7bdc446b08407a43ea4144ed3d7062c3bb |
| SHA256 | 1dbd461d3e88a299f97ae8779e98a20f20f906fbbc7c6f61f2ca1b663b997189 |
| SHA512 | d13f54fa81639cef910a0406372bf5bb190bfe7cecb7b6ab045d2939c323e29dd2893f3c20e2ffd15ea452dafdbf94320b15b8cac47791f00d545c862a17a930 |
C:\Users\Admin\AppData\Local\bbe4d32d3a8785275f217713963c932e\Admin@BISMIZHX_en-US\System\ProductKey.txt
| MD5 | cad6c6bee6c11c88f5e2f69f0be6deb7 |
| SHA1 | 289d74c3bebe6cca4e1d2e084482ad6d21316c84 |
| SHA256 | dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0 |
| SHA512 | e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 09:18
Reported
2024-06-28 09:19
Platform
win10v2004-20240508-en
Max time kernel
83s
Max time network
85s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6d13d147a209e3be044035f0c03b7bde.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\a0c2de03e62ae31d55388b1af1491ef3\Admin@RIJTOOVX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6d13d147a209e3be044035f0c03b7bde.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zqbygv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6d13d147a209e3be044035f0c03b7bde.exe
"C:\Users\Admin\AppData\Local\Temp\6d13d147a209e3be044035f0c03b7bde.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp81B3.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zqbygv.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zqbygv.exe"'
C:\Users\Admin\AppData\Local\Temp\zqbygv.exe
"C:\Users\Admin\AppData\Local\Temp\zqbygv.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe"'
C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe
"C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
C:\Windows\SysWOW64\shutdown.exe
Shutdown /s /f /t 00
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa399b855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| SY | 94.232.249.111:8808 | N/A | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.249.232.94.in-addr.arpa | udp |
| SY | 94.232.249.111:8808 | N/A | tcp |
| SY | 94.232.249.111:8808 | N/A | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.185.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| SY | 94.232.249.111:8808 | N/A | tcp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| SY | 94.232.249.111:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| SY | 94.232.249.111:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp81B3.tmp.bat
| MD5 | 9c74606d9a3e368fa6adff06939ce1b7 |
| SHA1 | dcde2bcc5a5a0b49e7ffab2c1882d453112d65a5 |
| SHA256 | af18964e7cf7415c4c46a471aef9ce0d9893be82137b873997ef9d665e6b10f8 |
| SHA512 | 04d737ea503e1946a16940a6db13ceb3798dae845c5b73ee6ec540acfe1e021350b8ccd8b36ace1cc7608b4fb2ce9887708296a5b213bf995bb9910ceb82aded |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 6d13d147a209e3be044035f0c03b7bde |
| SHA1 | 1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283 |
| SHA256 | 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548 |
| SHA512 | a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpwe23z3.eas.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\zqbygv.exe
| MD5 | da34ea26ddfedfd7966e8aedf0bb93e6 |
| SHA1 | ba30bde364d564268d175090364158cb66c165a9 |
| SHA256 | 817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20 |
| SHA512 | fbf634fd22ec37a65540c6ad1968b53666308d4d31a151c26b1444e242de40c95c0f48f96010bc72e5e0e9a10982b4f56590e96aded12015de915d7d86af8dff |
C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\Admin@RIJTOOVX_en-US\System\Process.txt
| MD5 | 47b9080cf3b36ab1f368c91a41b3d82e |
| SHA1 | ac79537ca12aef72207b3bb198a28d673efd20fd |
| SHA256 | 68ead6f5834e8ffb25f858b785b5e6343dc970621edebb9d4172ec82c41f8384 |
| SHA512 | 694baff9bb916969f11e323342b80db66379eb1a316f4e0007515997915f0f5ba5de186e1f0f19cc8a5d149b3edf917751fe1478d08a3a3251e140f0d096e6e5 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 5315900105942deb090a358a315b06fe |
| SHA1 | 22fe5d2e1617c31afbafb91c117508d41ef0ce44 |
| SHA256 | e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7 |
| SHA512 | 77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 681a67c52d39f65864d10b88d169a006 |
| SHA1 | a492fd83f28dd136afcbd397607e130000f9e0ad |
| SHA256 | 27e4865cc6709e4ba14e6a8d29e838e0a6643232acf0544179efafbed07712f0 |
| SHA512 | 79bbe58168c27530ec63eb75e03d2f410a7d1e9bff685ce02face30054a7baaf272bfe46f7a40fda1bfd2248357d51d68e3f7d88c07fa58416074f53919797ee |
C:\Users\Admin\AppData\Local\Temp\tyhdxz.exe
| MD5 | ff895d93516828450e0c0dd0e467e1d0 |
| SHA1 | a19edaa4b1fbfb8b3c8fe61d4cac894beb921b39 |
| SHA256 | 24c4301e81d0f742d7470fdaae62499b9793265f2e78d77c71e8b84bf1718cca |
| SHA512 | c3758aa89990653619c4803122fd0761e1c2709fea0dd9b89317ac4627d4e73e54a15397f121716b1dd48fb180fbbd2ed4a3c7b799b11743b2f9079cd1b9f75e |
C:\Users\Admin\AppData\Local\146f24452249d403ffeadb01eee2dd29\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Users\Admin\AppData\Local\Temp\tmpF8A8.tmp.dat
| MD5 | 9df444e0de734921d4d96deeeac4b16e |
| SHA1 | 31542622ecf896b93d830e21595091aef8742901 |
| SHA256 | 1d324d34d58165aca7dbf057a7417457776b4e805d60182401a9275fb7920900 |
| SHA512 | 2de6a0ac09b7a1a21cda31e49c072b097ca1959814c535920a099a9df87e993ba2dfd6cebcb8ec2110efca385bb618f771258575a06736afcfd6cd40a8e1a957 |
C:\Users\Admin\AppData\Local\Temp\tmpF8AA.tmp.dat
| MD5 | 73bd1e15afb04648c24593e8ba13e983 |
| SHA1 | 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91 |
| SHA256 | aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b |
| SHA512 | 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7 |
C:\Users\Admin\AppData\Local\Temp\tmpF8BD.tmp.dat
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\places.raw
| MD5 | b01182fd0bcfecd25f0378b6ddd50714 |
| SHA1 | faf0abd8ccde904e4ec90d216f9dada2c3a046d3 |
| SHA256 | 921d4d81de816c9f7add02a5c5dc28209959a2ce1bdd64eff6675a5cdbd90a55 |
| SHA512 | a409fe0c1fbbcc158d47f6f727446ddf754b99ec235715f5f03b66a4f0c91b93c8bbd9e7ab235ed65e9b0abdd4bf2899dd3e5ec4afa8f45822e6f3dbc9d1bd7d |