Overview

overview

10

Static

static

3

cb22cebed9...26.exe

windows7-x64

10

cb22cebed9...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/06/2024, 01:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe

  • Size

    748KB

  • MD5

    457143901d9ca2f0bc836c1dd1faefe3

  • SHA1

    11e554dcfca0dd51c5bfe92d35b9c13b21b81691

  • SHA256

    cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26

  • SHA512

    0bd04e37e8f3bb869783661972b83ec8fb6b06727eff27374d2855e714b31cd51b15ada8e46d8b09eda9367dd002f65436785b7962f80f5812396aff3c03c0d0

  • SSDEEP

    12288:Ykpcy+P2t8ysP8ZURBmtxjlk/u6ntgJ2E3P0DtaxoisMLHsXxteTX:Ykpcy5tVZqBmTji/PQP0Zaxd5LHxT

Score
10/10
asyncratquasarxwormdefaultslaveexecutionratspywaretrojan

Malware Config

Extracted

Family

xworm

C2

head-experimental.gl.at.ply.gg:46178

best-bird.gl.at.ply.gg:27196

super-nearest.gl.at.ply.gg:17835

wiz.bounceme.net:6000
Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes
  • encryption_key

    ql4fQ8TV9ZFP9vRX2myA

  • install_name

    $sxr~Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $77STARTUP~MSF

  • subdirectory

    $sxr~SubDir

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect Xworm Payload 7 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
    "C:\Users\Admin\AppData\Local\Temp\cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Users\Admin\AppData\Local\Temp\Part1.exe
      "C:\Users\Admin\AppData\Local\Temp\Part1.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part1.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2856
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part1.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3000
    • C:\Users\Admin\AppData\Local\Temp\Part2.exe
      "C:\Users\Admin\AppData\Local\Temp\Part2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Users\Admin\AppData\Local\Temp\Part 1.exe
        "C:\Users\Admin\AppData\Local\Temp\Part 1.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3956
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:884
      • C:\Users\Admin\AppData\Local\Temp\Part 2.exe
        "C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:772
      • C:\Users\Admin\AppData\Local\Temp\Part 3.exe
        "C:\Users\Admin\AppData\Local\Temp\Part 3.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:216
      • C:\Users\Admin\AppData\Local\Temp\Part 4.exe
        "C:\Users\Admin\AppData\Local\Temp\Part 4.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3632
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1972
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4264
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB32E.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1332
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:3136
      • C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
        "C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4392
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:5024

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            62623d22bd9e037191765d5083ce16a3

            SHA1

            4a07da6872672f715a4780513d95ed8ddeefd259

            SHA256

            95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

            SHA512

            9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            1f545274ba19d9199a78f74cd05e8187

            SHA1

            4036cf78d3f310af42963c8f16ae27c5922b5dff

            SHA256

            3b4780cb2e226f4b05643c0b512960e694f21b35bbbe84d5c5e97628e1f8909c

            SHA512

            b0f66a6c32cb7f2f96b51c141ffe7df7f4fd61a792e6a3756f54b6d0df6f48d7a3bda23d46ee1e18a22ac995520fb9c4ca1b444d204bdd8f3e4b8651f59adc0d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            a9451a6b9669d49bd90704dff21beb85

            SHA1

            5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80

            SHA256

            b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056

            SHA512

            06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Part 1.exe
            Filesize

            67KB

            MD5

            092a0c6fe885844fd74947e64e7fc11e

            SHA1

            bfe46f64f36f2e927d862a1a787f146ed2c01219

            SHA256

            91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2

            SHA512

            022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Part 2.exe
            Filesize

            409KB

            MD5

            e10c7425705b2bd3214fa96247ee21c4

            SHA1

            7603536b97ab6337fa023bafcf80579c2b4059e6

            SHA256

            021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4

            SHA512

            47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Part 3.exe
            Filesize

            63KB

            MD5

            27fe9341167a34f606b800303ac54b1f

            SHA1

            86373d218b48361bff1c23ddd08b6ab1803a51d0

            SHA256

            29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d

            SHA512

            05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Part 4.exe
            Filesize

            79KB

            MD5

            1f1b23752df3d29e7604ba52aea85862

            SHA1

            bb582c6cf022098b171c4c9c7318a51de29ebcf4

            SHA256

            4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960

            SHA512

            d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Part1.exe
            Filesize

            74KB

            MD5

            e35a7249966beef31a45272c53e06727

            SHA1

            cc54648f9c9423f7a625e96256c608791b1ab275

            SHA256

            ecb87965ad5fdc76a30721226b1cb8a6263bbbce476a0446ff730b6399022998

            SHA512

            1dc30dc4a690aa87211db37b8fbc152e2e9e2b2554927296ff62bd4d2a7ab542777faaa4752399719cfe816cf3886b3bb4a90539f3f197dedd52298f2a315114

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Part2.exe
            Filesize

            661KB

            MD5

            c47c0d681b491091209c54147c33da81

            SHA1

            58cb51be41aa576ce56d4c16c9c443e70e648f62

            SHA256

            429c5dd3f4af9dcaa0ebaefda12281af7c84b3e3aa05d1034ddf89d2bdefb720

            SHA512

            f3a6f9af783910dd94622bb0408385228dfe322487d9d89c140e2e49b8abbc3b9c9f3cb580635166d1ddf6f5b7feeac51380044cf100476d6994adc7cac6cc5c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
            Filesize

            27KB

            MD5

            4daae2de5a31125d02b057c1ff18d58f

            SHA1

            e1d603edfcc150a4718e2916ae3dda3aa9548dc8

            SHA256

            25510f3aa1b879ea92a3cba9583d73e447b8765bae6dfcc4954bb72df5beaa7f

            SHA512

            7cda96a69f9cddab307f3f08e1f38a4d059f0cc7f7119d4a48891efdb01cf101ebcc06cb2ce0702ea2d689d27ee45faddc0a13cd72503c609c4e544919549a2a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wq4uwbe3.sl3.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmpB32E.tmp.bat
            Filesize

            158B

            MD5

            fa27b2e5118a874708c9f3168cc56c1c

            SHA1

            b55f2f6429f50b144e6468eec989c7a815f5dfd3

            SHA256

            5a67c947e5ea2552960568a02770e18e0a5b839116f4769d6a78b14a4bdde6c8

            SHA512

            dd4048645b1c4113cb6cc14e29af544fcd6182c76777171d815dd044c29cbdbbc11e6bee95820fd40a4b608e9e0f3f9635497dae1b87ed1df0f082117b9f8d8b

            Download Submit

          • memory/216-71-0x0000000000640000-0x0000000000656000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2140-93-0x0000000000C70000-0x0000000000CDC000-memory.dmp

            Filesize

            432KB

            Download

          • memory/2140-104-0x0000000005B90000-0x0000000006134000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2140-170-0x0000000007280000-0x000000000728A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2140-168-0x0000000006B30000-0x0000000006B6C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2140-167-0x00000000066F0000-0x0000000006702000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2140-153-0x0000000005AC0000-0x0000000005B26000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2140-124-0x0000000005720000-0x00000000057B2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/2604-27-0x00000000006E0000-0x000000000078C000-memory.dmp

            Filesize

            688KB

            Download

          • memory/2604-87-0x000000001B300000-0x000000001B4A9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/2604-30-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2604-88-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2856-99-0x0000029B6F190000-0x0000029B6F1B2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2860-44-0x0000000000C70000-0x0000000000C88000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2860-171-0x000000001CFA0000-0x000000001CFAE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3632-173-0x0000000002D40000-0x0000000002D4C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3632-86-0x0000000000CA0000-0x0000000000CBA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4064-0-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4064-26-0x000000001B220000-0x000000001B3C9000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/4064-1-0x0000000000510000-0x00000000005D2000-memory.dmp

            Filesize

            776KB

            Download

          • memory/4392-92-0x00000000004A0000-0x00000000004AE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4392-123-0x0000000000E10000-0x0000000000E20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4448-29-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4448-91-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4448-172-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4448-16-0x00000000004F0000-0x0000000000508000-memory.dmp

            Filesize

            96KB

            Download