Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
01-07-2024 18:28
General
-
Target
zvgfd-main/Empyrean Removal Tool.exe
-
Size
495KB
-
MD5
0858df720da731fb05cfa980134fa639
-
SHA1
0e5e7bf34494892b20e2ed62cea218ada919361d
-
SHA256
4af251cefa5fbdfb07cff0be7ba01cd6f525099949dac28b5780876a4942d810
-
SHA512
c2f06ec22f57876b4ed168536bba76b7121962bb752d2a244eea3a37b68044837bf4263b5e3812a4ec1cf5b235653b3f389bbeefef89f609ae5af0eb1e847eb9
-
SSDEEP
12288:r6iLGC/KU7T+q1/t5moY4MHJgOvK2xqTCzqkfuxHn:rDVyWT+Y/t0oY4MKiK20T8fux
Malware Config
Extracted
xworm
best-bird.gl.at.ply.gg:27196
super-nearest.gl.at.ply.gg:17835
Extracted
quasar
3.1.5
Slave
stop-largely.gl.at.ply.gg:27116
$Sxr-kl1r656AGsPQksTmi8
-
encryption_key
ql4fQ8TV9ZFP9vRX2myA
-
install_name
$sxr~Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
$77STARTUP~MSF
-
subdirectory
$sxr~SubDir
Extracted
asyncrat
Default
finally-grande.gl.at.ply.gg:25844
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 4 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Async RAT payload 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Empyrean Removal Tool.exe"C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Empyrean Removal Tool.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.exe"C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe"C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\yr4iflnr7uc1.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe"C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\VG521Bu1hkqd.bat" "5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe"C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe"C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe"C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
214B
MD58cda934f09fa222462f567ed79650e75
SHA1a4e98ad2eaf08648f1609eaae5627826da608b28
SHA2560ad5175fc237982f93219f5bdc98efdbe50a8af797f52bc0dba5b15030d5580e
SHA512a1a311e027191eb92b1ab173a1aea65353fd816f2ae66041f040ea5610c5b5eb3d677a69a67b371c06b4a0ebf1fa561488f88cd1bb1e5a2d6776077d4b079a85
-
Filesize
214B
MD5d256dffd26c9a5eb40456785eee8c1ee
SHA15224c62354c02d23dd9b407c095c5a812113be95
SHA256259f9f832dd78be46b20477a5c4976bc55a3fd3a5404206f4a3be37b6d0f1142
SHA5122e8226706456ccb1c5e6957e3f2fcff8563ca244276ee350110a4e175c08665f512f8db124962a92be302e78786b7479b9bf2e9b6446f5effcf78d14f44b0888
-
Filesize
67KB
MD5092a0c6fe885844fd74947e64e7fc11e
SHA1bfe46f64f36f2e927d862a1a787f146ed2c01219
SHA25691431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2
SHA512022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0
-
Filesize
409KB
MD5e10c7425705b2bd3214fa96247ee21c4
SHA17603536b97ab6337fa023bafcf80579c2b4059e6
SHA256021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4
SHA51247e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d
-
Filesize
63KB
MD527fe9341167a34f606b800303ac54b1f
SHA186373d218b48361bff1c23ddd08b6ab1803a51d0
SHA25629e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d
SHA51205b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0
-
Filesize
79KB
MD51f1b23752df3d29e7604ba52aea85862
SHA1bb582c6cf022098b171c4c9c7318a51de29ebcf4
SHA2564834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960
SHA512d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde
-
Filesize
7KB
MD5cd6255064a0b4c1de4e863375fadd588
SHA12f69f9403df6df78463020b3811b250dff6b2d09
SHA2563a282c0ad427489f1b19b23072df916cc4d8e19c2d0f7f636e46262b2f194492
SHA51288c447e22ed3ce12abe64b2d508ac4af863fb8984327a055b52a8c95e92e555eade59e4aa0c367db879c05db1f4bd4bc12e78fc1503bf57ec2a5013a9b6887a9
-
Filesize
656KB
-
Filesize
4KB
-
Filesize
432KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
96KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
88KB
-
Filesize
104KB