Overview

overview

10

Static

static

10

zvgfd-main...iz.bat

windows7-x64

1

zvgfd-main...iz.bat

windows10-2004-x64

1

zvgfd-main...lt.exe

windows7-x64

zvgfd-main...lt.exe

windows10-2004-x64

zvgfd-main/Client.bat

windows7-x64

8

zvgfd-main/Client.bat

windows10-2004-x64

10

zvgfd-main...lt.exe

windows7-x64

zvgfd-main...lt.exe

windows10-2004-x64

zvgfd-main... .exe

windows7-x64

10

zvgfd-main... .exe

windows10-2004-x64

10

zvgfd-main...ol.exe

windows7-x64

10

zvgfd-main...ol.exe

windows10-2004-x64

10

zvgfd-main...ol.exe

windows7-x64

10

zvgfd-main...ol.exe

windows10-2004-x64

10

Exculsion/...dec.js

windows7-x64

3

Exculsion/...dec.js

windows10-2004-x64

3

zvgfd-main...ve.bat

windows7-x64

8

zvgfd-main...ve.bat

windows10-2004-x64

10

zvgfd-main...ve.exe

windows7-x64

10

zvgfd-main...ve.exe

windows10-2004-x64

10

zvgfd-main...V2.exe

windows7-x64

10

zvgfd-main...V2.exe

windows10-2004-x64

10

zvgfd-main...ll.exe

windows7-x64

5

zvgfd-main...ll.exe

windows10-2004-x64

zvgfd-main...up.exe

windows10-2004-x64

8

zvgfd-main/Output.exe

windows7-x64

3

zvgfd-main/Output.exe

windows10-2004-x64

10

zvgfd-main/Part 1.bat

windows7-x64

8

zvgfd-main/Part 1.bat

windows10-2004-x64

10

zvgfd-main...om.exe

windows7-x64

1

zvgfd-main...om.exe

windows10-2004-x64

1

zvgfd-main...er.exe

windows7-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 18:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    zvgfd-main/Empyrean Removal Tool.exe

  • Size

    633KB

  • MD5

    0079fab4268be36298a113b2979d70d7

  • SHA1

    804a7ace22a2785ac517b3c5325aea96d96231cf

  • SHA256

    33b4200a51c4ddd324dcfae8edb0a53a4bce3f1ad32ab882a0160af319f66900

  • SHA512

    cd8b523714a074fbd88fc726302b908c192c06f81ac4d1c46effa7fba162ff3289322d3a6f4764709914e081efde1d95a2358f80ea99817de98eade452462fb4

  • SSDEEP

    12288:2MH/IGvJlRawMnSG6BeogdLcuVipiKgn0leY8GbMyj8bExHwVaAWHjsXf:2MfI60wnG6YRdLbVipc0leY8GbMkj

Score
10/10
asyncratquasarxwormdefaultslaveexecutionratspywaretrojan

Malware Config

Extracted

Family

xworm

C2

best-bird.gl.at.ply.gg:27196

super-nearest.gl.at.ply.gg:17835

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes
  • encryption_key

    ql4fQ8TV9ZFP9vRX2myA

  • install_name

    $sxr~Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $77STARTUP~MSF

  • subdirectory

    $sxr~SubDir

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect Xworm Payload 4 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Empyrean Removal Tool.exe
    "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Empyrean Removal Tool.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.exe
      "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:280
    • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe
      "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2344
    • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe
      "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
    • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe
      "C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1008
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 1.exe
    Filesize

    67KB

    MD5

    092a0c6fe885844fd74947e64e7fc11e

    SHA1

    bfe46f64f36f2e927d862a1a787f146ed2c01219

    SHA256

    91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2

    SHA512

    022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 2.exe
    Filesize

    409KB

    MD5

    e10c7425705b2bd3214fa96247ee21c4

    SHA1

    7603536b97ab6337fa023bafcf80579c2b4059e6

    SHA256

    021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4

    SHA512

    47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 3.exe
    Filesize

    63KB

    MD5

    27fe9341167a34f606b800303ac54b1f

    SHA1

    86373d218b48361bff1c23ddd08b6ab1803a51d0

    SHA256

    29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d

    SHA512

    05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zvgfd-main\Part 4.exe
    Filesize

    79KB

    MD5

    1f1b23752df3d29e7604ba52aea85862

    SHA1

    bb582c6cf022098b171c4c9c7318a51de29ebcf4

    SHA256

    4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960

    SHA512

    d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    18e9eef29fc55ae62acfa11b343acb6d

    SHA1

    3923014b5a5121c1ec1288139ae74786b081ba75

    SHA256

    9b4f10b66f52e03143e62aa01c5aa261a8cd84ccaba1c8ac8c78125b58c856e4

    SHA512

    7cd8ff65ad0d68d27dd654c9aba334630a4c0e4a5f06db6e156c9525703002d533b293560e2ad1f032fe7922af1feaa8ac68e94040842cb4f064ff4083a3149e

    Download Submit

  • memory/280-42-0x0000000002040000-0x0000000002048000-memory.dmp

    Filesize

    32KB

    Download

  • memory/280-41-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1120-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1120-1-0x0000000000E10000-0x0000000000EB4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/1892-34-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1892-35-0x0000000002810000-0x0000000002818000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2120-27-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2120-28-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2120-9-0x0000000000B70000-0x0000000000B88000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2120-70-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2120-71-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2680-26-0x0000000000CE0000-0x0000000000D4C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2848-21-0x0000000000DF0000-0x0000000000E06000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3004-25-0x0000000000ED0000-0x0000000000EEA000-memory.dmp

    Filesize

    104KB

    Download