Analysis

  • max time kernel
    598s
  • max time network
    598s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-07-2024 21:47

General

  • Target

    FLASH USDT SENDER.exe

  • Size

    3.0MB

  • MD5

    512ea77783b034c322b2c0415719681b

  • SHA1

    c50982fdf94ba90c1d986a61558076f829660184

  • SHA256

    22e8da397dee6cd3c9cca6d64c9c767dbd044001d549b25150fb2e464e621ec4

  • SHA512

    67c5a69dbc126303ca5144b7be6d4a1231ece395aad42f6c413076eca3416d1f82633a6b608d9ec7364afab364325fb0b4972d5e6546e99901c44d588f4b9b6c

  • SSDEEP

    49152:Yv0/fgbow5XrKMnp7XIEqQCYJ2JwxQCa3ATKXKmfmzNrFsqSChdgsBoZLMw:Mm4b1PKEJCYJ2Jww36KXfYoChdQZLX

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

C2

146.70.34.130:7812

Mutex

JJiadfedYxUoR5Gx

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 9 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe
    "C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Users\Admin\AppData\Roaming\crack.exe
      "C:\Users\Admin\AppData\Roaming\crack.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4952
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA9EC.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\Windows\SysWOW64\timeout.exe
          timeout 4
          4⤵
          • Delays execution with timeout.exe
          PID:4296
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3336
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3776
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:4596
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            4⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:444
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            4⤵
              PID:5116
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2084
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              4⤵
                PID:1140
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                4⤵
                • Event Triggered Execution: Netsh Helper DLL
                PID:1212
          • C:\Users\Admin\AppData\Roaming\windows security.exe
            "C:\Users\Admin\AppData\Roaming\windows security.exe"
            2⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:640
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender SecurityService" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender SecurityService"
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4444
          • C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
            "C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe"
            2⤵
            • Executes dropped EXE
            PID:3724

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        3
        T1012

        System Information Discovery

        3
        T1082

        Collection

        Data from Local System

        1
        T1005

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpA9EC.tmp.cmd
          Filesize

          151B

          MD5

          a3b491587cb0848b11fccfae02f61298

          SHA1

          85336b00f24246df06b742c8adf487db30c07fc9

          SHA256

          0da8533566b3e370d1ae6e759834cc4f317dc0f7392a9e66fb0f611c0a14a567

          SHA512

          226ddab3669fa98890b6a12c9f477fc791537da968ae17748d8d8daeab5d530cf18aa447ea057f7382986064985665952862325c55b103dfc26abbfbec23eac5

        • C:\Users\Admin\AppData\Local\bc838b1e8e9e75a1bafee61d9e16f712\msgid.dat
          Filesize

          6B

          MD5

          72e7386cdcbea6f2518dc5c1cc189456

          SHA1

          e61084dddd503547a4ba5589839b1755a2e638fe

          SHA256

          eaa3694b9d80f950078167557333000d734e8f560fc35a1f6f2c29daebafe57a

          SHA512

          5b7af94bd30f063ac2765bf0adae7c5946752ed8c8347f088e71d8c42f046b0eee232f5d6b8030688b744538457333a4ebdf07015af81917a83ba517cb7f0b8b

        • C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Browsers\Firefox\Bookmarks.txt
          Filesize

          105B

          MD5

          2e9d094dda5cdc3ce6519f75943a4ff4

          SHA1

          5d989b4ac8b699781681fe75ed9ef98191a5096c

          SHA256

          c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

          SHA512

          d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

        • C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\System\Process.txt
          Filesize

          4KB

          MD5

          38c3b4b093d0f3723a2eecdd42235772

          SHA1

          931d4cd2bc965264c87a457ce656afa2474f3da8

          SHA256

          9908b1f810a166d14c68aa5edee2c3ccd9fc7f80f5f7e65ea1e84842da413285

          SHA512

          5866cf44cfadd82fdf280fdccf68924589bc59b58c0865743fa149c1f32b421d9bfb4019c9f43087aed5884bc8786175a865353aeada40f86d5221647c643934

        • C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
          Filesize

          2.5MB

          MD5

          b7d1773c7e805e0c141e9b078b8a08e9

          SHA1

          dfae7bd2a1d082726a9e4cb766741b29a50b4e10

          SHA256

          5233bb99327b627da8114e43f4de4afec77c1ee188ac93171e4651f872f809eb

          SHA512

          b3a620413b9f6de8d883b0793dda33d0179ec855445f47de9515fa7f08d7b9ebf166457b3402a2c2fa0277e95fb9c959cf0cbdc61e364f977ddeb0f1b676ed07

        • C:\Users\Admin\AppData\Roaming\crack.exe
          Filesize

          8KB

          MD5

          9215015740c937980b6b53cee5087769

          SHA1

          a0bfe95486944f1548620d4de472c3758e95d36a

          SHA256

          a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541

          SHA512

          5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2

        • C:\Users\Admin\AppData\Roaming\svchost.exe
          Filesize

          226KB

          MD5

          bf0258700fe3cba1282f8d366730283c

          SHA1

          b666e0d8f243feec6f7c9b2dfbdbe8580d9c5f23

          SHA256

          ba3768d532d7b4c9e2e1dea80f1b77d6915304e37a31b2f611895b54a709554a

          SHA512

          15e86c289cc85ddc01d9190ee9cb1cd7a7c48986a7ee2ec3336642723160b0fbe59bf4b73d703f88c2c6575c61453adfd2a9a3f8ca431fa979b2fdc6fa72284f

        • C:\Users\Admin\AppData\Roaming\windows security.exe
          Filesize

          42KB

          MD5

          6cc2340c1306dca521b47a51ce488633

          SHA1

          047fdcfa7c4b349a74fbd9621db9da04406ba921

          SHA256

          cc6677190c144f17b6cd8b15861a200b455a662c4112c6bcc79fdcf0ad50d517

          SHA512

          10b2e19942268357cfd7a198d6b02dde13aadf10458bbdfc9f178968937329d7bafdc721ac794d705eb8427f95642a010e3ffb3ed7be05f2d50065752fda64e2

        • memory/640-35-0x0000000000930000-0x0000000000940000-memory.dmp
          Filesize

          64KB

        • memory/640-248-0x00007FFE135C0000-0x00007FFE14081000-memory.dmp
          Filesize

          10.8MB

        • memory/640-48-0x00007FFE135C0000-0x00007FFE14081000-memory.dmp
          Filesize

          10.8MB

        • memory/1596-1-0x0000000000560000-0x000000000085C000-memory.dmp
          Filesize

          3.0MB

        • memory/1596-0-0x00007FFE135C3000-0x00007FFE135C5000-memory.dmp
          Filesize

          8KB

        • memory/3336-65-0x00000000056F0000-0x0000000005756000-memory.dmp
          Filesize

          408KB

        • memory/3336-217-0x0000000006350000-0x000000000635A000-memory.dmp
          Filesize

          40KB

        • memory/3336-223-0x00000000063E0000-0x00000000063F2000-memory.dmp
          Filesize

          72KB

        • memory/3336-49-0x0000000000920000-0x000000000095E000-memory.dmp
          Filesize

          248KB

        • memory/3724-55-0x0000000006AF0000-0x0000000006B82000-memory.dmp
          Filesize

          584KB

        • memory/3724-57-0x0000000006D20000-0x0000000006D76000-memory.dmp
          Filesize

          344KB

        • memory/3724-56-0x00000000058D0000-0x00000000058DA000-memory.dmp
          Filesize

          40KB

        • memory/3724-54-0x00000000070A0000-0x0000000007644000-memory.dmp
          Filesize

          5.6MB

        • memory/3724-53-0x0000000005920000-0x00000000059BC000-memory.dmp
          Filesize

          624KB

        • memory/3724-52-0x0000000005640000-0x0000000005886000-memory.dmp
          Filesize

          2.3MB

        • memory/3724-50-0x00000000009D0000-0x0000000000C4C000-memory.dmp
          Filesize

          2.5MB

        • memory/4952-51-0x0000000000C50000-0x0000000000C58000-memory.dmp
          Filesize

          32KB