Analysis
max time kernel: 598s
max time network: 598s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-07-2024 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: FLASH USDT SENDER.exe
  Resource: win10v2004-20240709-en
Behavioral task: behavioral2
  Sample: FLASH USDT SENDER.exe
  Resource: win11-20240709-en
General
Target: FLASH USDT SENDER.exe
Size: 3.0MB
MD5: 512ea77783b034c322b2c0415719681b
SHA1: c50982fdf94ba90c1d986a61558076f829660184
SHA256: 22e8da397dee6cd3c9cca6d64c9c767dbd044001d549b25150fb2e464e621ec4
SHA512: 67c5a69dbc126303ca5144b7be6d4a1231ece395aad42f6c413076eca3416d1f82633a6b608d9ec7364afab364325fb0b4972d5e6546e99901c44d588f4b9b6c
SSDEEP: 49152:Yv0/fgbow5XrKMnp7XIEqQCYJ2JwxQCa3ATKXKmfmzNrFsqSChdgsBoZLMw:Mm4b1PKEJCYJ2Jww36KXfYoChdQZLX
Malware Config
Extracted
Family: asyncrat
Botnet: Default
C2:
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  delay: 3
  install: false
  install_folder: %AppData%
Extracted
Family: xworm
Version: 5.0
C2: 146.70.34.130:7812
Mutex: JJiadfedYxUoR5Gx
Attributes:
  Install_directory: %AppData%
  install_file: USB.exe
  telegram: https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\windows security.exe | family_xworm
behavioral1/memory/640-35-0x0000000000930000-0x0000000000940000-memory.dmp | family_xworm
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\svchost.exe | family_stormkitty
behavioral1/memory/3336-49-0x0000000000920000-0x000000000095E000-memory.dmp | family_stormkitty
-
Async RAT payload 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\svchost.exe | family_asyncrat
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | FLASH USDT SENDER.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | windows security.exe
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk | windows security.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk | windows security.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
4952 | crack.exe
3336 | svchost.exe
640 | windows security.exe
3724 | UFlash Ultimate v3.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender SecurityService = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender SecurityService" | windows security.exe
-
Drops desktop.ini file(s) 9 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | svchost.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
14 | icanhazip.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
4296 | timeout.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
640 | windows security.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
pid | process
640 | windows security.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
3336 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 640 | windows security.exe
Token: SeDebugPrivilege | 3336 | svchost.exe
Token: SeDebugPrivilege | 4952 | crack.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
640 | windows security.exe
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
description | pid | process | target process
PID 1596 wrote to memory of 4952 | 1596 | FLASH USDT SENDER.exe | crack.exe
PID 1596 wrote to memory of 4952 | 1596 | FLASH USDT SENDER.exe | crack.exe
PID 1596 wrote to memory of 4952 | 1596 | FLASH USDT SENDER.exe | crack.exe
PID 1596 wrote to memory of 3336 | 1596 | FLASH USDT SENDER.exe | svchost.exe
PID 1596 wrote to memory of 3336 | 1596 | FLASH USDT SENDER.exe | svchost.exe
PID 1596 wrote to memory of 3336 | 1596 | FLASH USDT SENDER.exe | svchost.exe
PID 1596 wrote to memory of 640 | 1596 | FLASH USDT SENDER.exe | windows security.exe
PID 1596 wrote to memory of 640 | 1596 | FLASH USDT SENDER.exe | windows security.exe
PID 1596 wrote to memory of 3724 | 1596 | FLASH USDT SENDER.exe | UFlash Ultimate v3.exe
PID 1596 wrote to memory of 3724 | 1596 | FLASH USDT SENDER.exe | UFlash Ultimate v3.exe
PID 1596 wrote to memory of 3724 | 1596 | FLASH USDT SENDER.exe | UFlash Ultimate v3.exe
PID 640 wrote to memory of 4444 | 640 | windows security.exe | schtasks.exe
PID 640 wrote to memory of 4444 | 640 | windows security.exe | schtasks.exe
PID 4952 wrote to memory of 3512 | 4952 | crack.exe | cmd.exe
PID 4952 wrote to memory of 3512 | 4952 | crack.exe | cmd.exe
PID 4952 wrote to memory of 3512 | 4952 | crack.exe | cmd.exe
PID 3512 wrote to memory of 4296 | 3512 | cmd.exe | timeout.exe
PID 3512 wrote to memory of 4296 | 3512 | cmd.exe | timeout.exe
PID 3512 wrote to memory of 4296 | 3512 | cmd.exe | timeout.exe
PID 3336 wrote to memory of 3776 | 3336 | svchost.exe | cmd.exe
PID 3336 wrote to memory of 3776 | 3336 | svchost.exe | cmd.exe
PID 3336 wrote to memory of 3776 | 3336 | svchost.exe | cmd.exe
PID 3776 wrote to memory of 4596 | 3776 | cmd.exe | chcp.com
PID 3776 wrote to memory of 4596 | 3776 | cmd.exe | chcp.com
PID 3776 wrote to memory of 4596 | 3776 | cmd.exe | chcp.com
PID 3776 wrote to memory of 444 | 3776 | cmd.exe | netsh.exe
PID 3776 wrote to memory of 444 | 3776 | cmd.exe | netsh.exe
PID 3776 wrote to memory of 444 | 3776 | cmd.exe | netsh.exe
PID 3776 wrote to memory of 5116 | 3776 | cmd.exe | findstr.exe
PID 3776 wrote to memory of 5116 | 3776 | cmd.exe | findstr.exe
PID 3776 wrote to memory of 5116 | 3776 | cmd.exe | findstr.exe
PID 3336 wrote to memory of 2084 | 3336 | svchost.exe | cmd.exe
PID 3336 wrote to memory of 2084 | 3336 | svchost.exe | cmd.exe
PID 3336 wrote to memory of 2084 | 3336 | svchost.exe | cmd.exe
PID 2084 wrote to memory of 1140 | 2084 | cmd.exe | chcp.com
PID 2084 wrote to memory of 1140 | 2084 | cmd.exe | chcp.com
PID 2084 wrote to memory of 1140 | 2084 | cmd.exe | chcp.com
PID 2084 wrote to memory of 1212 | 2084 | cmd.exe | netsh.exe
PID 2084 wrote to memory of 1212 | 2084 | cmd.exe | netsh.exe
PID 2084 wrote to memory of 1212 | 2084 | cmd.exe | netsh.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation and depth number show the parent/child relationship in the process tree)
(depth 1) C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Roaming\crack.exe
    Command line: "C:\Users\Admin\AppData\Roaming\crack.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA9EC.tmp.cmd""
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 4
        - Delays execution with timeout.exe
  (depth 2) C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
      (depth 4) C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show profile
        - Event Triggered Execution: Netsh Helper DLL
      (depth 4) C:\Windows\SysWOW64\findstr.exe
        Command line: findstr All
    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
      (depth 4) C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show networks mode=bssid
        - Event Triggered Execution: Netsh Helper DLL
  (depth 2) C:\Users\Admin\AppData\Roaming\windows security.exe
    Command line: "C:\Users\Admin\AppData\Roaming\windows security.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender SecurityService" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender SecurityService"
      - Scheduled Task/Job: Scheduled Task
  (depth 2) C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
    Command line: "C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Event Triggered Execution: 1
    Netsh Helper DLL: 1
  Scheduled Task/Job: 1
    Scheduled Task: 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpA9EC.tmp.cmd
Filesize: 151B
MD5: a3b491587cb0848b11fccfae02f61298
SHA1: 85336b00f24246df06b742c8adf487db30c07fc9
SHA256: 0da8533566b3e370d1ae6e759834cc4f317dc0f7392a9e66fb0f611c0a14a567
SHA512: 226ddab3669fa98890b6a12c9f477fc791537da968ae17748d8d8daeab5d530cf18aa447ea057f7382986064985665952862325c55b103dfc26abbfbec23eac5
-
C:\Users\Admin\AppData\Local\bc838b1e8e9e75a1bafee61d9e16f712\msgid.dat
Filesize: 6B
MD5: 72e7386cdcbea6f2518dc5c1cc189456
SHA1: e61084dddd503547a4ba5589839b1755a2e638fe
SHA256: eaa3694b9d80f950078167557333000d734e8f560fc35a1f6f2c29daebafe57a
SHA512: 5b7af94bd30f063ac2765bf0adae7c5946752ed8c8347f088e71d8c42f046b0eee232f5d6b8030688b744538457333a4ebdf07015af81917a83ba517cb7f0b8b
-
C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Browsers\Firefox\Bookmarks.txt
Filesize: 105B
MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\System\Process.txt
Filesize: 4KB
MD5: 38c3b4b093d0f3723a2eecdd42235772
SHA1: 931d4cd2bc965264c87a457ce656afa2474f3da8
SHA256: 9908b1f810a166d14c68aa5edee2c3ccd9fc7f80f5f7e65ea1e84842da413285
SHA512: 5866cf44cfadd82fdf280fdccf68924589bc59b58c0865743fa149c1f32b421d9bfb4019c9f43087aed5884bc8786175a865353aeada40f86d5221647c643934
-
C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
Filesize: 2.5MB
MD5: b7d1773c7e805e0c141e9b078b8a08e9
SHA1: dfae7bd2a1d082726a9e4cb766741b29a50b4e10
SHA256: 5233bb99327b627da8114e43f4de4afec77c1ee188ac93171e4651f872f809eb
SHA512: b3a620413b9f6de8d883b0793dda33d0179ec855445f47de9515fa7f08d7b9ebf166457b3402a2c2fa0277e95fb9c959cf0cbdc61e364f977ddeb0f1b676ed07
-
C:\Users\Admin\AppData\Roaming\crack.exe
Filesize: 8KB
MD5: 9215015740c937980b6b53cee5087769
SHA1: a0bfe95486944f1548620d4de472c3758e95d36a
SHA256: a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA512: 5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2
-
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize: 226KB
MD5: bf0258700fe3cba1282f8d366730283c
SHA1: b666e0d8f243feec6f7c9b2dfbdbe8580d9c5f23
SHA256: ba3768d532d7b4c9e2e1dea80f1b77d6915304e37a31b2f611895b54a709554a
SHA512: 15e86c289cc85ddc01d9190ee9cb1cd7a7c48986a7ee2ec3336642723160b0fbe59bf4b73d703f88c2c6575c61453adfd2a9a3f8ca431fa979b2fdc6fa72284f
-
C:\Users\Admin\AppData\Roaming\windows security.exe
Filesize: 42KB
MD5: 6cc2340c1306dca521b47a51ce488633
SHA1: 047fdcfa7c4b349a74fbd9621db9da04406ba921
SHA256: cc6677190c144f17b6cd8b15861a200b455a662c4112c6bcc79fdcf0ad50d517
SHA512: 10b2e19942268357cfd7a198d6b02dde13aadf10458bbdfc9f178968937329d7bafdc721ac794d705eb8427f95642a010e3ffb3ed7be05f2d50065752fda64e2
-
memory/640-35-0x0000000000930000-0x0000000000940000-memory.dmp
Filesize: 64KB
-
memory/640-248-0x00007FFE135C0000-0x00007FFE14081000-memory.dmp
Filesize: 10.8MB
-
memory/640-48-0x00007FFE135C0000-0x00007FFE14081000-memory.dmp
Filesize: 10.8MB
-
memory/1596-1-0x0000000000560000-0x000000000085C000-memory.dmp
Filesize: 3.0MB
-
memory/1596-0-0x00007FFE135C3000-0x00007FFE135C5000-memory.dmp
Filesize: 8KB
-
memory/3336-65-0x00000000056F0000-0x0000000005756000-memory.dmp
Filesize: 408KB
-
memory/3336-217-0x0000000006350000-0x000000000635A000-memory.dmp
Filesize: 40KB
-
memory/3336-223-0x00000000063E0000-0x00000000063F2000-memory.dmp
Filesize: 72KB
-
memory/3336-49-0x0000000000920000-0x000000000095E000-memory.dmp
Filesize: 248KB
-
memory/3724-55-0x0000000006AF0000-0x0000000006B82000-memory.dmp
Filesize: 584KB
-
memory/3724-57-0x0000000006D20000-0x0000000006D76000-memory.dmp
Filesize: 344KB
-
memory/3724-56-0x00000000058D0000-0x00000000058DA000-memory.dmp
Filesize: 40KB
-
memory/3724-54-0x00000000070A0000-0x0000000007644000-memory.dmp
Filesize: 5.6MB
-
memory/3724-53-0x0000000005920000-0x00000000059BC000-memory.dmp
Filesize: 624KB
-
memory/3724-52-0x0000000005640000-0x0000000005886000-memory.dmp
Filesize: 2.3MB
-
memory/3724-50-0x00000000009D0000-0x0000000000C4C000-memory.dmp
Filesize: 2.5MB
-
memory/4952-51-0x0000000000C50000-0x0000000000C58000-memory.dmp
Filesize: 32KB