Analysis
Max time kernel: 599s
Max time network: 602s
Platform: windows11-21h2_x64
Resource: win11-20240709-en
Resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 09-07-2024 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: FLASH USDT SENDER.exe
  Resource: win10v2004-20240709-en
Behavioral task: behavioral2
  Sample: FLASH USDT SENDER.exe
  Resource: win11-20240709-en
General
Target: FLASH USDT SENDER.exe
Size: 3.0MB
MD5: 512ea77783b034c322b2c0415719681b
SHA1: c50982fdf94ba90c1d986a61558076f829660184
SHA256: 22e8da397dee6cd3c9cca6d64c9c767dbd044001d549b25150fb2e464e621ec4
SHA512: 67c5a69dbc126303ca5144b7be6d4a1231ece395aad42f6c413076eca3416d1f82633a6b608d9ec7364afab364325fb0b4972d5e6546e99901c44d588f4b9b6c
SSDEEP: 49152:Yv0/fgbow5XrKMnp7XIEqQCYJ2JwxQCa3ATKXKmfmzNrFsqSChdgsBoZLMw:Mm4b1PKEJCYJ2Jww36KXfYoChdQZLX
Malware Config
Extracted: xworm
  Version: 5.0
  C2: 146.70.34.130:7812
  Mutex: JJiadfedYxUoR5Gx
  Install_directory: %AppData%
  install_file: USB.exe
  telegram: https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996
Extracted: asyncrat
  Botnet: Default
  C2: 127.0.0.1:6606
  C2: 127.0.0.1:7707
  C2: 127.0.0.1:8808
  https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996
  Mutex: AsyncMutex_6SI8OkPnk
  delay: 3
  install: false
  install_folder: %AppData%
Signatures
-
Detect Xworm Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\windows security.exe | family_xworm
behavioral2/memory/1556-35-0x0000000000290000-0x00000000002A0000-memory.dmp | family_xworm
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\svchost.exe | family_stormkitty
behavioral2/memory/656-50-0x00000000007A0000-0x00000000007DE000-memory.dmp | family_stormkitty
-
Async RAT payload (1 IoC)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\svchost.exe | family_asyncrat
-
Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk | windows security.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk | windows security.exe
-
Executes dropped EXE (4 IoCs)
Processes:
pid | process
5860 | crack.exe
656 | svchost.exe
1556 | windows security.exe
2492 | UFlash Ultimate v3.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender SecurityService = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender SecurityService" | windows security.exe
-
Drops desktop.ini file(s) (8 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | svchost.exe
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | icanhazip.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | svchost.exe
-
Delays execution with timeout.exe (1 IoC)
Processes:
pid | process
4032 | timeout.exe
-
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid | process
1556 | windows security.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
1556 | windows security.exe
656 | svchost.exe
(All 64 entries are repeats of these two rows.)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
1556 | windows security.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1556 | windows security.exe
Token: SeDebugPrivilege | 656 | svchost.exe
Token: SeDebugPrivilege | 5860 | crack.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
1556 | windows security.exe
-
Suspicious use of WriteProcessMemory (40 IoCs)
Processes:
description | pid | process | target process
PID 5848 wrote to memory of 5860 (3 entries) | 5848 | FLASH USDT SENDER.exe | crack.exe
PID 5848 wrote to memory of 656 (3 entries) | 5848 | FLASH USDT SENDER.exe | svchost.exe
PID 5848 wrote to memory of 1556 (2 entries) | 5848 | FLASH USDT SENDER.exe | windows security.exe
PID 5848 wrote to memory of 2492 (3 entries) | 5848 | FLASH USDT SENDER.exe | UFlash Ultimate v3.exe
PID 5860 wrote to memory of 2152 (3 entries) | 5860 | crack.exe | cmd.exe
PID 2152 wrote to memory of 4032 (3 entries) | 2152 | cmd.exe | timeout.exe
PID 1556 wrote to memory of 1916 (2 entries) | 1556 | windows security.exe | schtasks.exe
PID 656 wrote to memory of 3140 (3 entries) | 656 | svchost.exe | cmd.exe
PID 3140 wrote to memory of 2088 (3 entries) | 3140 | cmd.exe | chcp.com
PID 3140 wrote to memory of 5496 (3 entries) | 3140 | cmd.exe | netsh.exe
PID 3140 wrote to memory of 2208 (3 entries) | 3140 | cmd.exe | findstr.exe
PID 656 wrote to memory of 4848 (3 entries) | 656 | svchost.exe | cmd.exe
PID 4848 wrote to memory of 2184 (3 entries) | 4848 | cmd.exe | chcp.com
PID 4848 wrote to memory of 5844 (3 entries) | 4848 | cmd.exe | netsh.exe
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\crack.exe
    Command line: "C:\Users\Admin\AppData\Roaming\crack.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpABEF.tmp.cmd""
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 4
        - Delays execution with timeout.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show profile
        - Event Triggered Execution: Netsh Helper DLL
      C:\Windows\SysWOW64\findstr.exe
        Command line: findstr All
    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\chcp.com
        Command line: chcp 65001
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh wlan show networks mode=bssid
        - Event Triggered Execution: Netsh Helper DLL
  C:\Users\Admin\AppData\Roaming\windows security.exe
    Command line: "C:\Users\Admin\AppData\Roaming\windows security.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender SecurityService" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender SecurityService"
      - Scheduled Task/Job: Scheduled Task
  C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
    Command line: "C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe"
    - Executes dropped EXE
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
C:\Users\Admin\AppData\Local\29eb23550e208a74a9f0aeaee60bbdd7\msgid.dat (6B)
C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\System\Process.txt (4KB)
C:\Users\Admin\AppData\Local\Temp\tmpABEF.tmp.cmd (151B)
C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe (2.5MB)
C:\Users\Admin\AppData\Roaming\crack.exe (8KB)
C:\Users\Admin\AppData\Roaming\svchost.exe (226KB)
C:\Users\Admin\AppData\Roaming\windows security.exe (42KB)
memory/656-63-0x0000000005870000-0x00000000058D6000-memory.dmp (408KB)
memory/656-50-0x00000000007A0000-0x00000000007DE000-memory.dmp (248KB)
memory/656-222-0x0000000007310000-0x0000000007322000-memory.dmp (72KB)
memory/656-211-0x00000000063A0000-0x00000000063AA000-memory.dmp (40KB)
memory/1556-44-0x00007FFD0E0B0000-0x00007FFD0EB72000-memory.dmp (10.8MB)
memory/1556-249-0x00007FFD0E0B0000-0x00007FFD0EB72000-memory.dmp (10.8MB)
memory/1556-35-0x0000000000290000-0x00000000002A0000-memory.dmp (64KB)
memory/2492-53-0x00000000056A0000-0x000000000573C000-memory.dmp (624KB)
memory/2492-56-0x0000000006880000-0x000000000688A000-memory.dmp (40KB)
memory/2492-57-0x0000000006AA0000-0x0000000006AF6000-memory.dmp (344KB)
memory/2492-55-0x0000000006910000-0x00000000069A2000-memory.dmp (584KB)
memory/2492-54-0x0000000006E20000-0x00000000073C6000-memory.dmp (5.6MB)
memory/2492-52-0x00000000053C0000-0x0000000005606000-memory.dmp (2.3MB)
memory/2492-51-0x00000000006B0000-0x000000000092C000-memory.dmp (2.5MB)
memory/5848-0-0x00007FFD0E0B3000-0x00007FFD0E0B5000-memory.dmp (8KB)
memory/5848-1-0x0000000000940000-0x0000000000C3C000-memory.dmp (3.0MB)
memory/5860-47-0x00000000003C0000-0x00000000003C8000-memory.dmp (32KB)