Analysis

  • max time kernel
    599s
  • max time network
    602s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-07-2024 21:47

General

  • Target

    FLASH USDT SENDER.exe

  • Size

    3.0MB

  • MD5

    512ea77783b034c322b2c0415719681b

  • SHA1

    c50982fdf94ba90c1d986a61558076f829660184

  • SHA256

    22e8da397dee6cd3c9cca6d64c9c767dbd044001d549b25150fb2e464e621ec4

  • SHA512

    67c5a69dbc126303ca5144b7be6d4a1231ece395aad42f6c413076eca3416d1f82633a6b608d9ec7364afab364325fb0b4972d5e6546e99901c44d588f4b9b6c

  • SSDEEP

    49152:Yv0/fgbow5XrKMnp7XIEqQCYJ2JwxQCa3ATKXKmfmzNrFsqSChdgsBoZLMw:Mm4b1PKEJCYJ2Jww36KXfYoChdQZLX

Malware Config

Extracted

Family

xworm

Version

5.0

C2

146.70.34.130:7812

Mutex

JJiadfedYxUoR5Gx

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe
    "C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5848
    • C:\Users\Admin\AppData\Roaming\crack.exe
      "C:\Users\Admin\AppData\Roaming\crack.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5860
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpABEF.tmp.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Windows\SysWOW64\timeout.exe
          timeout 4
          4⤵
          • Delays execution with timeout.exe
          PID:4032
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3140
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:2088
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            4⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:5496
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            4⤵
              PID:2208
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4848
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              4⤵
                PID:2184
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show networks mode=bssid
                4⤵
                • Event Triggered Execution: Netsh Helper DLL
                PID:5844
          • C:\Users\Admin\AppData\Roaming\windows security.exe
            "C:\Users\Admin\AppData\Roaming\windows security.exe"
            2⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1556
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender SecurityService" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender SecurityService"
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1916
          • C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
            "C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe"
            2⤵
            • Executes dropped EXE
            PID:2492

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        System Information Discovery

        2
        T1082

        Query Registry

        2
        T1012

        Collection

        Data from Local System

        1
        T1005

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\29eb23550e208a74a9f0aeaee60bbdd7\msgid.dat
          Filesize

          6B

          MD5

          b56a134da854862c93e9a26b7fb5505c

          SHA1

          0c38060ffc75acc9c6462b5099253292e477afd9

          SHA256

          c27b308e90d328f72860705c9381205d4f1fe0f3e8abdb37d9b9abd315c6c6d0

          SHA512

          158dea31acd9c30ac23dc216a8aa6c1e37db61106341367c0393738cd6f218edb3da38da46ce9787874289497b965349b1837e5b5ee3e5160edf4aa430c54a30

        • C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\System\Process.txt
          Filesize

          4KB

          MD5

          4790503f99029569815d3cc93d63b48c

          SHA1

          66dcb14f14c0b1529e011ea9b74f4d40a4c0c922

          SHA256

          ed68e35817030503d82f50e07adb831974a28e8231cd5a21a238c33fd6d65bca

          SHA512

          2cc8f61164168ff295bf00107f9e3bb6e2fb14ebe302dd9dbb3e23442fc35d2a5642529c510681088e3c76ee79bb81f397068624f9df7b4da45364df79c3b705

        • C:\Users\Admin\AppData\Local\Temp\tmpABEF.tmp.cmd
          Filesize

          151B

          MD5

          b2b10a7747d361324d957f3bb5de69d1

          SHA1

          7e8c16dada7b79cf14cb8859da6e1093fdd945df

          SHA256

          d58c245db634311c3940e2e27f50ffbb93e68153218bbc696aa136b7b143ba18

          SHA512

          8c7f5147397ef5947b29267a2bac23bd562dff9d2adec4c963158256ef4cd4f7b160e2a6093d59ef9d1143af220e94dfb5ef4d8267954e4a2d4644add5156cfb

        • C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
          Filesize

          2.5MB

          MD5

          b7d1773c7e805e0c141e9b078b8a08e9

          SHA1

          dfae7bd2a1d082726a9e4cb766741b29a50b4e10

          SHA256

          5233bb99327b627da8114e43f4de4afec77c1ee188ac93171e4651f872f809eb

          SHA512

          b3a620413b9f6de8d883b0793dda33d0179ec855445f47de9515fa7f08d7b9ebf166457b3402a2c2fa0277e95fb9c959cf0cbdc61e364f977ddeb0f1b676ed07

        • C:\Users\Admin\AppData\Roaming\crack.exe
          Filesize

          8KB

          MD5

          9215015740c937980b6b53cee5087769

          SHA1

          a0bfe95486944f1548620d4de472c3758e95d36a

          SHA256

          a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541

          SHA512

          5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2

        • C:\Users\Admin\AppData\Roaming\svchost.exe
          Filesize

          226KB

          MD5

          bf0258700fe3cba1282f8d366730283c

          SHA1

          b666e0d8f243feec6f7c9b2dfbdbe8580d9c5f23

          SHA256

          ba3768d532d7b4c9e2e1dea80f1b77d6915304e37a31b2f611895b54a709554a

          SHA512

          15e86c289cc85ddc01d9190ee9cb1cd7a7c48986a7ee2ec3336642723160b0fbe59bf4b73d703f88c2c6575c61453adfd2a9a3f8ca431fa979b2fdc6fa72284f

        • C:\Users\Admin\AppData\Roaming\windows security.exe
          Filesize

          42KB

          MD5

          6cc2340c1306dca521b47a51ce488633

          SHA1

          047fdcfa7c4b349a74fbd9621db9da04406ba921

          SHA256

          cc6677190c144f17b6cd8b15861a200b455a662c4112c6bcc79fdcf0ad50d517

          SHA512

          10b2e19942268357cfd7a198d6b02dde13aadf10458bbdfc9f178968937329d7bafdc721ac794d705eb8427f95642a010e3ffb3ed7be05f2d50065752fda64e2

        • memory/656-63-0x0000000005870000-0x00000000058D6000-memory.dmp
          Filesize

          408KB

        • memory/656-50-0x00000000007A0000-0x00000000007DE000-memory.dmp
          Filesize

          248KB

        • memory/656-222-0x0000000007310000-0x0000000007322000-memory.dmp
          Filesize

          72KB

        • memory/656-211-0x00000000063A0000-0x00000000063AA000-memory.dmp
          Filesize

          40KB

        • memory/1556-44-0x00007FFD0E0B0000-0x00007FFD0EB72000-memory.dmp
          Filesize

          10.8MB

        • memory/1556-249-0x00007FFD0E0B0000-0x00007FFD0EB72000-memory.dmp
          Filesize

          10.8MB

        • memory/1556-35-0x0000000000290000-0x00000000002A0000-memory.dmp
          Filesize

          64KB

        • memory/2492-53-0x00000000056A0000-0x000000000573C000-memory.dmp
          Filesize

          624KB

        • memory/2492-56-0x0000000006880000-0x000000000688A000-memory.dmp
          Filesize

          40KB

        • memory/2492-57-0x0000000006AA0000-0x0000000006AF6000-memory.dmp
          Filesize

          344KB

        • memory/2492-55-0x0000000006910000-0x00000000069A2000-memory.dmp
          Filesize

          584KB

        • memory/2492-54-0x0000000006E20000-0x00000000073C6000-memory.dmp
          Filesize

          5.6MB

        • memory/2492-52-0x00000000053C0000-0x0000000005606000-memory.dmp
          Filesize

          2.3MB

        • memory/2492-51-0x00000000006B0000-0x000000000092C000-memory.dmp
          Filesize

          2.5MB

        • memory/5848-0-0x00007FFD0E0B3000-0x00007FFD0E0B5000-memory.dmp
          Filesize

          8KB

        • memory/5848-1-0x0000000000940000-0x0000000000C3C000-memory.dmp
          Filesize

          3.0MB

        • memory/5860-47-0x00000000003C0000-0x00000000003C8000-memory.dmp
          Filesize

          32KB