Analysis Overview
SHA256
22e8da397dee6cd3c9cca6d64c9c767dbd044001d549b25150fb2e464e621ec4
Threat Level: Known bad
The file FLASH USDT SENDER.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty
StormKitty payload
Detect Xworm Payload
AsyncRat
Xworm
Async RAT payload
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops desktop.ini file(s)
Looks up external IP address via web service
Looks up geolocation information via web service
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Checks processor information in registry
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-09 21:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 21:47
Reported
2024-07-09 21:57
Platform
win10v2004-20240709-en
Max time kernel
598s
Max time network
598s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender SecurityService = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender SecurityService" | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\crack.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe
"C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe"
C:\Users\Admin\AppData\Roaming\crack.exe
"C:\Users\Admin\AppData\Roaming\crack.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Roaming\windows security.exe
"C:\Users\Admin\AppData\Roaming\windows security.exe"
C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
"C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender SecurityService" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender SecurityService"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA9EC.tmp.cmd""
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 241.185.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
| US | 146.70.34.130:7812 | N/A | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:3389 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/1596-0-0x00007FFE135C3000-0x00007FFE135C5000-memory.dmp
memory/1596-1-0x0000000000560000-0x000000000085C000-memory.dmp
C:\Users\Admin\AppData\Roaming\crack.exe
| MD5 | 9215015740c937980b6b53cee5087769 |
| SHA1 | a0bfe95486944f1548620d4de472c3758e95d36a |
| SHA256 | a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541 |
| SHA512 | 5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | bf0258700fe3cba1282f8d366730283c |
| SHA1 | b666e0d8f243feec6f7c9b2dfbdbe8580d9c5f23 |
| SHA256 | ba3768d532d7b4c9e2e1dea80f1b77d6915304e37a31b2f611895b54a709554a |
| SHA512 | 15e86c289cc85ddc01d9190ee9cb1cd7a7c48986a7ee2ec3336642723160b0fbe59bf4b73d703f88c2c6575c61453adfd2a9a3f8ca431fa979b2fdc6fa72284f |
C:\Users\Admin\AppData\Roaming\windows security.exe
| MD5 | 6cc2340c1306dca521b47a51ce488633 |
| SHA1 | 047fdcfa7c4b349a74fbd9621db9da04406ba921 |
| SHA256 | cc6677190c144f17b6cd8b15861a200b455a662c4112c6bcc79fdcf0ad50d517 |
| SHA512 | 10b2e19942268357cfd7a198d6b02dde13aadf10458bbdfc9f178968937329d7bafdc721ac794d705eb8427f95642a010e3ffb3ed7be05f2d50065752fda64e2 |
memory/640-35-0x0000000000930000-0x0000000000940000-memory.dmp
C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
| MD5 | b7d1773c7e805e0c141e9b078b8a08e9 |
| SHA1 | dfae7bd2a1d082726a9e4cb766741b29a50b4e10 |
| SHA256 | 5233bb99327b627da8114e43f4de4afec77c1ee188ac93171e4651f872f809eb |
| SHA512 | b3a620413b9f6de8d883b0793dda33d0179ec855445f47de9515fa7f08d7b9ebf166457b3402a2c2fa0277e95fb9c959cf0cbdc61e364f977ddeb0f1b676ed07 |
memory/3336-49-0x0000000000920000-0x000000000095E000-memory.dmp
memory/640-48-0x00007FFE135C0000-0x00007FFE14081000-memory.dmp
memory/4952-51-0x0000000000C50000-0x0000000000C58000-memory.dmp
memory/3724-50-0x00000000009D0000-0x0000000000C4C000-memory.dmp
memory/3724-52-0x0000000005640000-0x0000000005886000-memory.dmp
memory/3724-53-0x0000000005920000-0x00000000059BC000-memory.dmp
memory/3724-54-0x00000000070A0000-0x0000000007644000-memory.dmp
memory/3724-55-0x0000000006AF0000-0x0000000006B82000-memory.dmp
memory/3724-57-0x0000000006D20000-0x0000000006D76000-memory.dmp
memory/3724-56-0x00000000058D0000-0x00000000058DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA9EC.tmp.cmd
| MD5 | a3b491587cb0848b11fccfae02f61298 |
| SHA1 | 85336b00f24246df06b742c8adf487db30c07fc9 |
| SHA256 | 0da8533566b3e370d1ae6e759834cc4f317dc0f7392a9e66fb0f611c0a14a567 |
| SHA512 | 226ddab3669fa98890b6a12c9f477fc791537da968ae17748d8d8daeab5d530cf18aa447ea057f7382986064985665952862325c55b103dfc26abbfbec23eac5 |
memory/3336-65-0x00000000056F0000-0x0000000005756000-memory.dmp
C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\System\Process.txt
| MD5 | 38c3b4b093d0f3723a2eecdd42235772 |
| SHA1 | 931d4cd2bc965264c87a457ce656afa2474f3da8 |
| SHA256 | 9908b1f810a166d14c68aa5edee2c3ccd9fc7f80f5f7e65ea1e84842da413285 |
| SHA512 | 5866cf44cfadd82fdf280fdccf68924589bc59b58c0865743fa149c1f32b421d9bfb4019c9f43087aed5884bc8786175a865353aeada40f86d5221647c643934 |
memory/3336-217-0x0000000006350000-0x000000000635A000-memory.dmp
C:\Users\Admin\AppData\Local\bc838b1e8e9e75a1bafee61d9e16f712\msgid.dat
| MD5 | 72e7386cdcbea6f2518dc5c1cc189456 |
| SHA1 | e61084dddd503547a4ba5589839b1755a2e638fe |
| SHA256 | eaa3694b9d80f950078167557333000d734e8f560fc35a1f6f2c29daebafe57a |
| SHA512 | 5b7af94bd30f063ac2765bf0adae7c5946752ed8c8347f088e71d8c42f046b0eee232f5d6b8030688b744538457333a4ebdf07015af81917a83ba517cb7f0b8b |
C:\Users\Admin\AppData\Local\f8f2c6801dc992d24be5fc99bd52cb77\Admin@FIPWTUZL_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
memory/3336-223-0x00000000063E0000-0x00000000063F2000-memory.dmp
memory/640-248-0x00007FFE135C0000-0x00007FFE14081000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 21:47
Reported
2024-07-09 21:57
Platform
win11-20240709-en
Max time kernel
599s
Max time network
602s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender SecurityService = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender SecurityService" | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\crack.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\windows security.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe
"C:\Users\Admin\AppData\Local\Temp\FLASH USDT SENDER.exe"
C:\Users\Admin\AppData\Roaming\crack.exe
"C:\Users\Admin\AppData\Roaming\crack.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Roaming\windows security.exe
"C:\Users\Admin\AppData\Roaming\windows security.exe"
C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
"C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpABEF.tmp.cmd""
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender SecurityService" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender SecurityService"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:3389 | N/A | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 146.70.34.130:7812 | N/A | tcp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
Files
memory/5848-0-0x00007FFD0E0B3000-0x00007FFD0E0B5000-memory.dmp
memory/5848-1-0x0000000000940000-0x0000000000C3C000-memory.dmp
C:\Users\Admin\AppData\Roaming\crack.exe
| MD5 | 9215015740c937980b6b53cee5087769 |
| SHA1 | a0bfe95486944f1548620d4de472c3758e95d36a |
| SHA256 | a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541 |
| SHA512 | 5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | bf0258700fe3cba1282f8d366730283c |
| SHA1 | b666e0d8f243feec6f7c9b2dfbdbe8580d9c5f23 |
| SHA256 | ba3768d532d7b4c9e2e1dea80f1b77d6915304e37a31b2f611895b54a709554a |
| SHA512 | 15e86c289cc85ddc01d9190ee9cb1cd7a7c48986a7ee2ec3336642723160b0fbe59bf4b73d703f88c2c6575c61453adfd2a9a3f8ca431fa979b2fdc6fa72284f |
C:\Users\Admin\AppData\Roaming\windows security.exe
| MD5 | 6cc2340c1306dca521b47a51ce488633 |
| SHA1 | 047fdcfa7c4b349a74fbd9621db9da04406ba921 |
| SHA256 | cc6677190c144f17b6cd8b15861a200b455a662c4112c6bcc79fdcf0ad50d517 |
| SHA512 | 10b2e19942268357cfd7a198d6b02dde13aadf10458bbdfc9f178968937329d7bafdc721ac794d705eb8427f95642a010e3ffb3ed7be05f2d50065752fda64e2 |
memory/1556-35-0x0000000000290000-0x00000000002A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\UFlash Ultimate v3.exe
| MD5 | b7d1773c7e805e0c141e9b078b8a08e9 |
| SHA1 | dfae7bd2a1d082726a9e4cb766741b29a50b4e10 |
| SHA256 | 5233bb99327b627da8114e43f4de4afec77c1ee188ac93171e4651f872f809eb |
| SHA512 | b3a620413b9f6de8d883b0793dda33d0179ec855445f47de9515fa7f08d7b9ebf166457b3402a2c2fa0277e95fb9c959cf0cbdc61e364f977ddeb0f1b676ed07 |
memory/1556-44-0x00007FFD0E0B0000-0x00007FFD0EB72000-memory.dmp
memory/5860-47-0x00000000003C0000-0x00000000003C8000-memory.dmp
memory/656-50-0x00000000007A0000-0x00000000007DE000-memory.dmp
memory/2492-51-0x00000000006B0000-0x000000000092C000-memory.dmp
memory/2492-52-0x00000000053C0000-0x0000000005606000-memory.dmp
memory/2492-53-0x00000000056A0000-0x000000000573C000-memory.dmp
memory/2492-54-0x0000000006E20000-0x00000000073C6000-memory.dmp
memory/2492-55-0x0000000006910000-0x00000000069A2000-memory.dmp
memory/2492-56-0x0000000006880000-0x000000000688A000-memory.dmp
memory/2492-57-0x0000000006AA0000-0x0000000006AF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpABEF.tmp.cmd
| MD5 | b2b10a7747d361324d957f3bb5de69d1 |
| SHA1 | 7e8c16dada7b79cf14cb8859da6e1093fdd945df |
| SHA256 | d58c245db634311c3940e2e27f50ffbb93e68153218bbc696aa136b7b143ba18 |
| SHA512 | 8c7f5147397ef5947b29267a2bac23bd562dff9d2adec4c963158256ef4cd4f7b160e2a6093d59ef9d1143af220e94dfb5ef4d8267954e4a2d4644add5156cfb |
memory/656-63-0x0000000005870000-0x00000000058D6000-memory.dmp
C:\Users\Admin\AppData\Local\8b9028347399d412d7e62dab876a0ba2\Admin@BOBTBVSB_en-US\System\Process.txt
| MD5 | 4790503f99029569815d3cc93d63b48c |
| SHA1 | 66dcb14f14c0b1529e011ea9b74f4d40a4c0c922 |
| SHA256 | ed68e35817030503d82f50e07adb831974a28e8231cd5a21a238c33fd6d65bca |
| SHA512 | 2cc8f61164168ff295bf00107f9e3bb6e2fb14ebe302dd9dbb3e23442fc35d2a5642529c510681088e3c76ee79bb81f397068624f9df7b4da45364df79c3b705 |
memory/656-211-0x00000000063A0000-0x00000000063AA000-memory.dmp
C:\Users\Admin\AppData\Local\29eb23550e208a74a9f0aeaee60bbdd7\msgid.dat
| MD5 | b56a134da854862c93e9a26b7fb5505c |
| SHA1 | 0c38060ffc75acc9c6462b5099253292e477afd9 |
| SHA256 | c27b308e90d328f72860705c9381205d4f1fe0f3e8abdb37d9b9abd315c6c6d0 |
| SHA512 | 158dea31acd9c30ac23dc216a8aa6c1e37db61106341367c0393738cd6f218edb3da38da46ce9787874289497b965349b1837e5b5ee3e5160edf4aa430c54a30 |
memory/656-222-0x0000000007310000-0x0000000007322000-memory.dmp
memory/1556-249-0x00007FFD0E0B0000-0x00007FFD0EB72000-memory.dmp