Overview

overview

10

Static

static

10

670d1014ec...9e.exe

windows7-x64

10

670d1014ec...9e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    670d1014ec5713d005f8ddfefc495a9e.exe

  • Size

    47KB

  • MD5

    670d1014ec5713d005f8ddfefc495a9e

  • SHA1

    91362eaf33dc55e4d970fbefbda975be32628d6b

  • SHA256

    70c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd

  • SHA512

    175827b48f35899e89fcbdacd2e98b378b92abc8e7a1c225441f57a46d02fea838104e3d6480a137f401c72e2d7979ff3db7a74d5c52e84a0733246f0fa5384f

  • SSDEEP

    768:EuwpFTAY3IQWUe9jqmo2qLPzXR8myUdPIvfc2C0b2lnNPVPUXHyk/UQsS25BDZ8x:EuwpFTA4/2KRx0vfb9bgnTUXHmpS2nd+

Score
10/10
asyncratredlinedefaultdiamotrixcredential_accessdiscoveryexecutioninfostealerpersistenceratspywarestealerupx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808
Mutex

PWhSiRkcxVoa

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

diamotrix

C2

176.111.174.140:1912

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Start PowerShell.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1184
    • C:\Users\Admin\AppData\Local\Temp\670d1014ec5713d005f8ddfefc495a9e.exe
      "C:\Users\Admin\AppData\Local\Temp\670d1014ec5713d005f8ddfefc495a9e.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp399.tmp.bat""
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2872
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nbevmi.exe"' & exit
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1236
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nbevmi.exe"'
              6⤵
              • Loads dropped DLL
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2632
              • C:\Users\Admin\AppData\Local\Temp\nbevmi.exe
                "C:\Users\Admin\AppData\Local\Temp\nbevmi.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1564
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{65816AE947551497239002}\{65816AE947551497239002}.exe" /sc onstart /f
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2940
                • C:\Windows\system32\relog.exe
                  C:\Windows\system32\relog.exe
                  8⤵
                  • Drops file in Drivers directory
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2956
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "OBuSfAoJg9" /tr "C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2316
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "RXW41U06Uz" /tr "C:\Users\Admin\AppData\Roaming\Identities\Service_Identities.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1476
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "RXW41U06Uz" /tr "C:\Users\Admin\AppData\Roaming\Macromedia\Service_Macromedia.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1584
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "RXW41U06Uz" /tr "C:\Users\Admin\AppData\Roaming\Media Center Programs\Service_Media Center Programs.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2404
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "RXW41U06Uz" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Service_Microsoft.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:980
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "UueBOpDtop" /tr "C:\Users\Admin\AppData\Roaming\Mozilla\Service_Mozilla.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1792
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "UueBOpDtop" /tr "C:\Users\Admin\AppData\Roaming\{65816AE947551497239002}\Service_{65816AE947551497239002}.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3064
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\gipdyp.exe"' & exit
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2380
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\gipdyp.exe"'
              6⤵
              • Loads dropped DLL
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              PID:1748
              • C:\Users\Admin\AppData\Local\Temp\gipdyp.exe
                "C:\Users\Admin\AppData\Local\Temp\gipdyp.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2992
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /xml "C:\Users\Admin\AppData\Roaming\WinZIP_32\version.xml" /tn WPDR\Config_Error\Version /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2840
    • C:\Users\Admin\AppData\Local\Temp\8C0A.tmp.uIZtAux.exe
      "C:\Users\Admin\AppData\Local\Temp\8C0A.tmp.uIZtAux.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2388
    • C:\Users\Admin\AppData\Local\Temp\8F84.tmp.svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\8F84.tmp.svchost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2764
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {96CDD2B8-C5D2-413D-80A0-44024AC92417} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
    1⤵
      PID:1636
      • C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe
        C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2892
      • C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe
        C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1432

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\8C0A.tmp.uIZtAux.exe
      Filesize

      300KB

      MD5

      8d14c4ba7260c61ecde30d97fd3c124a

      SHA1

      f60a7243a5160ff0dd60c37e1de43b81cead3549

      SHA256

      6985ec7f67fabd26633c991be04ce5f899224a56bb078ba186b4be21f9e4714d

      SHA512

      b068decea7ec68d2b4347493d9e4b8cc4fb0c3c5f5ecc2a52be6eb35d28e75d3de1636efe0b67cce825e8d08d3fb82d137b1d6eb1225662fb8c3dff9616dcc4c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab42FB.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar5B4F.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gipdyp.exe
      Filesize

      321KB

      MD5

      6ddd28445b8fc2485cb72f22d1adc936

      SHA1

      403c02d952120aafc6fb659a0ce0b99b1384442c

      SHA256

      d73a9c06d72b25fc9cc1d3883ba52ba949c91297d20f8cff37481d9b442a7ef7

      SHA512

      9abc68fab4c2a37f6cf07e2d1d7baccf26da411969b6dca4508776b9f57e3ed228dbc1a50e6dc4784791bdb86423d1f20c0f4d118c20d23951906a14ebd4682b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nbevmi.exe
      Filesize

      322KB

      MD5

      61c5a8e414a47b8cc2c69e1ac4370a35

      SHA1

      d6d66b31e7ebe3bd032a33fbe35fed2720fae964

      SHA256

      4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b

      SHA512

      b1d732a280ea6f9e0eca5802016292e9c373a6e6d2c48404bbe00eb67a791427945ec3d1998ffdd8bda603adb9ee6c9312cf2976ed3567ab0a2c7f8494079c92

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp399.tmp.bat
      Filesize

      150B

      MD5

      b64ba8ae8b4a374aa1e23fc0c5a0bcb1

      SHA1

      a6c4667bf488577bfb610ab94a489697393113c8

      SHA256

      bfd9b4f57e80c558d88e81cf3aab6f518ce1070d1bbfa6cdf576f74fa61267c2

      SHA512

      0312f2cb61e814889ced651c6589e7b03bf69931244cd11e8447aea0ee25bcc87d02cb1ba9b360c8f6360d9755fc324457443dd621f7547f0449f851c58561ed

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      75abe523562b23a7d707c0345a7d5fa5

      SHA1

      7111287a22984b267ae4bb1bf5b1dab87cf5a4e1

      SHA256

      c9d0f9ce18dffd345a161f4c6a3d263b783a3d7e672bc199357c2727061c4967

      SHA512

      47b10405c76e0a6ff3e0eae4e1e0d5e8990053a020079d98ea3b8f79310ca7293fffab2d384a29f0f91febf750e2427ad5a9ece6603f442d6cab444c1fb78468

      Download Submit

    • C:\Users\Admin\AppData\Roaming\WinZIP_32\version.xml
      Filesize

      1KB

      MD5

      2b29aa25ee90747f05e920706e4dfc4f

      SHA1

      2ec04aa0574178e5b5245362fdb5b1cfbf4ec637

      SHA256

      93e469a8135addc4822f19a7afb7d02baea8242626188ce3e2b039862fc67511

      SHA512

      2a3f6bda5c957eed82b5fdf39bb33d109c68e39a1e096c944bfe725f027757efa87bc44ea037f9baf47426d0335a12639ff67c626aec3fc1c5c430b2efbf44fb

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      47KB

      MD5

      670d1014ec5713d005f8ddfefc495a9e

      SHA1

      91362eaf33dc55e4d970fbefbda975be32628d6b

      SHA256

      70c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd

      SHA512

      175827b48f35899e89fcbdacd2e98b378b92abc8e7a1c225441f57a46d02fea838104e3d6480a137f401c72e2d7979ff3db7a74d5c52e84a0733246f0fa5384f

      Download Submit

    • C:\Windows\System32\drivers\etc\hosts
      Filesize

      1KB

      MD5

      ee9d791fd900430e4d594e5bde5c096a

      SHA1

      25dd0ac5926d1d02bf4c9fe60d5aff6b602c9b7d

      SHA256

      74c6900b084deaf2ac76ee2113cfe73509e751c588707395fa2731e9bc154ccd

      SHA512

      cd1c18139594002e96c7094ff731812d9afb45fb34735731fb65eaecbd7918c2379fa52b8eea551ac9c51589827619f898a9a0ac95ee1ad8c0e94b589403efeb

      Download Submit

    • memory/1184-123-0x0000000002DA0000-0x0000000002DE3000-memory.dmp

      Filesize

      268KB

      Download

    • memory/1184-130-0x0000000002A00000-0x0000000002A16000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1184-128-0x0000000002A00000-0x0000000002A16000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1184-127-0x0000000002E50000-0x0000000002EA7000-memory.dmp

      Filesize

      348KB

      Download

    • memory/1184-125-0x0000000002DA0000-0x0000000002DE3000-memory.dmp

      Filesize

      268KB

      Download

    • memory/1432-205-0x0000000000400000-0x00000000004BC000-memory.dmp

      Filesize

      752KB

      Download

    • memory/1432-206-0x0000000000400000-0x00000000004BC000-memory.dmp

      Filesize

      752KB

      Download

    • memory/1748-167-0x00000000055A0000-0x000000000565C000-memory.dmp

      Filesize

      752KB

      Download

    • memory/2280-11-0x00000000747B0000-0x0000000074E9E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2280-1-0x0000000000300000-0x0000000000312000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2280-2-0x00000000747B0000-0x0000000074E9E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2280-0-0x00000000747BE000-0x00000000747BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-159-0x00000000001E0000-0x0000000000232000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2764-177-0x0000000000400000-0x00000000004BC000-memory.dmp

      Filesize

      752KB

      Download

    • memory/2764-179-0x0000000000400000-0x00000000004BC000-memory.dmp

      Filesize

      752KB

      Download

    • memory/2792-33-0x00000000055E0000-0x0000000005642000-memory.dmp

      Filesize

      392KB

      Download

    • memory/2792-16-0x0000000000C20000-0x0000000000C32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2892-190-0x0000000000400000-0x00000000004BC000-memory.dmp

      Filesize

      752KB

      Download

    • memory/2892-191-0x0000000000400000-0x00000000004BC000-memory.dmp

      Filesize

      752KB

      Download

    • memory/2956-166-0x0000000140000000-0x0000000140056000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2956-61-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2992-182-0x0000000000400000-0x00000000004BC000-memory.dmp

      Filesize

      752KB

      Download

    • memory/2992-169-0x0000000000400000-0x00000000004BC000-memory.dmp

      Filesize

      752KB

      Download