Overview

overview

10

Static

static

10

70c6d55593...fd.exe

windows7-x64

10

70c6d55593...fd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    30-07-2024 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd.exe

  • Size

    47KB

  • MD5

    670d1014ec5713d005f8ddfefc495a9e

  • SHA1

    91362eaf33dc55e4d970fbefbda975be32628d6b

  • SHA256

    70c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd

  • SHA512

    175827b48f35899e89fcbdacd2e98b378b92abc8e7a1c225441f57a46d02fea838104e3d6480a137f401c72e2d7979ff3db7a74d5c52e84a0733246f0fa5384f

  • SSDEEP

    768:EuwpFTAY3IQWUe9jqmo2qLPzXR8myUdPIvfc2C0b2lnNPVPUXHyk/UQsS25BDZ8x:EuwpFTA4/2KRx0vfb9bgnTUXHmpS2nd+

Score
10/10
asyncratredlinedefaultdiamotrixcredential_accessdiscoveryexecutioninfostealerpersistenceratspywarestealerupx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808
Mutex

PWhSiRkcxVoa

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

redline

Botnet

diamotrix

C2

176.111.174.140:1912

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\70c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd.exe
      "C:\Users\Admin\AppData\Local\Temp\70c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2312
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF5A5.tmp.bat""
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2852
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3004
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jurakd.exe"' & exit
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1944
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jurakd.exe"'
              6⤵
              • Loads dropped DLL
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2556
              • C:\Users\Admin\AppData\Local\Temp\jurakd.exe
                "C:\Users\Admin\AppData\Local\Temp\jurakd.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1632
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{6FC1442C7E003158821099}\{6FC1442C7E003158821099}.exe" /sc onstart /f
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2076
                • C:\Windows\system32\relog.exe
                  C:\Windows\system32\relog.exe
                  8⤵
                  • Drops file in Drivers directory
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2832
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "0Zhco0aPIL" /tr "C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2700
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "0Zhco0aPIL" /tr "C:\Users\Admin\AppData\Roaming\Identities\Service_Identities.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1172
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "0Zhco0aPIL" /tr "C:\Users\Admin\AppData\Roaming\Macromedia\Service_Macromedia.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:944
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "0Zhco0aPIL" /tr "C:\Users\Admin\AppData\Roaming\Media Center Programs\Service_Media Center Programs.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1724
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "0Zhco0aPIL" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Service_Microsoft.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1740
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "0Zhco0aPIL" /tr "C:\Users\Admin\AppData\Roaming\Mozilla\Service_Mozilla.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1332
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /tn "0Zhco0aPIL" /tr "C:\Users\Admin\AppData\Roaming\{6FC1442C7E003158821099}\Service_{6FC1442C7E003158821099}.exe" /sc onstart /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:284
    • C:\Users\Admin\AppData\Local\Temp\11CC.tmp.uIZtAux.exe
      "C:\Users\Admin\AppData\Local\Temp\11CC.tmp.uIZtAux.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2032
    • C:\Users\Admin\AppData\Local\Temp\37A5.tmp.svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\37A5.tmp.svchost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2716
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /xml "C:\Users\Admin\AppData\Roaming\WinZIP_32\version.xml" /tn WPDR\Config_Error\Version /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2788
    • C:\Users\Admin\AppData\Local\Temp\6328.tmp.zbi.exe
      "C:\Users\Admin\AppData\Local\Temp\6328.tmp.zbi.exe"
      2⤵
      • Executes dropped EXE
      PID:356
    • C:\Users\Admin\AppData\Local\Temp\2EB1.tmp.sahyu.exe
      "C:\Users\Admin\AppData\Local\Temp\2EB1.tmp.sahyu.exe"
      2⤵
        PID:2616
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {582F080B-F198-49B2-9E50-7AEE5CB1905B} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
      1⤵
        PID:1388
        • C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe
          C:\Users\Admin\AppData\Roaming\WinZIP_32\servisis.exe
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2004

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      2
      T1552

      Credentials In Files

      2
      T1552.001

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\11CC.tmp.uIZtAux.exe
        Filesize

        300KB

        MD5

        8d14c4ba7260c61ecde30d97fd3c124a

        SHA1

        f60a7243a5160ff0dd60c37e1de43b81cead3549

        SHA256

        6985ec7f67fabd26633c991be04ce5f899224a56bb078ba186b4be21f9e4714d

        SHA512

        b068decea7ec68d2b4347493d9e4b8cc4fb0c3c5f5ecc2a52be6eb35d28e75d3de1636efe0b67cce825e8d08d3fb82d137b1d6eb1225662fb8c3dff9616dcc4c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2EB1.tmp.sahyu.exe
        Filesize

        547KB

        MD5

        839450f0064947f1e7795de285ced509

        SHA1

        1c0e072859b68237b4cd108aab9080bd4d3b1547

        SHA256

        6569ec5cded72fa46470b29596a710f6003e0945318ce84f01102ffab5a1b084

        SHA512

        cf31946e9ee0743ad9ff47395fb52df96e8df35cf6e4f88ca764971ca4a042e1aed472dc2a004f645dfaf45127a341ccfc2936cc1d409bd9b00e2efc2a9bfe21

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\37A5.tmp.svchost.exe
        Filesize

        321KB

        MD5

        6ddd28445b8fc2485cb72f22d1adc936

        SHA1

        403c02d952120aafc6fb659a0ce0b99b1384442c

        SHA256

        d73a9c06d72b25fc9cc1d3883ba52ba949c91297d20f8cff37481d9b442a7ef7

        SHA512

        9abc68fab4c2a37f6cf07e2d1d7baccf26da411969b6dca4508776b9f57e3ed228dbc1a50e6dc4784791bdb86423d1f20c0f4d118c20d23951906a14ebd4682b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CabDB63.tmp
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\TarFB55.tmp
        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jurakd.exe
        Filesize

        322KB

        MD5

        61c5a8e414a47b8cc2c69e1ac4370a35

        SHA1

        d6d66b31e7ebe3bd032a33fbe35fed2720fae964

        SHA256

        4da3bff89fc796886ca615a29a2595c4109f86fff2a9e699ea1036195719cb3b

        SHA512

        b1d732a280ea6f9e0eca5802016292e9c373a6e6d2c48404bbe00eb67a791427945ec3d1998ffdd8bda603adb9ee6c9312cf2976ed3567ab0a2c7f8494079c92

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpF5A5.tmp.bat
        Filesize

        151B

        MD5

        a3292113d8c13d6aa5018c7357cd9395

        SHA1

        20e4d7e74de4c63574513299a28a25860358ed22

        SHA256

        bc5c36dd157c0d13e447556dfb6fe8647883466a0d3fb14eb858bc619090f068

        SHA512

        5ec80984d926c7149b17b1d67e2b5f14743c6df71d32695c3e5784fa9fff7f5f3199d13adeaabd9618fd69ba17cd58d8e1252e1177d852463a49f59c7c86fa8d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\WinZIP_32\version.xml
        Filesize

        1KB

        MD5

        2b29aa25ee90747f05e920706e4dfc4f

        SHA1

        2ec04aa0574178e5b5245362fdb5b1cfbf4ec637

        SHA256

        93e469a8135addc4822f19a7afb7d02baea8242626188ce3e2b039862fc67511

        SHA512

        2a3f6bda5c957eed82b5fdf39bb33d109c68e39a1e096c944bfe725f027757efa87bc44ea037f9baf47426d0335a12639ff67c626aec3fc1c5c430b2efbf44fb

        Download Submit

      • C:\Windows\System32\drivers\etc\hosts
        Filesize

        1KB

        MD5

        ee9d791fd900430e4d594e5bde5c096a

        SHA1

        25dd0ac5926d1d02bf4c9fe60d5aff6b602c9b7d

        SHA256

        74c6900b084deaf2ac76ee2113cfe73509e751c588707395fa2731e9bc154ccd

        SHA512

        cd1c18139594002e96c7094ff731812d9afb45fb34735731fb65eaecbd7918c2379fa52b8eea551ac9c51589827619f898a9a0ac95ee1ad8c0e94b589403efeb

        Download Submit

      • \Users\Admin\AppData\Local\Temp\2EB1.tmp.sahyu.exe
        Filesize

        960KB

        MD5

        0e097ef8e4fe52e39f0c87b8711bf6a3

        SHA1

        a4c30e6e4f697efa6ae3e4ba154c995ed471bee0

        SHA256

        ffa4fff79236786b450ad74312e7d691847b5e01fe5c97abfc63e3658f3b036c

        SHA512

        c8a3d13b0ae8c7a10e14db10f9cacf992e8feab4b9ffc54a18c25caf75c7cb1cfc01a026c5bd057f0460f304e1946b182891d3a9f0b399457f27e97830baa5fd

        Download Submit

      • \Users\Admin\AppData\Local\Temp\6328.tmp.zbi.exe
        Filesize

        5.2MB

        MD5

        0534ab10184891cd61d262bfd79b7b4c

        SHA1

        a13d37959a92bc37f4d3c42eb53d77cc760f448a

        SHA256

        191272e200345dcb0a7a8c8c975a8b07847f07b9d9f0c3af472fdb88092aee0b

        SHA512

        381af090cc87f2f2b8583c28a164f8f2e978c2bdffe3161d37fa30e38c5e026b90ae5f45dd13f9ded8ee207e4694abf2a58256deb8986ec11d802b7578f6be9d

        Download Submit

      • \Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        47KB

        MD5

        670d1014ec5713d005f8ddfefc495a9e

        SHA1

        91362eaf33dc55e4d970fbefbda975be32628d6b

        SHA256

        70c6d555938fdc95c03f98a7a3a37b607d1dce623663479082c5b9514caa04fd

        SHA512

        175827b48f35899e89fcbdacd2e98b378b92abc8e7a1c225441f57a46d02fea838104e3d6480a137f401c72e2d7979ff3db7a74d5c52e84a0733246f0fa5384f

        Download Submit

      • memory/1200-133-0x0000000004210000-0x0000000004267000-memory.dmp

        Filesize

        348KB

        Download

      • memory/1200-126-0x0000000002570000-0x0000000002586000-memory.dmp

        Filesize

        88KB

        Download

      • memory/1200-124-0x0000000002570000-0x0000000002586000-memory.dmp

        Filesize

        88KB

        Download

      • memory/1200-131-0x0000000004130000-0x0000000004173000-memory.dmp

        Filesize

        268KB

        Download

      • memory/1200-129-0x0000000004130000-0x0000000004173000-memory.dmp

        Filesize

        268KB

        Download

      • memory/2004-168-0x0000000000400000-0x00000000004BC000-memory.dmp

        Filesize

        752KB

        Download

      • memory/2004-167-0x0000000000400000-0x00000000004BC000-memory.dmp

        Filesize

        752KB

        Download

      • memory/2032-140-0x0000000000940000-0x0000000000992000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2088-2-0x0000000074B20000-0x000000007520E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2088-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2088-12-0x0000000074B20000-0x000000007520E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2088-1-0x00000000010D0000-0x00000000010E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2716-147-0x0000000000400000-0x00000000004BC000-memory.dmp

        Filesize

        752KB

        Download

      • memory/2716-161-0x0000000000400000-0x00000000004BC000-memory.dmp

        Filesize

        752KB

        Download

      • memory/2832-141-0x0000000140000000-0x0000000140056000-memory.dmp

        Filesize

        344KB

        Download

      • memory/2832-62-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3004-34-0x00000000043B0000-0x0000000004412000-memory.dmp

        Filesize

        392KB

        Download

      • memory/3004-173-0x0000000005120000-0x0000000005188000-memory.dmp

        Filesize

        416KB

        Download

      • memory/3004-16-0x00000000002E0000-0x00000000002F2000-memory.dmp

        Filesize

        72KB

        Download