Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/08/2024, 01:51

General

  • Target

    cc38fb3ee3227606258b1b9ccba885393d6ed4a54a51aefef30a669cdc171e80.exe

  • Size

    74KB

  • MD5

    4fb681131f7ac7824c4f0afd337986d9

  • SHA1

    c746978c6c091d94f2bbd17b1ad5954c4306bece

  • SHA256

    cc38fb3ee3227606258b1b9ccba885393d6ed4a54a51aefef30a669cdc171e80

  • SHA512

    b5c2c3f6b5fe4845c0462059d9177b0cf56a36fe528745a9ea7f27120fdf2184b44be4dc5195d9e0d98a5a5987b8bc212707b3b4cc5ada9203db61f9859f3868

  • SSDEEP

    1536:EUo0cxhzjBCViPMVXOS0GIkH1b6/20AuQQzcqLVclN:EUlcxhzVCiPMVOkH1b6+/QbBY

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

100 RND

C2

91.92.243.191:5401

Mutex

6871a79e-e4f7-4fb3-ae38-dc20c1d657a0

Attributes
  • delay

    1

  • install

    true

  • install_file

    hyperhostvc.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Async RAT payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser's credential store.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerates installed browsers and their profile information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc38fb3ee3227606258b1b9ccba885393d6ed4a54a51aefef30a669cdc171e80.exe
    "C:\Users\Admin\AppData\Local\Temp\cc38fb3ee3227606258b1b9ccba885393d6ed4a54a51aefef30a669cdc171e80.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "hyperhostvc" /tr '"C:\Users\Admin\AppData\Roaming\hyperhostvc.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4592
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "hyperhostvc" /tr '"C:\Users\Admin\AppData\Roaming\hyperhostvc.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4912
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBF29.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3108
      • C:\Users\Admin\AppData\Roaming\hyperhostvc.exe
        "C:\Users\Admin\AppData\Roaming\hyperhostvc.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:1500
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          4⤵
          • System Network Configuration Discovery: Wi-Fi Discovery
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
              PID:3780
            • C:\Windows\system32\netsh.exe
              netsh wlan show profile
              5⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Network Configuration Discovery: Wi-Fi Discovery
              PID:184
            • C:\Windows\system32\findstr.exe
              findstr All
              5⤵
                PID:4884
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2284
              • C:\Windows\system32\chcp.com
                chcp 65001
                5⤵
                  PID:2792
                • C:\Windows\system32\netsh.exe
                  netsh wlan show networks mode=bssid
                  5⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  PID:1692

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\Process.txt

          Filesize

          2KB

          MD5

          ebeb8fb113b4cbe780d05f579802bdf4

          SHA1

          7c532462cfca2934c9d489ae53475f3efc1162f6

          SHA256

          23bd08d99ec3984f89378acf2cf2579249c4e6fc4651dd0c2c25ceaf3455daa6

          SHA512

          a89590265976b6c2c3ea8dfaa4dc1f2463813883db4cd6b58d06bdc0b43feae8a969048ee91b8575b10f41020846aada4e5620b8c39437be3e863e01f3349f3c

        • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\Process.txt

          Filesize

          3KB

          MD5

          aa8e8d91895bedd68ebd92e4fdba98d7

          SHA1

          754d5d4e8703a879bb34fdc5a6f87cc20a5da645

          SHA256

          a4e7cfe08c6950f8969f420b357fb3b1fca768ee1d6cc496149396694f819f63

          SHA512

          f173c9b1bbd5a09cc8ca798617b9e4eb9c8a5980518fbd7d39d17fe1d6a8d04f4530645af45f30f4e9005b2d3959d59f3878f846ee759a64c26922518e1d24ff

        • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\Process.txt

          Filesize

          4KB

          MD5

          719fa8eea008b806bf52187d774cfeff

          SHA1

          d013e5bd87b59abd66b1274ceb2ac0f91f589eba

          SHA256

          d8a88fd2d2117cdcb4997adb3b42bed0a80b26d79d7cdef96fac7712bf6f4d2b

          SHA512

          41f09541a4e71f3e3573a8c83859f5b0659877e3c02d4bc24e4a6efded6c666f4ce3c459c51466fcc1adf7cc89c7379645500a62956ce9bab7842f88bc79ffd7

        • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\Admin@KZYBFHMK_en-US\System\Process.txt

          Filesize

          808B

          MD5

          a6eb6a2f38594d3347ac508e6cf78eea

          SHA1

          2a57dd9b23388fea70b6ca62c7207c7babba8093

          SHA256

          443a0906bbdc54fa750a24e97be7b6c645eebc18d0924e7efb2a5a72b157893c

          SHA512

          9ebbe2f92e9864b98891ae4446f97d15c0dcd3a15b2a8e6fc5393cd5cf71843169bf42caf0de504882bb7361592c104974d86312525c853c68afbcf080d7f411

        • C:\Users\Admin\AppData\Local\1af02931f6a427a6b6e36285307150c0\msgid.dat

          Filesize

          1B

          MD5

          cfcd208495d565ef66e7dff9f98764da

          SHA1

          b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

          SHA256

          5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

          SHA512

          31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

        • C:\Users\Admin\AppData\Local\Temp\tmpBF29.tmp.bat

          Filesize

          155B

          MD5

          52c89728e34c5a114312669b798fd3a3

          SHA1

          6dd57e3ab4537821fe6fff9f3f8b3f90c1792d16

          SHA256

          0d524331eeafe166fbdedc25680466ac1c92efe860d06eb425a95e0076dfaab6

          SHA512

          9a86068cda179d9179da400682e5d6fe448cba811851050fc914d3882bc37f11eeaf64f231357d11407857f6c28618f33b0de83a86dfae4ddb6a4022adc8989d

        • C:\Users\Admin\AppData\Local\Temp\tmpF72D.tmp.dat

          Filesize

          114KB

          MD5

          242b4242b3c1119f1fb55afbbdd24105

          SHA1

          e1d9c1ed860b67b926fe18206038cd10f77b9c55

          SHA256

          2d0e57c642cc32f10e77a73015075c2d03276dd58689944b01139b2bde8a62a1

          SHA512

          7d1e08dc0cf5e241bcfe3be058a7879b530646726c018bc51cc4821a7a41121bcda6fbfdeeca563e3b6b5e7035bdd717781169c3fdbd2c74933390aa9450c684

        • C:\Users\Admin\AppData\Local\Temp\tmpF740.tmp.dat

          Filesize

          160KB

          MD5

          f310cf1ff562ae14449e0167a3e1fe46

          SHA1

          85c58afa9049467031c6c2b17f5c12ca73bb2788

          SHA256

          e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

          SHA512

          1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

        • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

          Filesize

          8B

          MD5

          cf759e4c5f14fe3eec41b87ed756cea8

          SHA1

          c27c796bb3c2fac929359563676f4ba1ffada1f5

          SHA256

          c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

          SHA512

          c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

        • C:\Users\Admin\AppData\Roaming\hyperhostvc.exe

          Filesize

          74KB

          MD5

          4fb681131f7ac7824c4f0afd337986d9

          SHA1

          c746978c6c091d94f2bbd17b1ad5954c4306bece

          SHA256

          cc38fb3ee3227606258b1b9ccba885393d6ed4a54a51aefef30a669cdc171e80

          SHA512

          b5c2c3f6b5fe4845c0462059d9177b0cf56a36fe528745a9ea7f27120fdf2184b44be4dc5195d9e0d98a5a5987b8bc212707b3b4cc5ada9203db61f9859f3868

        • memory/1500-170-0x000000001D060000-0x000000001D0DA000-memory.dmp

          Filesize

          488KB

        • memory/1500-16-0x000000001C230000-0x000000001C24E000-memory.dmp

          Filesize

          120KB

        • memory/1500-57-0x000000001C150000-0x000000001C172000-memory.dmp

          Filesize

          136KB

        • memory/1500-58-0x000000001C930000-0x000000001CA64000-memory.dmp

          Filesize

          1.2MB

        • memory/1500-59-0x000000001B5B0000-0x000000001B5BA000-memory.dmp

          Filesize

          40KB

        • memory/1500-15-0x00000000026F0000-0x00000000026FE000-memory.dmp

          Filesize

          56KB

        • memory/1500-18-0x000000001C710000-0x000000001C832000-memory.dmp

          Filesize

          1.1MB

        • memory/1500-17-0x0000000002700000-0x000000000270A000-memory.dmp

          Filesize

          40KB

        • memory/1500-14-0x000000001C290000-0x000000001C306000-memory.dmp

          Filesize

          472KB

        • memory/1500-221-0x000000001D210000-0x000000001D312000-memory.dmp

          Filesize

          1.0MB

        • memory/1500-213-0x000000001D110000-0x000000001D194000-memory.dmp

          Filesize

          528KB

        • memory/4832-3-0x00007FFCC73B0000-0x00007FFCC7E71000-memory.dmp

          Filesize

          10.8MB

        • memory/4832-0-0x00007FFCC73B3000-0x00007FFCC73B5000-memory.dmp

          Filesize

          8KB

        • memory/4832-1-0x0000000000A50000-0x0000000000A68000-memory.dmp

          Filesize

          96KB

        • memory/4832-8-0x00007FFCC73B0000-0x00007FFCC7E71000-memory.dmp

          Filesize

          10.8MB