Overview

overview

10

Static

static

3

License Ac...ms.exe

windows7-x64

10

License Ac...ms.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    14s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    23-08-2024 13:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    License Activator Brute Cams.exe

  • Size

    2.1MB

  • MD5

    58acdc2f6ce279ffae7f09e73159f2fa

  • SHA1

    2f4f864e499cadefef4cef6dcb999d2a74184e08

  • SHA256

    d86c55ca0d9ab94d9e4e67a7781e933e940d41dd9c8e793272a4eb86548fb012

  • SHA512

    6cb9144a84a72bff80bf7ea8a35487807ab55f99ae25ec3e684b5626cf8af209b341495cd091cfbbe1976d92621938ed2558c9213bdcb5282140ff66b2c6d03a

  • SSDEEP

    49152:jhj9o/Ac0XrZdl2xeC2cZZcbythCBERaO2vun0jihwPH:jToxijC9ZZiy7zUO2vk0jiSPH

Score
10/10
asyncratstormkittydefaultcredential_accessdiscoverypersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7181778686:AAEMnbtaOsmS5ffJlFMYeA9BDuB8mvZ6F8U/sendMessage?chat_id=6528052400
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\License Activator Brute Cams.exe
    "C:\Users\Admin\AppData\Local\Temp\License Activator Brute Cams.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\Activator Svs.exe
      "C:\Users\Admin\AppData\Local\Temp\Activator Svs.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:2144
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1976
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:2012
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2556
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2156
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:752
    • C:\Users\Admin\AppData\Local\Temp\hfs.exe
      "C:\Users\Admin\AppData\Local\Temp\hfs.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      PID:2336

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Activator Svs.exe
    Filesize

    233KB

    MD5

    98a009db64d4ebc11087234c7347ba61

    SHA1

    5a350ba68f9e90f1df324dba99db7b1ade047d5a

    SHA256

    d2487832d14d57e6894924305e7032e6f534b186e6e48774467c505f84d91c05

    SHA512

    4b6cdc8f265e0db9293590c00b6c4ecdc27198a647e6d136fe161296e3bd030ca62de87f2f4ed3e4a9d9fd61e1b0f5a4bdc8ae9257fcaa88e6d3a3d95647cc37

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hfs.exe
    Filesize

    4.8MB

    MD5

    a52fc9a9bec7f0ed12ed90da1d964714

    SHA1

    4e18854ed1658ce891b2c08877b511c81c4ba666

    SHA256

    cdba1b96718f1538cb31247514ef3d3cfa4eb7e8640016503b7d19cdb0173995

    SHA512

    9a5d1180f076bbfe1a2f581885d8640347ef9eefe7d9c45c610384f5cbb72933a1da5acd4aed3922b3a94d73e3fc65f93b0db911e274e544dfb240a72945062a

    Download Submit

  • memory/1732-100-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1732-1-0x0000000000030000-0x0000000000256000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1732-0-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1732-14-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1732-98-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1732-99-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2336-16-0x0000000000410000-0x0000000000411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2336-15-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2336-103-0x0000000000400000-0x0000000000968000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2336-101-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3064-17-0x00000000740EE000-0x00000000740EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3064-21-0x00000000740E0000-0x00000000747CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3064-102-0x00000000740EE000-0x00000000740EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3064-13-0x0000000000A70000-0x0000000000AB0000-memory.dmp

    Filesize

    256KB

    Download