Overview

overview

10

Static

static

10

Server.exe

windows7-x64

10

Server.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-09-2024 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Server.exe

  • Size

    920KB

  • MD5

    df9eddff9512b4eff624b492bdb8c791

  • SHA1

    aa4623f25c3aa1687cc38b179246ae5874ee017f

  • SHA256

    3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59

  • SHA512

    d5abd0dade4229cda769b5c365dc37e0c2511683b2bd77f6b6bcc1541870280c642a0e24862d8afccff991b346b1fe5a8484328ea3af24acec1c6527253ac91e

  • SSDEEP

    12288:4MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9niwQiKDKqaAs:4nsJ39LyjbJkQFMhmC+6GD9nhKeFf

Score
10/10
asyncratstormkittydefaultcredential_accessdiscoverymacropersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7409950713:AAGOgqTx-C_IXW4TMVH0D3NzyJW8XztSM_c/sendMessage?chat_id=6059920057
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 9 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

    macro
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 11 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1964
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:1516
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3000
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1944
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2472
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          • Suspicious use of WriteProcessMemory
          PID:1620
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
            • System Location Discovery: System Language Discovery
            PID:612
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:2128
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2520
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2968
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show networks mode=bssid
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:1960
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    920KB

    MD5

    df9eddff9512b4eff624b492bdb8c791

    SHA1

    aa4623f25c3aa1687cc38b179246ae5874ee017f

    SHA256

    3ec383f0398d15c4b3f3d7c57bb916523dbafb4929503b4c4adca987b27d1d59

    SHA512

    d5abd0dade4229cda769b5c365dc37e0c2511683b2bd77f6b6bcc1541870280c642a0e24862d8afccff991b346b1fe5a8484328ea3af24acec1c6527253ac91e

    Download Submit

  • C:\Users\Admin\AppData\Local\7c3a51e796a8b0a55008c41db0b4f1d4\msgid.dat
    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

    Download Submit

  • C:\Users\Admin\AppData\Local\94a674e90bfc3b8719f7078a6f09e079\Admin@WOUOSVRD_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gh3LBOuL.xlsm
    Filesize

    31KB

    MD5

    a332adc12b9282f49a3c5f4c74598469

    SHA1

    09125af29f967c50bfcd6f04aac37f4defa5a81d

    SHA256

    0386012900da33fee086953a41030666b0339ab1ab2bde40af536460aa586069

    SHA512

    45789114d8042aaffa26b896fb3d04954b9e02b5bb188bfa5f78211932fb69e888f3bbd8d152d0c02a97fe5637e5947522da30bf2ca393b56d21086a5f97a31e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gh3LBOuL.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gh3LBOuL.xlsm
    Filesize

    29KB

    MD5

    4436d931a6a2aa3da0790177bd3b1df5

    SHA1

    2f0fb379a35cea66abca6ec2dce56082bd1dd177

    SHA256

    dec4574aea0755985ab1a42d748465e35b9e09a66ac130e422cd8aab52f59031

    SHA512

    41d5e6a2828fdafbb2be29379c97b31b511e931edbdda14d4e0baac9fab96f2281746ddd4b20c91e0186c99524bb02b127b16bdbde2de421cfd34cc44bdc71f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gh3LBOuL.xlsm
    Filesize

    24KB

    MD5

    65b1b438f0737f24f917420d821b577d

    SHA1

    cc1a1cd0d0fd263e59fed0363b5d1fa55693ebbd

    SHA256

    0d86aefd134aac6ca70184c45ea37df07b7bd844b20181c321dcce0ac462d3ad

    SHA512

    44c68c20dbe2b0cebff3cb98f60441b25a93738094911bf314b162832cbcf538d0b7dde92abae3e8fcf59cd516da31fb29fa89ee985b0fa1db7c3463439f8318

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gh3LBOuL.xlsm
    Filesize

    26KB

    MD5

    3bcedac63f50131755f0daba069b4a26

    SHA1

    de96ea65216b55a04fb7370bda4293659e9c38d8

    SHA256

    85e4e03603edcb9262563e291afe051e84cc1284628efd3fd0441e996c6e8148

    SHA512

    3d47a73ac3cb2b22e09ba4bb2d59e547d1c2c49ded3fadab11186c29e9d387a3c403bb706201990b24d08e2a801eabae5c8f3aa25d1ce9265a72599ef640f7cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gh3LBOuL.xlsm
    Filesize

    28KB

    MD5

    eadeab8a60688e8b5be451b005895c44

    SHA1

    2309dc6bcf268d770903ee3118ece0c8dc5d97bb

    SHA256

    4d6a9b3bd13b4057969542051dc6a46e64dd3d14c8d9760bebe7690f94b45dbc

    SHA512

    3d8018f71b30e3bad3a672f8a1ad2fbd3e1cc234021514e44fb80dbb9a143a824f4e20bc2a7298150c3c564df7838ce8c454ee59139bfcbdfcb0b7a0e4d6d3f8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\places.raw
    Filesize

    5.0MB

    MD5

    8691a71035e8ba85d578cb944c864a93

    SHA1

    4bf9b4ee3c56798a001ba56e80f14f4a23e21385

    SHA256

    1a1c0276d17e3a92faca1511e99fdceaa7f7c389dbb7e476e6d908466ce0a26d

    SHA512

    d3b18883d070a38c4abf7a060460f99f23ee5e2a08081275e324b4b2bd3c76368b80db433b8c58fd8fc69dc148216ce5acf534ba57e486bc7a7a057baac93bf4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpBAF8.tmp.dat
    Filesize

    148KB

    MD5

    90a1d4b55edf36fa8b4cc6974ed7d4c4

    SHA1

    aba1b8d0e05421e7df5982899f626211c3c4b5c1

    SHA256

    7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

    SHA512

    ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpBAFA.tmp.dat
    Filesize

    92KB

    MD5

    e248975fcae2fff4649630d9421bd44e

    SHA1

    283f382e83b0767a0cd6b2d54bce3c1c315c60d6

    SHA256

    2e7470ccd25b6d7e9606f29643dbda3e3a4ef3f0575b2d074986c80cf8b148d2

    SHA512

    9bd5cf49a7773811d72be905cc8dfc2310f82899553c6f598a52b5dc261fc26191462855fdba8b3a83c8a317faed71a1a134df83f338c6c9442ee792cdf7428f

    Download Submit

  • C:\Users\Admin\Desktop\~$WatchGrant.xlsx
    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

    Download Submit

  • \Users\Admin\AppData\Local\Temp\._cache_Server.exe
    Filesize

    175KB

    MD5

    33d7934b7f436cde6b5f374c179fd228

    SHA1

    0b985932346e625934f2100eab2f62406897dfdf

    SHA256

    f262e3910d40c694d77b77aa4bc9a62abdb0394efed57fab03dd86834c333c96

    SHA512

    501454fdb67cc44ce136bedc3fdc0594bb684ebdca9593e2d462f4c553b6a2efd0874e33963c0ee4e4cef64752c1b4ec3869188b85cb08066c74ffcb85f740b3

    Download Submit

  • memory/2248-29-0x0000000000AF0000-0x0000000000B22000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2260-26-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/2260-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2584-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2712-200-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/2712-275-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/2712-293-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/2712-322-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/2748-38-0x0000000000FC0000-0x0000000000FF2000-memory.dmp

    Filesize

    200KB

    Download