Overview

overview

10

Static

static

3

build.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    23s
  • max time network
    16s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08/10/2024, 20:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    build.exe

  • Size

    6.7MB

  • MD5

    28ef4cb352cfe60d068b08f677f3689f

  • SHA1

    1efb5e55b13e15ed534c711efee79c62e36c8eea

  • SHA256

    60837ecb4271e7348591ab1d8ee69dabf9071677694fb024493497af43855f25

  • SHA512

    ec16acce2053d91f835c31aa453a4415b281fc041e1d4a23fe90631bc2acaf6c9bf6531f0332e2cf954660ac01d0e3f031c64e74988e06bee0d332814acc639c

  • SSDEEP

    98304:XStzEq9xypvogUuuhDYbkqKTU5QgFFgG6INdOzs:WnTY84QuuG6INys

Score
10/10
asyncratstormkittydiscoverypersistenceratstealer

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5256
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4952
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2004
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp54A.tmp.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4440
        • C:\Users\Admin\AppData\Roaming\Wihnup.exe
          "C:\Users\Admin\AppData\Roaming\Wihnup.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4268
  • C:\Windows\System32\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5372

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp54A.tmp.bat
    Filesize

    149B

    MD5

    31bd6755e4c1256344eb3e2906c87b26

    SHA1

    25f7d1a3c4bbbbce946bc910ecef2e8762794220

    SHA256

    c18e7f0ee9e701ab2d1cdf67aeee4dadf858b400c56963e492689b987e7877f9

    SHA512

    bde99ecafc96a63977f239a3ae44995d770699e25cc1852a3b1353d2a556b95b855092b9f8c9aef9e4b0e37471a920d2dba47a56681c60c983413c29f882dcf4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Wihnup.exe
    Filesize

    2.0MB

    MD5

    749b60ea8762b3bc3494906fd7025497

    SHA1

    1694340ab9fbe2692a95d9b18575c6959b01c7e9

    SHA256

    4458132afc157ed1943f0fee08fb8dce30b46eca73ac07c45026378b47d8be64

    SHA512

    f5879f5b113f2c32e97245f28d6a2a7d1bbacdcd367146c1afdee6e8854b766be45ac2da34bad646cc780f957d95e0033f9ec8831d27fdadc7a6fd50c5002021

    Download Submit

  • memory/4952-20-0x0000000000EE0000-0x000000000112A000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4952-24-0x0000000005E10000-0x00000000063B6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5256-22-0x0000000000400000-0x0000000000B22000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/5256-0-0x0000000000400000-0x0000000000B22000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/5256-14-0x0000000000400000-0x0000000000B22000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/5256-21-0x0000000000400000-0x0000000000B22000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/5256-23-0x0000000000400000-0x0000000000B22000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/5256-18-0x0000000000400000-0x0000000000B22000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/5256-19-0x0000000000400000-0x0000000000B22000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/5256-15-0x0000000000514000-0x000000000052D000-memory.dmp

    Filesize

    100KB

    Download

  • memory/5256-17-0x0000000000400000-0x0000000000B22000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/5372-12-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5372-8-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5372-7-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5372-9-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5372-10-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5372-11-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5372-13-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5372-2-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5372-1-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5372-3-0x000001C6BD950000-0x000001C6BD951000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.