Resubmissions

12-10-2024 17:33

241012-v4xynasdmd 10

12-10-2024 17:30

241012-v3arqswhjr 3

12-10-2024 16:44

241012-t8t7wszgnf 10

12-10-2024 16:40

241012-t6l4havbqn 10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2024 16:44

General

  • Target

    https://files-ld.s3.us-east-2.amazonaws.com/client.zip

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

New

C2

147.185.221.19:22240

Mutex

komvqogocxtmko

Attributes
  • delay

    1

  • install

    true

  • install_file

    new.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://files-ld.s3.us-east-2.amazonaws.com/client.zip
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9b00dcc40,0x7ff9b00dcc4c,0x7ff9b00dcc58
      2⤵
        PID:1228
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,18328928783070375891,3722680833881844453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:2
        2⤵
          PID:4256
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,18328928783070375891,3722680833881844453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
          2⤵
            PID:2912
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,18328928783070375891,3722680833881844453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:8
            2⤵
              PID:2572
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,18328928783070375891,3722680833881844453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
              2⤵
                PID:1520
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,18328928783070375891,3722680833881844453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
                2⤵
                  PID:4964
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,18328928783070375891,3722680833881844453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
                  2⤵
                    PID:4160
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3900,i,18328928783070375891,3722680833881844453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
                    2⤵
                      PID:2356
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5148,i,18328928783070375891,3722680833881844453,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1116 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4836
                  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                    1⤵
                      PID:672
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                      1⤵
                        PID:3164
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:4560
                        • C:\Users\Admin\Downloads\client\Client.exe
                          "C:\Users\Admin\Downloads\client\Client.exe"
                          1⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2396
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "new" /tr '"C:\Users\Admin\AppData\Roaming\new.exe"' & exit
                            2⤵
                              PID:2292
                              • C:\Windows\system32\schtasks.exe
                                schtasks /create /f /sc onlogon /rl highest /tn "new" /tr '"C:\Users\Admin\AppData\Roaming\new.exe"'
                                3⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:3052
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp601C.tmp.bat""
                              2⤵
                                PID:4616
                                • C:\Windows\system32\timeout.exe
                                  timeout 3
                                  3⤵
                                  • Delays execution with timeout.exe
                                  PID:3440
                                • C:\Users\Admin\AppData\Roaming\new.exe
                                  "C:\Users\Admin\AppData\Roaming\new.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4892
                            • C:\Users\Admin\Downloads\client\Client.exe
                              "C:\Users\Admin\Downloads\client\Client.exe"
                              1⤵
                                PID:2008

                              Network

                              MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

                                Filesize

                                34KB

                                MD5

                                487a9d6044844f9addd0a2379b2ced05

                                SHA1

                                873d6b1ba9a4712295faf82ab138e32746f58d1d

                                SHA256

                                99ff4121626b82849bdacb05e73c4fd747e6853eb3e96e3aec57bb1b8153ce1d

                                SHA512

                                6b46ccb475c810e79b4605a3b49aa6bd955d80b851dd16ea71064cf03b65efacd804d725d4aa717669b2d3fe3c55ed0656d50ad74c8d091b233e6dd96a203cd2

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                Filesize

                                2KB

                                MD5

                                e8519c905369ad8045032187e1181f3f

                                SHA1

                                a197b2b0766fa5f09d90426a43c96807b95ea49b

                                SHA256

                                5731349a8ee5eca98c2666aee2de1c9801d75a38a09d90987cc0ec61277e2ab2

                                SHA512

                                eba6c0b2e5ee4aec4c04998f3eb4dae643118263d757d31489f81cb4228042945ccab4df01b6770ab2460742aefadab9460dbe801e10cfa088a8f57967f8ac0b

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                Filesize

                                2B

                                MD5

                                d751713988987e9331980363e24189ce

                                SHA1

                                97d170e1550eee4afc0af065b78cda302a97674c

                                SHA256

                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                SHA512

                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                8KB

                                MD5

                                ab08368b5483b5498bb8d89fd447a5e0

                                SHA1

                                4eba96d34e5f4b6f198c6b8f4af5e2933e3d0306

                                SHA256

                                32981f32385c046aca788cb861efb85d967dba0f6f4610839eb02ec337b7c1eb

                                SHA512

                                5102001cbde32cd4ab62b8f50059d1cbc511b2a5d68774622588914c19f098bdff8c7b11d1a56f40185b6c38356ecb3c972e5f6ad05295fd224572f1986e5a25

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                8KB

                                MD5

                                1b6f958e91f0d35837f7a5464cecf6fe

                                SHA1

                                f681803d8c9a2affcebf9804c3a2d18147ab17bf

                                SHA256

                                21dc79e5eebcdeab32e180ef1c97319b3f9fcaf2d7eaa5a7887876091cb8c624

                                SHA512

                                d79f98470d37aa66f50880372a070ddff8d5b22cc4198fb15a5fb35f6d7ee37573a157640351b6abaa204072ba9d6f5205685e88548abe2932bd23ea5070ce54

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                8KB

                                MD5

                                8bea118025fecdf52d698ff200a28f07

                                SHA1

                                3f2fd4468f71210f9adf3d6f637decd8f73d6fdd

                                SHA256

                                a11c3c958431a291d79725b928e7704bcad380a5a693054ef8a1a7bee2184688

                                SHA512

                                64c3857028c8a05811d3ee3fba595ce1549635e276bbc5f6ce3d62867397bdf05cac709571d914538c25fa9e392a7ffe9ac79742cbf03d38daa2f5c6bb15c680

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                8KB

                                MD5

                                877c6ee3c9112fee0f917f8aff6a0c32

                                SHA1

                                a7d9291eaa5b0d3763f3f86f4bbfa37c69b5c740

                                SHA256

                                6f249ceb882d62d72440497a4233b6d3d70d7f31dd567616ecbee0c71378a25e

                                SHA512

                                2e7c84033a9c35b8b18cb93a8b7ee857ac1bfc61cc46a79d2d0a68edf9444c08c7c20f85f2092e6f3f6aa4f10c4af23c9626e255d82e3720324fe19d14054dec

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                8KB

                                MD5

                                5598c077cd5f92c9a4bb6d9facadde59

                                SHA1

                                93de6f0763c5a94a17181a9523c2f0de5a9fbaa3

                                SHA256

                                6bf534423b07189cda9551fc86cb234bb6271ed0dce4a5d0e25602e6bb75cd30

                                SHA512

                                569c24f173928e454901aa3b56023d0c78f607ded596c7f53b49a6580aa9968f009e6de75366807e1595f81a2237b361df281edfc15cfac654e772387a4e5b12

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                8KB

                                MD5

                                71582c3a110c4b96c7b7d50a1abd0802

                                SHA1

                                99b2196814d10e008437b89fd4e90c7440e5187c

                                SHA256

                                b81ea2e9dd4b6665f6e6a607de6d574e279185060afcad75efba2c0cc5d1e4a7

                                SHA512

                                a8566e2024dbdc228ce9a8c8518afaf61817dfe63b2109c8004b15a37f222336ecaa088f0b67667582a44ead0c2fcdd75e121ac1bcf4b49b62e8b82e83368849

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                8KB

                                MD5

                                793c4acdaf81751b25cdb37d0968773b

                                SHA1

                                470a94fb19c3dc88fb26d22b5b8e4a17716e19bd

                                SHA256

                                c68d731b71b3a8b2b8fb41c5ee80fddab4433dd42cfd99a28bfa0d2dd798b743

                                SHA512

                                492fd4a94162be08d1cd36d708752c14b33f09cf625cd21f637ddd769111e376f6dd56d18aa86353e2e1c0ac41ef92ce4d8d4c1d85e3bc43f9056fcc5219e611

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                8KB

                                MD5

                                dca1045a4b23d7dc6e3b414642c1c175

                                SHA1

                                8e8a4a27f1da7d696c2e8e408a9e53791a63b7ce

                                SHA256

                                8dd22b4b04d0df640d81814a392ea0bb506358e46f0edd16e5afd6b0faf06132

                                SHA512

                                ea2464972f720ae0e6dc57db11b9b270dc4873d3ed017111dfd2ce93702b557e034ae138cd9b810ff2f1562094a02054d122c53be73c1f1a2453b3b5b65d8b87

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                8KB

                                MD5

                                9dc320ba431ce178c4abac7d63ba9857

                                SHA1

                                89a97d949e98d93ceb95cb3abf6c8d6458169eae

                                SHA256

                                2414aa3e240514d8199c4e4c079dc95a1d6231b50a7d8b46af82f864a9291e65

                                SHA512

                                ff8d44087f5f330e27d1fa56ec671d275266e9091ac30a6a63b7958958d823206b85e313f6aa498586b7c5702ff36e2811f049c47a2a0794432a3f029cad2181

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                8KB

                                MD5

                                cc8d566953a93c86d076ff6e943f8c25

                                SHA1

                                7aec70739296c8b86eb1222518582b99293ef8ff

                                SHA256

                                193b31213c90cb9e18b6fb7aaa93a07cf70387f4d453a1b10d1060c76c681410

                                SHA512

                                d731df14b818619e4cf4ce36ea26f1f98351956855a3018c45176556218536e03a425218752d7b7e002349e40b08bbb96a30976fcfe8ce11dfde34d807596fba

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                Filesize

                                116KB

                                MD5

                                69f3f0bd1cdf0bccbe1ec616a2416e07

                                SHA1

                                e5194ec9029d4bb716a8234a4f24bea7082b2f66

                                SHA256

                                145a658bc222f5a6932f45be2725b4f91947324ab04b6e94b7df7c9892ce29b6

                                SHA512

                                a869b067a93fbbd03bd17c00d7f1b9c8b85edd2bbe5a19faae8634cf570e4f81579eb6178d8b7bb22f017e6d3c1a16ba88a6e8dad712f2afd20d9e502b82eb29

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                Filesize

                                116KB

                                MD5

                                35cff32eaf81ed02a6faf6eb5433381b

                                SHA1

                                881494bd912e3837b4e85aa430297f064eaabb3b

                                SHA256

                                169eb2f4bda6f2427f79daa4319c9220f8404313cf9e77e7711ff8d73af17509

                                SHA512

                                d12587739e5468b07c42884a8a045c4538d80b13f4fe58d961af6f96475b83b5251063237d62aea59707402c063a5a63c418d7d8247321a6931a996c0080ccf1

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

                                Filesize

                                1KB

                                MD5

                                baf55b95da4a601229647f25dad12878

                                SHA1

                                abc16954ebfd213733c4493fc1910164d825cac8

                                SHA256

                                ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                SHA512

                                24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                              • C:\Users\Admin\AppData\Local\Temp\tmp601C.tmp.bat

                                Filesize

                                147B

                                MD5

                                a19f1cb9153df106cde088933fc4288d

                                SHA1

                                1d439d054e21a07185fbfd148e54c6cba0575145

                                SHA256

                                03e97bb29ad6d6d66e5e7cab4f8f9d2b0d134f225169218904996ff7d643b6eb

                                SHA512

                                707b853380befaf3c37e6a8136b49f90dea4440232a9af02dced5887536b6c8a4d2d7bf6b6f8949600bb4348311bbdf7ff37b8facce5df52cefc0fc98ba98d6d

                              • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

                                Filesize

                                8B

                                MD5

                                cf759e4c5f14fe3eec41b87ed756cea8

                                SHA1

                                c27c796bb3c2fac929359563676f4ba1ffada1f5

                                SHA256

                                c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

                                SHA512

                                c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

                              • C:\Users\Admin\AppData\Roaming\new.exe

                                Filesize

                                74KB

                                MD5

                                7e98ce3829f6afc0318ac2deea0680ad

                                SHA1

                                2f63adade7fa8ada790dd8f30045db1f64ab575d

                                SHA256

                                994a3ffb6fdde0851e076dc9e42262538481e285979c8ead8ed00e7580b61b3b

                                SHA512

                                3507eeb3c8eac5cc1438e6dc9e259553537386b456a0883e13cfa691f80496d0e1b01177848c338d9e134bd40e1455551b5ee36f3a510c4cb2ac3aaf3f98d33b

                              • \??\pipe\crashpad_208_YXZZLGINCHERBTVQ

                                MD5

                                d41d8cd98f00b204e9800998ecf8427e

                                SHA1

                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                SHA256

                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                SHA512

                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                              • memory/2396-88-0x00007FF99B760000-0x00007FF99C221000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/2396-87-0x00007FF99B760000-0x00007FF99C221000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/2396-73-0x00007FF99B760000-0x00007FF99C221000-memory.dmp

                                Filesize

                                10.8MB

                              • memory/2396-71-0x0000000000030000-0x0000000000048000-memory.dmp

                                Filesize

                                96KB

                              • memory/2396-70-0x00007FF99B763000-0x00007FF99B765000-memory.dmp

                                Filesize

                                8KB