Overview

overview

10

Static

static

10

Infected.exe

windows7-x64

1

Infected.exe

windows10-2004-x64

10

Resubmissions

22-11-2024 05:56

241122-gnhl5svqcv 10

22-11-2024 05:53

241122-glkcysvqbs 10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 05:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Infected.exe

  • Size

    63KB

  • MD5

    c8b877cb0d39bd95d7069f5b4c23612a

  • SHA1

    5fb64bfb87b525c12d424baeb3128ddcde85a4de

  • SHA256

    a2026da11259eef54d6162eafef538d915895fcd42d42dae5d0c65c975c07145

  • SHA512

    0b1fb239a7eaad73e9d965e5ffa9b8ad0ebf44e5e799ffb0570eafa4c4895d936619321bf577d89ff6c31b338854d667fafc8317bfea40c7f9a7d6fe397bcab0

  • SSDEEP

    768:tYtz5i7QHEU78j8C8A+Xi+azcBRL5JTk1+T4KSBGHmDbD/ph0oXcpBSuZCdpqKYC:tGIgE8ddSJYUbdh9XuZCdpqKmY7

Score
10/10
asyncratdefaultdiscoveryratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

consumer-cms.gl.at.ply.gg:2155

Attributes
  • delay

    1

  • install

    true

  • install_file

    SteamWebHelper.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Infected.exe
    "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SteamWebHelper" /tr '"C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "SteamWebHelper" /tr '"C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4808
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpADA5.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4984
      • C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe
        "C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1096
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd7e16cc40,0x7ffd7e16cc4c,0x7ffd7e16cc58
      2⤵
        PID:4452
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,17684845734885543803,16122820352383005674,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
        2⤵
          PID:2452
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,17684845734885543803,16122820352383005674,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:3
          2⤵
            PID:2912
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,17684845734885543803,16122820352383005674,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2556 /prefetch:8
            2⤵
              PID:2796
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,17684845734885543803,16122820352383005674,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
              2⤵
                PID:820
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3312,i,17684845734885543803,16122820352383005674,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3424 /prefetch:1
                2⤵
                  PID:1384
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4516,i,17684845734885543803,16122820352383005674,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:1
                  2⤵
                    PID:1372
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4880,i,17684845734885543803,16122820352383005674,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
                    2⤵
                      PID:412
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4600,i,17684845734885543803,16122820352383005674,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8
                      2⤵
                        PID:4040
                    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                      1⤵
                        PID:412
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                        1⤵
                          PID:4656
                        • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
                          "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UpdateUnregister.xlsx"
                          1⤵
                          • Checks processor information in registry
                          • Enumerates system info in registry
                          • Suspicious behavior: AddClipboardFormatListener
                          • Suspicious use of SetWindowsHookEx
                          PID:5048

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                          Filesize

                          649B

                          MD5

                          2416624f7f5c991e5db28829bfbdf85b

                          SHA1

                          bd117617ec169485a8af1be3cae766a1e1174f76

                          SHA256

                          f2054c9b82431aff0aa498f8325ee3f4e0a6e275c945b5dbf68ec0182c3ccfc2

                          SHA512

                          932df971ed596d9928b404a4559bd982adbaad6543fd08b90d3aa3d2879aa67cc562a08e6b1b0f0c03d4a5e2a34708f4fb642995c5241284b3a48ec0623e0200

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\42b262cf-ddef-4215-927d-1b337861943f.tmp
                          Filesize

                          1KB

                          MD5

                          ba0750debee4d0c86451bbf3130ae53d

                          SHA1

                          def2c4d0c8c2e6e7cef8ae7ec4b6f5287532ab66

                          SHA256

                          7468b8fd3a7aa0d05c9121bf41200f4e97bed67b55a5ede7c02d69d592f4a573

                          SHA512

                          896b46b0f87de7434658526508e8ff29fa0c4868ba2874b68daf5beecaa168f2df45cb87b159685c23b3cea8975b2a1fb946dab821b54ff9e1075eda1ce22439

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                          Filesize

                          2B

                          MD5

                          d751713988987e9331980363e24189ce

                          SHA1

                          97d170e1550eee4afc0af065b78cda302a97674c

                          SHA256

                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                          SHA512

                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                          Filesize

                          356B

                          MD5

                          7686741e4aac06e8e7d64571f3261679

                          SHA1

                          20ccb1157917787dafe8331fa4947747ba184ef1

                          SHA256

                          ade2c1adc55b779feb77fa98e42d7e4fe9738228dd37c9af191f433d15d67b58

                          SHA512

                          826852fe854f1bebe5eb89e6c62ebc4beacafa022e60d338fa7de90c0e8e1b6b8e6ee8a9f77628a16b460570927cd2703306f6230646c709277aa63522ee35c7

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          8KB

                          MD5

                          85e94f5cfd274a9b7b59d81ea5444d72

                          SHA1

                          96fab941641cd97f78996f713a285a127a585c69

                          SHA256

                          bfc484328c57694ced9f68102474ee4af839c14d9ad594ed3ec797855c049a95

                          SHA512

                          3d76f9b14987a5ab4236e1f42adaba65afd217ebf18eaca619e90bb74ad5385f4826f007b1f9ce938e83e587c97606e6b5fa4ff17d891a9b9a9dd1557f3ab613

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                          Filesize

                          15KB

                          MD5

                          19f47413b6dd080453a069213f4d518b

                          SHA1

                          bfebc4015e80ff92ab77a30c58b62392e96c030a

                          SHA256

                          0bd8734e6d47b7d151c391903112c623e9f700e71d7f032139487333181b33e0

                          SHA512

                          fcb3941dbbd9e381f241ede4c14e106dc236b37e1ac691403af54058350b71e611e22a3b9c0fc7ab8014cec0b0317896eed0b62b8dd9003e77e0dffbbc600d19

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                          Filesize

                          234KB

                          MD5

                          b3b3d6e25bcc561ea62ed6634e8459dd

                          SHA1

                          9a4b997c6c6156aacde1cb969a95acdaf16cada8

                          SHA256

                          6dd8a16226e8d98c57a4e579ac77a0816eac2fc388ea3dd81183aaabe8af1738

                          SHA512

                          aabf0d30b16a1fbc1338ddb6c728a5ab6ec12f6f80e728aeddebdbec60716dac7c416ef0b22a0ff0a78391ed2a3a8195703f12148b30b39e8fc2bc272fbfd074

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
                          Filesize

                          264KB

                          MD5

                          f50f89a0a91564d0b8a211f8921aa7de

                          SHA1

                          112403a17dd69d5b9018b8cede023cb3b54eab7d

                          SHA256

                          b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                          SHA512

                          bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\tmpADA5.tmp.bat
                          Filesize

                          158B

                          MD5

                          99289c2dc32678e390066195fd75e6de

                          SHA1

                          e05a3f9fc5954327bbf03c5433f1d10057d6ee91

                          SHA256

                          66438e5c3b37a5af89ba00d34f467ce9c61a1567c61760884275a3a82b4daaeb

                          SHA512

                          8c4649d3b7dc3bce1c909a634721c7b8399d65dbae610b9d61c5b74d123c431ba2d994012b1bdc43a0bc54d8d6fbebad3213398084d664b22fa44156f78629f5

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
                          Filesize

                          387B

                          MD5

                          4fa754d2bc6992987574292b4d425fd0

                          SHA1

                          f265dea0ffe218ee7b29039c72ea48778cac30de

                          SHA256

                          0525deec6e8dad01d7bc9b16dedde361f861d2a897604066718ae20f51a89a00

                          SHA512

                          0d958327ce9b524f1e6c5bd9d5f6e35df59c6de3a4249da98f5b8dae558d773e7026c9c6faef5a6bb352c56fd3044b04771131b41fe53101500476a3b2dcdfe7

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe
                          Filesize

                          63KB

                          MD5

                          c8b877cb0d39bd95d7069f5b4c23612a

                          SHA1

                          5fb64bfb87b525c12d424baeb3128ddcde85a4de

                          SHA256

                          a2026da11259eef54d6162eafef538d915895fcd42d42dae5d0c65c975c07145

                          SHA512

                          0b1fb239a7eaad73e9d965e5ffa9b8ad0ebf44e5e799ffb0570eafa4c4895d936619321bf577d89ff6c31b338854d667fafc8317bfea40c7f9a7d6fe397bcab0

                          Download Submit

                        • memory/1096-190-0x000000001E650000-0x000000001E6A4000-memory.dmp

                          Filesize

                          336KB

                          Download

                        • memory/1096-191-0x000000001E810000-0x000000001E820000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1096-17-0x000000001DAC0000-0x000000001DADE000-memory.dmp

                          Filesize

                          120KB

                          Download

                        • memory/1096-187-0x000000001D8D0000-0x000000001D902000-memory.dmp

                          Filesize

                          200KB

                          Download

                        • memory/1096-188-0x000000001EFF0000-0x000000001F030000-memory.dmp

                          Filesize

                          256KB

                          Download

                        • memory/1096-16-0x0000000001670000-0x00000000016A4000-memory.dmp

                          Filesize

                          208KB

                          Download

                        • memory/1096-15-0x000000001DB20000-0x000000001DB96000-memory.dmp

                          Filesize

                          472KB

                          Download

                        • memory/1096-140-0x000000001D8A0000-0x000000001D8D4000-memory.dmp

                          Filesize

                          208KB

                          Download

                        • memory/1096-189-0x000000001F030000-0x000000001F062000-memory.dmp

                          Filesize

                          200KB

                          Download

                        • memory/4620-1-0x00000000000D0000-0x00000000000E6000-memory.dmp

                          Filesize

                          88KB

                          Download

                        • memory/4620-2-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/4620-0-0x00007FFD857F3000-0x00007FFD857F5000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/4620-7-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/4620-8-0x00007FFD857F0000-0x00007FFD862B1000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/5048-144-0x00007FFD63830000-0x00007FFD63840000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5048-147-0x00007FFD60F20000-0x00007FFD60F30000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5048-183-0x00007FFD63830000-0x00007FFD63840000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5048-184-0x00007FFD63830000-0x00007FFD63840000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5048-185-0x00007FFD63830000-0x00007FFD63840000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5048-186-0x00007FFD63830000-0x00007FFD63840000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5048-146-0x00007FFD60F20000-0x00007FFD60F30000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5048-142-0x00007FFD63830000-0x00007FFD63840000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5048-145-0x00007FFD63830000-0x00007FFD63840000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5048-143-0x00007FFD63830000-0x00007FFD63840000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/5048-141-0x00007FFD63830000-0x00007FFD63840000-memory.dmp

                          Filesize

                          64KB

                          Download