Malware Analysis Report

2025-01-03 06:22

Sample ID 241124-ys45dasqcq
Target EXMservice.exe
SHA256 c148cc14f15b71a2d3f5e6bce6b706744f6b373a7e6c090c14f46f81d2d6e82f
Tags
asyncrat stormkitty xworm default discovery persistence privilege_escalation rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c148cc14f15b71a2d3f5e6bce6b706744f6b373a7e6c090c14f46f81d2d6e82f

Threat Level: Known bad

The file EXMservice.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty xworm default discovery persistence privilege_escalation rat spyware stealer trojan

Asyncrat family

Xworm

Xworm family

AsyncRat

Stormkitty family

StormKitty payload

StormKitty

Detect Xworm Payload

Async RAT payload

Checks computer location settings

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops desktop.ini file(s)

Looks up geolocation information via web service

Enumerates physical storage devices

System Network Configuration Discovery: Wi-Fi Discovery

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-24 20:03

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 20:03

Reported

2024-11-24 20:06

Platform

win7-20240903-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EXMservice.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Xworm Payload

StormKitty

stealer stormkitty

StormKitty payload

Stormkitty family

stormkitty

Xworm

trojan rat xworm

Xworm family

xworm

Async RAT payload

rat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk C:\Users\Admin\msedge.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk C:\Users\Admin\msedge.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\msedge.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\9810221d33fdc6c8d4eba8d3933542ce\Admin@ZQABOPWE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\svchost.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\svchost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\msedge.exe N/A

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\EXMservice.exe

"C:\Users\Admin\AppData\Local\Temp\EXMservice.exe"

C:\Users\Admin\msedge.exe

"C:\Users\Admin\msedge.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\taskeng.exe

taskeng.exe {0C5A4F90-1AF8-4551-9999-911ADEE20674} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\msedge.exe

C:\Users\Admin\AppData\Local\msedge.exe

C:\Users\Admin\AppData\Local\msedge.exe

C:\Users\Admin\AppData\Local\msedge.exe

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 20:03

Reported

2024-11-24 20:06

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EXMservice.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Xworm Payload

StormKitty

stealer stormkitty

StormKitty payload

Stormkitty family

stormkitty

Xworm

trojan rat xworm

Xworm family

xworm

Async RAT payload

rat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EXMservice.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\msedge.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk C:\Users\Admin\msedge.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk C:\Users\Admin\msedge.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\msedge.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\5c690511666ed089a3eccf2e27e3a1b3\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\5c690511666ed089a3eccf2e27e3a1b3\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\5c690511666ed089a3eccf2e27e3a1b3\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\5c690511666ed089a3eccf2e27e3a1b3\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\5c690511666ed089a3eccf2e27e3a1b3\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\5c690511666ed089a3eccf2e27e3a1b3\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\5c690511666ed089a3eccf2e27e3a1b3\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\5c690511666ed089a3eccf2e27e3a1b3\Admin@GUMLNLFE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\svchost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\msedge.exe N/A

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\EXMservice.exe

"C:\Users\Admin\AppData\Local\Temp\EXMservice.exe"

C:\Users\Admin\msedge.exe

"C:\Users\Admin\msedge.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Local\msedge.exe

C:\Users\Admin\AppData\Local\msedge.exe

C:\Users\Admin\AppData\Local\msedge.exe

C:\Users\Admin\AppData\Local\msedge.exe

Network

Files
