asyncrat | 27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2

Analysis

max time kernel
59s
max time network
18s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe
Size

757KB
MD5

e4976f1a6bdfac9de40f9b8d5d5f62ba
SHA1

a6003a4e3ff383baa178bd633b6b752d070ba68d
SHA256

27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2
SHA512

d74f211f475487193b7fc5b6cc02ffb758599815da7f2d8fd9ebf5c3deca8f4d02fc2e66531a0b7585fa9ef64ac7fed3fdbf52ee67350257468a2728e5740eb6
SSDEEP

6144:cSncRl18XN6W8mmHPtppXPSi9b4fcSncRlrBoLp7ua9Qd:94UN6qatppXPm4RBYEaw

Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7557878970:AAGK-77Z__cCdoMjeFBTGoWLVAg2XPHco-I/sendMessage?chat_id=8178371083

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120fb-2.dat	family_stormkitty
behavioral1/memory/2564-26-0x0000000000A40000-0x0000000000A70000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00080000000120fb-2.dat	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
2564	SERVER BOT.EXE
2080	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE
2200	VULNCHECKER.EXE

Loads dropped DLL 9 IoCs

pid	Process
2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe
2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe
2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe
2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe
2844	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\ea158774d24159f20af8e1665dd95e19\Admin@NNYJZAHP_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SERVER BOT.EXE
File opened for modification	C:\Users\Admin\AppData\Local\ea158774d24159f20af8e1665dd95e19\Admin@NNYJZAHP_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SERVER BOT.EXE
File created	C:\Users\Admin\AppData\Local\ea158774d24159f20af8e1665dd95e19\Admin@NNYJZAHP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	SERVER BOT.EXE
File created	C:\Users\Admin\AppData\Local\ea158774d24159f20af8e1665dd95e19\Admin@NNYJZAHP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SERVER BOT.EXE
File created	C:\Users\Admin\AppData\Local\ea158774d24159f20af8e1665dd95e19\Admin@NNYJZAHP_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	SERVER BOT.EXE

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2844	2200	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER BOT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VULNCHECKER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1320	cmd.exe
1756	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	SERVER BOT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SERVER BOT.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000014e460481b7bdd479f8fdaed55d483df00000000020000000000106600000001000020000000ccfd276095bcf3d7a3aa1d2c91e033a226f7a0ba74a8876a57c70c340a175630000000000e80000000020000200000000802447b1de0c51ab0d0a449bbb763eef79e5d4af901f37e6eceb022f7cb3c8320000000ccc807a543782c0cf486ca87ee904be5734915c5cb2619be0ade10518037805840000000a4adf2dd9b0b975c18fe948bd5f582bb8e39ec677f39e5a0948cd9da278266fa5c6cc10ccac692f4c36aeef3dadf8837f561671859ccb91e944eb4ac3e015a60	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FB2BC451-B275-11EF-80BD-DAEE53C76889} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 809167d18246db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000014e460481b7bdd479f8fdaed55d483df0000000002000000000010660000000100002000000081c20ecb5e38164811e2e082cd317e8a542accc2a6d85fd3a7448985fc8bec87000000000e800000000200002000000097d90e320303f2c6c719366a767e7aced38f621d268d105e7f0c15657000545f90000000b62b08ece605068302cdfa08c5b17706b2134c5929c7b6b6475d46cbe9e2f7dcb7570ccab50c3ade269935455db5ac87a2b1b01529b37b6b2236c306bd8668f5d3e6857e60789b7d5ef01c7dc7fe11dc425ef19e39e0115f4e622cc143e771a6dd379b2ee02ac96156f301ef049197d304b8e6e29ee76350db57ab7b1b7bf29f0e3a19c5fd268044bc8c8489bd354060400000000a95a42c7f04f50d130481c3d5f0825ca0911e59df271e1ceb309b772c6c2e21134649678784bc1c0dea053264f5f04ce05e775d29d7f0ac8786e8109b9462e2	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2564	SERVER BOT.EXE
2564	SERVER BOT.EXE
2564	SERVER BOT.EXE
2564	SERVER BOT.EXE
2564	SERVER BOT.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	SERVER BOT.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2816	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2816	iexplore.exe
2816	iexplore.exe
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2564	2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe	30
PID 2280 wrote to memory of 2564	2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe	30
PID 2280 wrote to memory of 2564	2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe	30
PID 2280 wrote to memory of 2564	2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe	30
PID 2280 wrote to memory of 2080	2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe	31
PID 2280 wrote to memory of 2080	2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe	31
PID 2280 wrote to memory of 2080	2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe	31
PID 2280 wrote to memory of 2080	2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe	31
PID 2280 wrote to memory of 2200	2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe	32
PID 2280 wrote to memory of 2200	2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe	32
PID 2280 wrote to memory of 2200	2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe	32
PID 2280 wrote to memory of 2200	2280	27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe	32
PID 2080 wrote to memory of 2816	2080	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE	34
PID 2080 wrote to memory of 2816	2080	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE	34
PID 2080 wrote to memory of 2816	2080	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE	34
PID 2080 wrote to memory of 2816	2080	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE	34
PID 2816 wrote to memory of 2804	2816	iexplore.exe	35
PID 2816 wrote to memory of 2804	2816	iexplore.exe	35
PID 2816 wrote to memory of 2804	2816	iexplore.exe	35
PID 2816 wrote to memory of 2804	2816	iexplore.exe	35
PID 2200 wrote to memory of 2844	2200	VULNCHECKER.EXE	36
PID 2200 wrote to memory of 2844	2200	VULNCHECKER.EXE	36
PID 2200 wrote to memory of 2844	2200	VULNCHECKER.EXE	36
PID 2200 wrote to memory of 2844	2200	VULNCHECKER.EXE	36
PID 2564 wrote to memory of 1320	2564	SERVER BOT.EXE	39
PID 2564 wrote to memory of 1320	2564	SERVER BOT.EXE	39
PID 2564 wrote to memory of 1320	2564	SERVER BOT.EXE	39
PID 2564 wrote to memory of 1320	2564	SERVER BOT.EXE	39
PID 1320 wrote to memory of 1876	1320	cmd.exe	41
PID 1320 wrote to memory of 1876	1320	cmd.exe	41
PID 1320 wrote to memory of 1876	1320	cmd.exe	41
PID 1320 wrote to memory of 1876	1320	cmd.exe	41
PID 1320 wrote to memory of 1756	1320	cmd.exe	42
PID 1320 wrote to memory of 1756	1320	cmd.exe	42
PID 1320 wrote to memory of 1756	1320	cmd.exe	42
PID 1320 wrote to memory of 1756	1320	cmd.exe	42
PID 1320 wrote to memory of 1628	1320	cmd.exe	43
PID 1320 wrote to memory of 1628	1320	cmd.exe	43
PID 1320 wrote to memory of 1628	1320	cmd.exe	43
PID 1320 wrote to memory of 1628	1320	cmd.exe	43
PID 2564 wrote to memory of 1388	2564	SERVER BOT.EXE	44
PID 2564 wrote to memory of 1388	2564	SERVER BOT.EXE	44
PID 2564 wrote to memory of 1388	2564	SERVER BOT.EXE	44
PID 2564 wrote to memory of 1388	2564	SERVER BOT.EXE	44
PID 1388 wrote to memory of 1548	1388	cmd.exe	46
PID 1388 wrote to memory of 1548	1388	cmd.exe	46
PID 1388 wrote to memory of 1548	1388	cmd.exe	46
PID 1388 wrote to memory of 1548	1388	cmd.exe	46
PID 1388 wrote to memory of 1384	1388	cmd.exe	47
PID 1388 wrote to memory of 1384	1388	cmd.exe	47
PID 1388 wrote to memory of 1384	1388	cmd.exe	47
PID 1388 wrote to memory of 1384	1388	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe
"C:\Users\Admin\AppData\Local\Temp\27634323ec85c5d553d7346b1a4d7f0ee31ac2a33d755f2700db0fb9474975d2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1876
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1756
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1548
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1384
- C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE
  "C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2804
- C:\Users\Admin\AppData\Local\Temp\VULNCHECKER.EXE
  "C:\Users\Admin\AppData\Local\Temp\VULNCHECKER.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 540
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ac482e92f5e54bcf5d3906e11c8c0b7

SHA1
952bba156a55c35f7faa2e4e7164e47f7e962e85

SHA256
a02a7e08ea7eab3517722a22e8dd0c1c6d5cae7543b429dcdbaca9c35a2ea0e8

SHA512
c24ae4264091d2510af198ba69c6016421b653273182284e4530efc7dbfd945e13f1e4a2b684f5d928b9c53023ffc06f433ac059b7c6ebe56153dc96b186c60d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab30d3831a3aa9d170a8965765e08544

SHA1
652bcf6a0b6b465e9380f9a56bb4fc0df59426fb

SHA256
63842eecd66449373b50ba4ea28d286619280118dba070d6008c5ce0b8e35df3

SHA512
9432eaed3ce37e651fdc51255e659dc6ff731d92663adc1572ad718cd378c56b072ecab05b7f1191f02f1ad534190dd4c264549ebc8caebe45577522d48e708d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17cc2c49a2e8034cf3eb1274b70ae90e

SHA1
9d497a4d67fc85879c470bdf40b55960cb95cb3e

SHA256
94cd0406a09f936a6ecc40e729fba6ad4a709742e388a8f7aa6eb7b58105a794

SHA512
653e5b7871a0cf14aa1f03fdbd22bdbadd31f45d1a63e158ab92c986ec8ddd02ddf04ab65ae4e3dd1732ff25eccc926bd9897bacb2b3b5fb9749ca07845e9d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49f65e5f3f8415e8b37ef477adad881c

SHA1
5284df191e128328325c510bafe5d69301f82065

SHA256
5d2f74aaa2d77a96d58d6d997d907599e608b1d79fa1b3a58a0c6de97c600f04

SHA512
e2557afb6d36984699439413017ce12df073cd9bc589c87fae800d8b9611518a0b646731da86b82f3358f7d17704f4ea73b7ba8037dbb03cb0f868785fb08023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0ca2704604d2658a1142948a39837b3

SHA1
420d4409aa5234844c50c6aa188a9bfea7414cf2

SHA256
e87acb7c3949cdb9e0d161c264dcfc9da066cfe6845e0ca93974dbaf95589744

SHA512
ba147a2b7f3044ff3c23bbe10c87fe419607cb1a0ac5e3136f06c64bab2cc71620f8fbc1ae57fbefdb956ae433a0de024ded923b102856995d0765522c2e6a70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
949bf354cde20826cbf6e97acdc725b2

SHA1
786de4b28abe2f1ca1a99295a3609c3bf89d877b

SHA256
aa33b9dea3ee46234da7ed80ce9fb0fab5ce4bf81f823f01105068cfbdfd0160

SHA512
0b4ac553f8ad8a59a3c1dedee8ac0caad785d4720f738ad70c85dd6b0d82a67e08c33aa2177302133833f2701fe5e25b5bb69c77d4e6142d8b74c231d126b173

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
221e6a00de5828f3a4ca0eaf000fe8ff

SHA1
7d2e4d9e1406b8560b34f079715d5fc2e03a850a

SHA256
8058935e365d210e0d38b6d52ae6ef4bdbc7679a755407377d142f98d5834fde

SHA512
aec4502bab1e9088b5725a90b8c8084f11008a31a2f086e4ffcb72135e3ca8f11db86f4a15b18c16cca63bf31c21bc06275d7019526c68a9203c7423b5b06b0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9dcf1e9511452f93f1b895ff5766e92

SHA1
3547518d310efd26929620909fe55f1bda6a20e1

SHA256
20b011d8282e4ed88f15d9c891379559a7d4cd83d7fdd2cf1936ea4adecd5def

SHA512
ecf368100696553d09c56103859b15a08816bd6f3a41677c5304d37bf66f0722dfaafe9c828dd6b730149bb84bd6cd2a8b5fd5a0395ff09ab39759aed54f64ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80c0c8d488ef5b90717854d0c9077167

SHA1
a051321737721a87629295fd8bdd2822e6984438

SHA256
a33dd07471753cd314424a254ed6f91a4cde26d96d1b9edf9e2c6196470ca895

SHA512
06cc8b918f0f64cd9b0b0fa1ad20d5cfe41457ba2ac055d0331b94caee93fad358810fd17ee57aa122f072edd73d15108b2409aebb3311d4e74f140106f4f609

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB118.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML

Filesize
466KB

MD5
f9035161bd488986f5bac378372168cf

SHA1
7e6ceaffefb0529e72c1ded8c3b98230e85e2842

SHA256
17677889889bf300ebceb7b998ffef915ce1d7ae74ba106783afb569c8ec92d4

SHA512
cf1a25f5f728a4145e5f64c0f14f87beb5e6da8de8647330eb9322e9f4f15e0cb9b1f2d3aae72221e8359f747621d273f67755babf04dc8270122c273dd1da85

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB1E7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VULNCHECKER.EXE

Filesize
14KB

MD5
92da48f7613ad5ff3ac84b24b21c23f2

SHA1
b8826c7315d5906eccd553a10d6ba741466d7de2

SHA256
ab53fbdc9e8408e303501c56f7f7a263d02876088791d9ea87b78463ccf90854

SHA512
ef5f610fcde55e1028767a5b848fc0f9e6a99b547f695e7c9d70f55acd1efa0cdb5f65c3aa699237ddbedd2fea9d84b091f6087b6ce7048a8274dda04638f4f6

Download Submit
C:\Users\Admin\AppData\Local\ea158774d24159f20af8e1665dd95e19\Admin@NNYJZAHP_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\f780ce1b944d69c29f3a1ba9990b3ddf\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE

Filesize
170KB

MD5
2e7cb0a4c91b31337f17742a2f73aaf7

SHA1
08b2db3956a4af5671d374f62e753fdbeeb94d36

SHA256
c92ccebe416798a16a22f1f45978df59988b4219d118eb9d2100fabe2eb78c3b

SHA512
7487c1f068a3edf4ae74f08a27fde66888703b3ee5883f88774e477c7b645eff1b6a950354f391239aca82a5cf0b9d28a1ad8adbac4159cfd92dc31fa34fbcb2

Download Submit
\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE

Filesize
519KB

MD5
7c908443c3e7c8713df4d3482adc6a89

SHA1
545145ded60fd817d329062b6df4e12818c530d3

SHA256
f06f72d8206e8476e7bf3261b18d19a6ddd7e02aed0b69cc932c261a9da2b620

SHA512
76d90435d08992ac4343f4b1cb01944f2713dc67691bb7038643fc8b05f73bed75515a4d1000a6e44ad2c2a37508af7128c4e50b8c3064e0786e84099903c951

Download Submit
memory/2200-25-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/2564-26-0x0000000000A40000-0x0000000000A70000-memory.dmp

Filesize
192KB

Download