Analysis
-
max time kernel
93s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-12-2024 01:07
General
-
Target
b7cd929ce4d0fa849eeab8a216e1333f63c7d3530da674f163efab4dae3439d1.exe
-
Size
2.2MB
-
MD5
3541c1ac26eb5bbb87f01c20fd9f8824
-
SHA1
bf5d136c911491f59bdeb3bf37b8f1a155fd3a97
-
SHA256
b7cd929ce4d0fa849eeab8a216e1333f63c7d3530da674f163efab4dae3439d1
-
SHA512
babc17723d2389919acd96f977821d57bdd737f01a9598209efafa72ae0418e914a5d229f196d80cb5ba70ce82b0f340b18aa255bbe4ed77d821a432d5794a93
-
SSDEEP
49152:pHx/9iRLusgfLziEqFhJ5v96Adh3BeNHdbOTPixC30tP0MQ:DURLyU95JdhGda7wcM
Malware Config
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Stormkitty family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\b7cd929ce4d0fa849eeab8a216e1333f63c7d3530da674f163efab4dae3439d1.exe"C:\Users\Admin\AppData\Local\Temp\b7cd929ce4d0fa849eeab8a216e1333f63c7d3530da674f163efab4dae3439d1.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7FE9.tmp.bat""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\Wihnup.exe"C:\Users\Admin\AppData\Roaming\Wihnup.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD5ffabcc262fb699998b6191d7656c8805
SHA1fd3ea79a8550b14e9cc75fb831fd7a141964a714
SHA256f46e4a7de978baceec5f64cbc9fa1f1e772e864fa3310045cd19d77264698cde
SHA51279b2e21a9111b16b0f67ae5d1cc40a25773b847d3f4cf78711a8dfd8b67c30beec332ed65ac008c9dca62c84de891eff20d7c6050bc868bce77a17fe56da61ba
-
Filesize
150B
MD5df9ab7eb279615cbe671c0c3958eedd2
SHA1f00bf67fff8b7dff3f39ebf6fee6a292e2f403d3
SHA25678f1af2251a718299f7c5dfa3bf3798b4959b30cd2cb911eb544f12f94fdcac4
SHA51297716a4c91a3dea3a90962acd137af8ce914c67032e3978118d553a309fb46a8d94cae5861f534884738c8505e796185b13b4ca48db37a5ea0c218836ae41129
-
Filesize
256KB
MD58fdf47e0ff70c40ed3a17014aeea4232
SHA1e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.4MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
1.4MB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
336KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
256KB
-
Filesize
104KB
-
Filesize
1.4MB
-
Filesize
7.7MB
-
Filesize
3.0MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB