Overview

overview

10

Static

static

3

ca3c0d446c...bN.exe

windows7-x64

10

ca3c0d446c...bN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    10-12-2024 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe

  • Size

    601KB

  • MD5

    bc46bbd5fe4f4757b7ad1a5d21c206e0

  • SHA1

    a27abe34871d10067cf7584abe42a8f39a5f7f5c

  • SHA256

    ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70b

  • SHA512

    a839e50825b0098736baba544ee345764160ebc3d35d5f966dcfe621217edf0753bba96677e3d1f2f1782cb78c3b7d2a0107b9d5ac1a0e1eb34d6a08848aa162

  • SSDEEP

    6144:EYM2tZrIHSGn6MCInzvZEgpEIQIl4yLA8bBHP4+m46RtHK:EIrIHFnfCyhEqll4wAJ+mXRtH

Score
10/10
asyncratstormkittydefaultdiscoveryexecutionpersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5048659266:AAFJQRcRFhUzXFoT4Bj40d1LFuM0IyNZ7y4/sendMessage?chat_id=5038570348
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe
    "C:\Users\Admin\AppData\Local\Temp\ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70bN.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SearchApp.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchApp.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3008
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBFE5.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1696
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2892
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A7071B48-EEB6-4ABF-A8B3-CC28150DF60B} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Roaming\SearchApp.exe
      C:\Users\Admin\AppData\Roaming\SearchApp.exe
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2628
          • C:\Windows\system32\netsh.exe
            netsh wlan show profile
            4⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:396
          • C:\Windows\system32\findstr.exe
            findstr All
            4⤵
              PID:2596
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1768
            • C:\Windows\system32\chcp.com
              chcp 65001
              4⤵
                PID:2288
              • C:\Windows\system32\netsh.exe
                netsh wlan show networks mode=bssid
                4⤵
                • Event Triggered Execution: Netsh Helper DLL
                PID:1916

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\652307a61cc0458b6d86878c31512a79\msgid.dat
          Filesize

          1B

          MD5

          cfcd208495d565ef66e7dff9f98764da

          SHA1

          b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

          SHA256

          5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

          SHA512

          31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

          Download Submit

        • C:\Users\Admin\AppData\Local\9e499e3fea56ef224d09d8bee80fd77b\Admin@PIDEURYY_en-US\Browsers\Firefox\Bookmarks.txt
          Filesize

          105B

          MD5

          2e9d094dda5cdc3ce6519f75943a4ff4

          SHA1

          5d989b4ac8b699781681fe75ed9ef98191a5096c

          SHA256

          c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

          SHA512

          d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

          Download Submit

        • C:\Users\Admin\AppData\Local\9e499e3fea56ef224d09d8bee80fd77b\Admin@PIDEURYY_en-US\System\Process.txt
          Filesize

          1KB

          MD5

          7814eca448ff38a5e441c5733708502e

          SHA1

          6786e1e387bdd35ff2f3d2d73fa83ad48470a43f

          SHA256

          89be88ff712fbc1d55d2774e94d57b29fbb97734a8c0f8163ae51c88558b4428

          SHA512

          dd810cc6671fe1d3c2dfa19bcd58a69df3733e8dd08ad4c6c9a08468cc5d5591f4be314f698539d542f598e849e122694b8da2283114fa7286cbcaad05f04b1e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpBFE5.tmp.bat
          Filesize

          217B

          MD5

          f55b9f577f49261d69cbcc785a173438

          SHA1

          c803a503e042aa2b4836b90913ce68ce75bce447

          SHA256

          2b42bb5a1f3c0662cc116ed8ba55245ce90349d550b2d3b4c356c04ec734b93a

          SHA512

          6b6c4e65039559335841b1d8aa5a438eba1fab285a937ea138f300ec2dcd98ddeb963302c61bb8f82c162b1c2a88ecd40844f368fbac09ef375d4d3a9e88d928

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          9e3af005895d5aa6213aaac52e4d6f4c

          SHA1

          e51e5f20687a4f818acc9599e1675df4b80dc8fb

          SHA256

          c9923ab6a634222b3ab90ac11ae513bad0d7b374b2428f5335fd494e5096b720

          SHA512

          aa5772b9197455c6b4210e7f703585397afc76c091c1f0c11d516fe13d6f013a0ea5a206bf9d91d6869b4335bad4184bda6f45d99e533ea953a8a5e228303d44

          Download Submit

        • C:\Users\Admin\AppData\Roaming\SearchApp.exe
          Filesize

          601KB

          MD5

          bc46bbd5fe4f4757b7ad1a5d21c206e0

          SHA1

          a27abe34871d10067cf7584abe42a8f39a5f7f5c

          SHA256

          ca3c0d446c24ff7deec82756789d84b6e33b0f8c7d5b0100c31afb30663ee70b

          SHA512

          a839e50825b0098736baba544ee345764160ebc3d35d5f966dcfe621217edf0753bba96677e3d1f2f1782cb78c3b7d2a0107b9d5ac1a0e1eb34d6a08848aa162

          Download Submit

        • memory/672-7-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/672-8-0x00000000026E0000-0x00000000026E8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2356-31-0x00000000009D0000-0x0000000000A6C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2356-32-0x00000000006A0000-0x00000000006D2000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2524-18-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2524-27-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2524-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2524-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2524-1-0x0000000000A20000-0x0000000000ABC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/3008-15-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3008-14-0x000000001B750000-0x000000001BA32000-memory.dmp

          Filesize

          2.9MB

          Download