Analysis

  • max time kernel
    121s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 09:12

General

  • Target

    Your file name without extension goes here.exe

  • Size

    378KB

  • MD5

    fbf8e3dc8cbcf036474e0a43a27aa8bd

  • SHA1

    ae8404bdaa3c6a8e115f208f4a63d971061045f9

  • SHA256

    8d36854957eabf3fb5bc2f0021c00390ee3be13c6f2c1136e5235ef084af966e

  • SHA512

    4ae7440769fa33110d60a9a1194a5b4d8d6b5b5bd0f0434e2d669c685113ee4c2791791b529ab626d47b954378459d14dbccb55b74df1dbdfdf623d00cfb1caa

  • SSDEEP

    6144:XHmBiyDOQgsDHYlas0uVtudFt/St2QM8oEQk9rqOVKaohD+6WpR2JVmsS:WBiy6QgGeN0G+t6kAX9rKJ66gRH

Malware Config

Extracted

Family

xworm

Version

5.0

C2

69.174.100.131:7000

Mutex

MruG8tu9BvvVUsIA

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

69.174.100.131:6606

Mutex

abkZfsCYRZhk

Attributes
  • delay

    10

  • install

    false

  • install_file

    order.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Detect Xworm Payload 5 IoCs
  • UAC bypass 3 TTPs 4 IoCs
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Vipkeylogger family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 21 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe
    "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2288
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Users\Admin\AppData\Local\Temp\duuuph.exe
        "C:\Users\Admin\AppData\Local\Temp\duuuph.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2160
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\duuuph.exe" -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1648
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
          4⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1116
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2160 -s 768
          4⤵
          • Loads dropped DLL
          PID:1744
      • C:\Users\Admin\AppData\Local\Temp\upiblc.exe
        "C:\Users\Admin\AppData\Local\Temp\upiblc.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1984
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\upiblc.exe" -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2892
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
          4⤵
            PID:2880
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1804
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xtietw.exe"' & exit
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2516
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xtietw.exe"'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1568
                • C:\Users\Admin\AppData\Local\Temp\xtietw.exe
                  "C:\Users\Admin\AppData\Local\Temp\xtietw.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of SetThreadContext
                  • System policy modification
                  PID:2500
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\xtietw.exe" -Force
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:344
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                    8⤵
                      PID:2004
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                      8⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2028
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -u -p 2500 -s 792
                      8⤵
                      • Loads dropped DLL
                      PID:2888
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9AE5.tmp.bat""
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2060
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Delays execution with timeout.exe
                  PID:1836
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 1984 -s 780
              4⤵
              • Loads dropped DLL
              PID:1356
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1836 -s 808
          2⤵
            PID:2172

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          d6d70e05419bf6ca6bf37b23212e896e

          SHA1

          b637fb02f8cf9cacc30713e6768a33df789ad814

          SHA256

          199e47d4cc31caa69eecb573f677489a2f57808aaf147b7d85e3f63ad92cee05

          SHA512

          ce94c6663a419804cdcd787613a7bd7acf08e24c9cbf7ebdc669174ddd66e6cbcfbdb5c878967b8d56905d9dd09bb5a92251222c72a4c1d8e336b12199b2348b

        • C:\Users\Admin\AppData\Local\Temp\Cab4AA9.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\Tar5391.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\Users\Admin\AppData\Local\Temp\tmp9AE5.tmp.bat

          Filesize

          175B

          MD5

          381389df12468cb40d84cc0887a13203

          SHA1

          ae3c39951e7f4b49f6adf088c77451cf6bedda01

          SHA256

          d5569f8e2f24647c3d54550f662b644f559e3453e3c133033009d12f58e74ac7

          SHA512

          f15084e8a7edfc9d357fbc8d4a27b5c0d3b7149cb19f94e71f2c52fc90c2e951888e1465388b9e0ae4e17f51d523af64e2126617b9a0e624f7b966a8b5c270f1

        • C:\Users\Admin\AppData\Local\Temp\upiblc.exe

          Filesize

          411KB

          MD5

          6dd1839d773d8a3103d2f0fc787ddbbe

          SHA1

          d22899d1ae01359e7c08fbda233d16b850da0a9e

          SHA256

          ef8a0def4681e3cd0c7e17f942f6621d7bc2d5f10481f228dbdd1b03349b0fdd

          SHA512

          a1a84832066080e37ec663b4e305ead319a74223f566c0a0a48d50dc4f10e8fc043bf185fe58f6e0e90a073641ed4a38656f3de5218744d084b6a89e73fc8514

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0SU22SSTRHRD747BSVKG.temp

          Filesize

          7KB

          MD5

          27497b2010e98a5640cc430698b90941

          SHA1

          b1391a33d7c3f0505a1f47b070e94ae445c5cb33

          SHA256

          6e149e26af8aee20784382f53e9db608f4034b39a06efc85ef697a2d7bba22d3

          SHA512

          d1dcdf1cf896a0048541179c942afed3c644fbe2843effd45259a4a97e4334947f27cf43013810812151e72af43c36a6ae40ee56bdb085fb044acb0896745ae4

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          75066196bac90ed9d2a15406d258fd3e

          SHA1

          90ebfd30509c94b1edca471ebe7a2fcac8d17a3a

          SHA256

          bf4d7e0e0cd0e91058c976da3993c1ad8bd67136ff79b32818d8c59ce062e367

          SHA512

          8df729f9afc08f41bf16ec6b6a93dcfc7c9d0fe4e009caa34dbae897697c2208d0450610b1f22ef150fd0edec36106231e7477cafe131ec15db27689f4c54541

        • \Users\Admin\AppData\Local\Temp\duuuph.exe

          Filesize

          617KB

          MD5

          06b3d03afc084f00d61aa01e4f3fc80f

          SHA1

          e7d831548c5ddf575ecc0d635b00186565f93650

          SHA256

          79e062981eefa719b51f0be14bb9e86650e406e92b448ff40748b04244823e9b

          SHA512

          7accc0b3836b29e3d0bccde1d3ea5b9437468ffe76d83f27af730b84fa87a38cca1258ced530aae96a0772b181f9cbd01c0504fad7c182f5fe7cf2c004bf1903

        • memory/344-180-0x0000000001E10000-0x0000000001E18000-memory.dmp

          Filesize

          32KB

        • memory/1032-15-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/1032-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/1032-13-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/1032-11-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/1032-9-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/1032-19-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/1032-25-0x00000000004E0000-0x00000000004EE000-memory.dmp

          Filesize

          56KB

        • memory/1032-20-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/1032-21-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

        • memory/1116-47-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

        • memory/1116-45-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

        • memory/1116-53-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

        • memory/1116-43-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

        • memory/1116-54-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

        • memory/1116-52-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

        • memory/1116-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/1116-49-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

        • memory/1648-66-0x0000000002290000-0x0000000002298000-memory.dmp

          Filesize

          32KB

        • memory/1648-65-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

          Filesize

          2.9MB

        • memory/1804-107-0x0000000006120000-0x00000000061BC000-memory.dmp

          Filesize

          624KB

        • memory/1804-84-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/1804-128-0x0000000004EF0000-0x0000000004F52000-memory.dmp

          Filesize

          392KB

        • memory/1804-126-0x0000000000760000-0x00000000007A0000-memory.dmp

          Filesize

          256KB

        • memory/1804-127-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

          Filesize

          40KB

        • memory/1804-76-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/1804-78-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/1804-80-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/1804-83-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/1804-74-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/1804-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/1804-85-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/1836-3-0x0000000000270000-0x00000000002D0000-memory.dmp

          Filesize

          384KB

        • memory/1836-23-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

          Filesize

          9.9MB

        • memory/1836-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

          Filesize

          4KB

        • memory/1836-1-0x0000000000DE0000-0x0000000000DE6000-memory.dmp

          Filesize

          24KB

        • memory/1836-2-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

          Filesize

          9.9MB

        • memory/1984-42-0x00000000004F0000-0x0000000000554000-memory.dmp

          Filesize

          400KB

        • memory/1984-41-0x0000000000220000-0x000000000022C000-memory.dmp

          Filesize

          48KB

        • memory/2028-176-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2160-33-0x0000000000290000-0x000000000032C000-memory.dmp

          Filesize

          624KB

        • memory/2160-32-0x0000000000370000-0x0000000000376000-memory.dmp

          Filesize

          24KB

        • memory/2288-22-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

          Filesize

          32KB

        • memory/2288-8-0x00000000029E0000-0x0000000002A60000-memory.dmp

          Filesize

          512KB

        • memory/2288-17-0x000000001B750000-0x000000001BA32000-memory.dmp

          Filesize

          2.9MB

        • memory/2500-162-0x0000000000B80000-0x0000000000B8C000-memory.dmp

          Filesize

          48KB

        • memory/2892-73-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

          Filesize

          32KB

        • memory/2892-72-0x000000001B7A0000-0x000000001BA82000-memory.dmp

          Filesize

          2.9MB