Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 09:12

General

  • Target

    Your file name without extension goes here.exe

  • Size

    378KB

  • MD5

    fbf8e3dc8cbcf036474e0a43a27aa8bd

  • SHA1

    ae8404bdaa3c6a8e115f208f4a63d971061045f9

  • SHA256

    8d36854957eabf3fb5bc2f0021c00390ee3be13c6f2c1136e5235ef084af966e

  • SHA512

    4ae7440769fa33110d60a9a1194a5b4d8d6b5b5bd0f0434e2d669c685113ee4c2791791b529ab626d47b954378459d14dbccb55b74df1dbdfdf623d00cfb1caa

  • SSDEEP

    6144:XHmBiyDOQgsDHYlas0uVtudFt/St2QM8oEQk9rqOVKaohD+6WpR2JVmsS:WBiy6QgGeN0G+t6kAX9rKJ66gRH

Malware Config

Extracted

Family

xworm

Version

5.0

C2

69.174.100.131:7000

Mutex

MruG8tu9BvvVUsIA

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

69.174.100.131:6606

Mutex

abkZfsCYRZhk

Attributes
  • delay

    10

  • install

    false

  • install_file

    order.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Detect Xworm Payload 1 IoCs
  • UAC bypass 3 TTPs 4 IoCs
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Vipkeylogger family
  • Windows security bypass 2 TTPs 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 6 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe
    "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:632
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      2⤵
        PID:3640
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Users\Admin\AppData\Local\Temp\fnhvmp.exe
          "C:\Users\Admin\AppData\Local\Temp\fnhvmp.exe"
          3⤵
          • UAC bypass
          • Windows security bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Windows security modification
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fnhvmp.exe" -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3532
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            4⤵
              PID:3832
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2324
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hprogd.exe"' & exit
                5⤵
                • System Location Discovery: System Language Discovery
                PID:4500
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hprogd.exe"'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1596
                  • C:\Users\Admin\AppData\Local\Temp\hprogd.exe
                    "C:\Users\Admin\AppData\Local\Temp\hprogd.exe"
                    7⤵
                    • UAC bypass
                    • Windows security bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • Suspicious use of SetThreadContext
                    • System policy modification
                    PID:4860
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\hprogd.exe" -Force
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4376
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                      8⤵
                        PID:3940
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3804
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                        8⤵
                          PID:3924
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5F90.tmp.bat""
                    5⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:3872
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout 2
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Delays execution with timeout.exe
                      PID:1652
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
                  4⤵
                    PID:2464
                • C:\Users\Admin\AppData\Local\Temp\eigjvr.exe
                  "C:\Users\Admin\AppData\Local\Temp\eigjvr.exe"
                  3⤵
                  • UAC bypass
                  • Windows security bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Windows security modification
                  • Checks whether UAC is enabled
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2340
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\eigjvr.exe" -Force
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3196
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    4⤵
                      PID:4416
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                      4⤵
                        PID:1248
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                        4⤵
                        • Accesses Microsoft Outlook profiles
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • outlook_office_path
                        • outlook_win_path
                        PID:1264
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                        4⤵
                          PID:2080
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                      2⤵
                        PID:3840

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                      Filesize

                      2KB

                      MD5

                      d85ba6ff808d9e5444a4b369f5bc2730

                      SHA1

                      31aa9d96590fff6981b315e0b391b575e4c0804a

                      SHA256

                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                      SHA512

                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      944B

                      MD5

                      38a2262fb16df934106a14acb53aaeb0

                      SHA1

                      44995f3ecfeef1136485135b0818ae7b6a11fee3

                      SHA256

                      3f1f739bf5742b5962a330560d14b95ebdbdf8c4704e5852a4deddc01fce5dc1

                      SHA512

                      43dccc1860a4dc260f5aa0fa1fcb3723836a7459e69649ce6482c8f360a8a0b674f0e461d2f82f437104c13e1e96c2d7806d72016162361a440ac59ccd9090d4

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      15KB

                      MD5

                      733721e025f300c5a1713019ca255cf9

                      SHA1

                      fe25c79e8dbccbe9a31ed37b8f5dbd81215573d0

                      SHA256

                      771242f1addc7487ff4a38aff81191cc583efe3e771e77ba805bc2567e6d198f

                      SHA512

                      2298a1a5440cf71b649da78a66fd1ea78f7ec4f5fceb712b30173a6cbb2e9e116c3f4274155c2040accbdd9065e4ba8a6a18e995a46bbdcb8155d8d78c45acaa

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      944B

                      MD5

                      6d3e9c29fe44e90aae6ed30ccf799ca8

                      SHA1

                      c7974ef72264bbdf13a2793ccf1aed11bc565dce

                      SHA256

                      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                      SHA512

                      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      944B

                      MD5

                      67e8893616f805af2411e2f4a1411b2a

                      SHA1

                      39bf1e1a0ddf46ce7c136972120f512d92827dcd

                      SHA256

                      ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

                      SHA512

                      164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bms00v0h.jwv.ps1

                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    • C:\Users\Admin\AppData\Local\Temp\eigjvr.exe

                      Filesize

                      617KB

                      MD5

                      06b3d03afc084f00d61aa01e4f3fc80f

                      SHA1

                      e7d831548c5ddf575ecc0d635b00186565f93650

                      SHA256

                      79e062981eefa719b51f0be14bb9e86650e406e92b448ff40748b04244823e9b

                      SHA512

                      7accc0b3836b29e3d0bccde1d3ea5b9437468ffe76d83f27af730b84fa87a38cca1258ced530aae96a0772b181f9cbd01c0504fad7c182f5fe7cf2c004bf1903

                    • C:\Users\Admin\AppData\Local\Temp\fnhvmp.exe

                      Filesize

                      411KB

                      MD5

                      6dd1839d773d8a3103d2f0fc787ddbbe

                      SHA1

                      d22899d1ae01359e7c08fbda233d16b850da0a9e

                      SHA256

                      ef8a0def4681e3cd0c7e17f942f6621d7bc2d5f10481f228dbdd1b03349b0fdd

                      SHA512

                      a1a84832066080e37ec663b4e305ead319a74223f566c0a0a48d50dc4f10e8fc043bf185fe58f6e0e90a073641ed4a38656f3de5218744d084b6a89e73fc8514

                    • C:\Users\Admin\AppData\Local\Temp\tmp5F90.tmp.bat

                      Filesize

                      171B

                      MD5

                      6fa10e887c9389d888614b8bece7fdd5

                      SHA1

                      26f7db98803dbaf265142407673c929aed6277e0

                      SHA256

                      92fb2ee3534954ca158ccc3404b1bda4351736840fa7fa658afc40b29bc38bf5

                      SHA512

                      869c2e28735441bb45a3a14e186af10693488d83b60e12147e87e2df58a94da3783851ad8972198048e854058ac30d1ca17c7dd3a38f6dac54792c563ce8b7c7

                    • memory/632-8-0x000001CE62740000-0x000001CE62762000-memory.dmp

                      Filesize

                      136KB

                    • memory/632-18-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/632-7-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/632-22-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/632-6-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/980-42-0x00000289A6710000-0x00000289A6774000-memory.dmp

                      Filesize

                      400KB

                    • memory/980-41-0x00000289A4B60000-0x00000289A4B6C000-memory.dmp

                      Filesize

                      48KB

                    • memory/1264-91-0x0000000006A10000-0x0000000006A1A000-memory.dmp

                      Filesize

                      40KB

                    • memory/1264-80-0x0000000000400000-0x000000000044A000-memory.dmp

                      Filesize

                      296KB

                    • memory/1264-83-0x0000000006F30000-0x000000000745C000-memory.dmp

                      Filesize

                      5.2MB

                    • memory/1264-82-0x00000000066D0000-0x0000000006720000-memory.dmp

                      Filesize

                      320KB

                    • memory/1264-81-0x0000000006830000-0x00000000069F2000-memory.dmp

                      Filesize

                      1.8MB

                    • memory/1596-113-0x0000000006440000-0x000000000645E000-memory.dmp

                      Filesize

                      120KB

                    • memory/1596-101-0x0000000005D70000-0x0000000005DD6000-memory.dmp

                      Filesize

                      408KB

                    • memory/1596-116-0x00000000074F0000-0x000000000750A000-memory.dmp

                      Filesize

                      104KB

                    • memory/1596-115-0x0000000007570000-0x0000000007606000-memory.dmp

                      Filesize

                      600KB

                    • memory/1596-99-0x00000000054F0000-0x0000000005B18000-memory.dmp

                      Filesize

                      6.2MB

                    • memory/1596-114-0x00000000064E0000-0x000000000652C000-memory.dmp

                      Filesize

                      304KB

                    • memory/1596-98-0x0000000004E80000-0x0000000004EB6000-memory.dmp

                      Filesize

                      216KB

                    • memory/1596-111-0x0000000005FC0000-0x0000000006314000-memory.dmp

                      Filesize

                      3.3MB

                    • memory/1596-117-0x0000000007540000-0x0000000007562000-memory.dmp

                      Filesize

                      136KB

                    • memory/1596-100-0x0000000005CD0000-0x0000000005CF2000-memory.dmp

                      Filesize

                      136KB

                    • memory/2020-19-0x0000000000400000-0x000000000040E000-memory.dmp

                      Filesize

                      56KB

                    • memory/2020-26-0x0000000006490000-0x0000000006522000-memory.dmp

                      Filesize

                      584KB

                    • memory/2020-37-0x0000000006A20000-0x0000000006A2E000-memory.dmp

                      Filesize

                      56KB

                    • memory/2020-25-0x0000000005970000-0x00000000059D6000-memory.dmp

                      Filesize

                      408KB

                    • memory/2020-27-0x0000000006AE0000-0x0000000007084000-memory.dmp

                      Filesize

                      5.6MB

                    • memory/2020-23-0x0000000005290000-0x000000000532C000-memory.dmp

                      Filesize

                      624KB

                    • memory/2324-88-0x00000000064A0000-0x00000000064BE000-memory.dmp

                      Filesize

                      120KB

                    • memory/2324-86-0x00000000064C0000-0x0000000006536000-memory.dmp

                      Filesize

                      472KB

                    • memory/2324-92-0x0000000006960000-0x00000000069C2000-memory.dmp

                      Filesize

                      392KB

                    • memory/2324-67-0x0000000000400000-0x0000000000412000-memory.dmp

                      Filesize

                      72KB

                    • memory/2324-90-0x00000000067F0000-0x00000000067FA000-memory.dmp

                      Filesize

                      40KB

                    • memory/2324-89-0x0000000006850000-0x0000000006890000-memory.dmp

                      Filesize

                      256KB

                    • memory/2324-87-0x0000000006740000-0x00000000067DC000-memory.dmp

                      Filesize

                      624KB

                    • memory/2340-54-0x000001F709570000-0x000001F70960C000-memory.dmp

                      Filesize

                      624KB

                    • memory/2340-53-0x000001F7079B0000-0x000001F7079B6000-memory.dmp

                      Filesize

                      24KB

                    • memory/3132-0-0x00007FFEC95C3000-0x00007FFEC95C5000-memory.dmp

                      Filesize

                      8KB

                    • memory/3132-4-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/3132-2-0x000001E633E10000-0x000001E633E86000-memory.dmp

                      Filesize

                      472KB

                    • memory/3132-3-0x000001E632450000-0x000001E63246E000-memory.dmp

                      Filesize

                      120KB

                    • memory/3132-5-0x000001E632470000-0x000001E6324D0000-memory.dmp

                      Filesize

                      384KB

                    • memory/3132-24-0x00007FFEC95C0000-0x00007FFECA081000-memory.dmp

                      Filesize

                      10.8MB

                    • memory/3132-1-0x000001E632060000-0x000001E632066000-memory.dmp

                      Filesize

                      24KB