Overview

overview

10

Static

static

3

Your file ...re.exe

windows7-x64

10

Your file ...re.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 09:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Your file name without extension goes here.exe

  • Size

    378KB

  • MD5

    fbf8e3dc8cbcf036474e0a43a27aa8bd

  • SHA1

    ae8404bdaa3c6a8e115f208f4a63d971061045f9

  • SHA256

    8d36854957eabf3fb5bc2f0021c00390ee3be13c6f2c1136e5235ef084af966e

  • SHA512

    4ae7440769fa33110d60a9a1194a5b4d8d6b5b5bd0f0434e2d669c685113ee4c2791791b529ab626d47b954378459d14dbccb55b74df1dbdfdf623d00cfb1caa

  • SSDEEP

    6144:XHmBiyDOQgsDHYlas0uVtudFt/St2QM8oEQk9rqOVKaohD+6WpR2JVmsS:WBiy6QgGeN0G+t6kAX9rKJ66gRH

Score
10/10
asyncratvipkeyloggerxwormdefaultcollectiondiscoveryevasionexecutionkeyloggerratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

69.174.100.131:7000

Mutex

MruG8tu9BvvVUsIA

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

69.174.100.131:6606

Mutex

abkZfsCYRZhk

Attributes
  • delay

    10

  • install

    false

  • install_file

    order.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detect Xworm Payload 5 IoCs
  • UAC bypass 3 TTPs 4 IoCs
    evasiontrojan
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 21 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe
    "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2260
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Users\Admin\AppData\Local\Temp\xxpyxg.exe
        "C:\Users\Admin\AppData\Local\Temp\xxpyxg.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2844
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\xxpyxg.exe" -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1932
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
          4⤵
            PID:2416
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
            4⤵
              PID:2240
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
              4⤵
              • Accesses Microsoft Outlook profiles
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:1768
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2844 -s 884
              4⤵
              • Loads dropped DLL
              PID:2336
          • C:\Users\Admin\AppData\Local\Temp\dzdtrr.exe
            "C:\Users\Admin\AppData\Local\Temp\dzdtrr.exe"
            3⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2176
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dzdtrr.exe" -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1640
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2128
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\shcfrz.exe"' & exit
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2672
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\shcfrz.exe"'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3048
                  • C:\Users\Admin\AppData\Local\Temp\shcfrz.exe
                    "C:\Users\Admin\AppData\Local\Temp\shcfrz.exe"
                    7⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of SetThreadContext
                    • System policy modification
                    PID:2980
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shcfrz.exe" -Force
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2876
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                      8⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1244
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -u -p 2980 -s 808
                      8⤵
                      • Loads dropped DLL
                      PID:900
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp13AC.tmp.bat""
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2688
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Delays execution with timeout.exe
                  PID:2652
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2176 -s 764
              4⤵
              • Loads dropped DLL
              PID:2296
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1596 -s 812
          2⤵
            PID:2460

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          Filesize

          342B

          MD5

          68b4099b2b0cbe77c17cb06296c00b9c

          SHA1

          6b1baa9616c7433e43edd34b51c1fed65a9b00d0

          SHA256

          cf25766fef8cc1a78727c673cc2ce653a866f6cad9545db911bcea4503ce29b7

          SHA512

          d1f9f500db0ca5fff08c8925f2cbe97fb2f6524b4e048bbc88a1f198910dcb4dba9f5961645094f45c0a455a19eb4f4c1f0ff6530927af76edebf4df4924962c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CabCD01.tmp
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\TarE2F5.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp13AC.tmp.bat
          Filesize

          178B

          MD5

          a737984f921b85032260077ffafe00fe

          SHA1

          1aa9525ea98a931bb3ffcc771afecc55442d87cb

          SHA256

          12b63ffdeabb2f38cc8bd1cfccce9f372b6e4d4ce57b7d9d9ff6cd3fd76dec6e

          SHA512

          ec47f8207f85bc851771ef1cb8fcd218f31d8b0a82cf168498b867dce89fddd2bed119b590ed797fa7cfe20b721d453cf6c6b2eeaa1ffbf862d8b521aa49f236

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A6HL5O2BGHXI0XDVD9DS.temp
          Filesize

          7KB

          MD5

          9a27a6b03f3e3e9746fadeb806ac9141

          SHA1

          66dbb966f9694a4aae06c83e326e09b047790ee9

          SHA256

          e4e7995b36a4c1d4288e9089511eb40446515f5c100c4c30d6d0963548886b84

          SHA512

          654aa1b12a820c2f10c4aee7f89645be6d81e51130503a8820b3b9c8051fe94d90283a277d4aeb3c349c3f540170e14a00e74245eb5344bf7cfc91fa494bb0cd

          Download Submit

        • \Users\Admin\AppData\Local\Temp\dzdtrr.exe
          Filesize

          411KB

          MD5

          6dd1839d773d8a3103d2f0fc787ddbbe

          SHA1

          d22899d1ae01359e7c08fbda233d16b850da0a9e

          SHA256

          ef8a0def4681e3cd0c7e17f942f6621d7bc2d5f10481f228dbdd1b03349b0fdd

          SHA512

          a1a84832066080e37ec663b4e305ead319a74223f566c0a0a48d50dc4f10e8fc043bf185fe58f6e0e90a073641ed4a38656f3de5218744d084b6a89e73fc8514

          Download Submit

        • \Users\Admin\AppData\Local\Temp\xxpyxg.exe
          Filesize

          617KB

          MD5

          06b3d03afc084f00d61aa01e4f3fc80f

          SHA1

          e7d831548c5ddf575ecc0d635b00186565f93650

          SHA256

          79e062981eefa719b51f0be14bb9e86650e406e92b448ff40748b04244823e9b

          SHA512

          7accc0b3836b29e3d0bccde1d3ea5b9437468ffe76d83f27af730b84fa87a38cca1258ced530aae96a0772b181f9cbd01c0504fad7c182f5fe7cf2c004bf1903

          Download Submit

        • memory/1244-171-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1596-1-0x00000000011B0000-0x00000000011B6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1596-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1596-3-0x0000000000260000-0x00000000002C0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1596-2-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1596-23-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/1640-90-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1640-89-0x000000001B760000-0x000000001BA42000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1768-59-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1768-61-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1768-50-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1768-52-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1768-54-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1768-56-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1768-58-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1768-60-0x0000000000400000-0x000000000044A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/1932-48-0x000000001B7A0000-0x000000001BA82000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1932-49-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2128-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2128-67-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2128-128-0x0000000005590000-0x00000000055F2000-memory.dmp

          Filesize

          392KB

          Download

        • memory/2128-127-0x00000000006B0000-0x00000000006BA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2128-126-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2128-107-0x0000000006260000-0x00000000062FC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2128-69-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2128-71-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2128-76-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2128-78-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2128-77-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2128-73-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2176-41-0x0000000001160000-0x000000000116C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2176-42-0x0000000000480000-0x00000000004E4000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2260-8-0x0000000002D40000-0x0000000002DC0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2260-21-0x000000001B630000-0x000000001B912000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2260-22-0x0000000001E80000-0x0000000001E88000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2844-32-0x0000000000F10000-0x0000000000F16000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2844-33-0x000000001A770000-0x000000001A80C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2876-186-0x0000000001E90000-0x0000000001E98000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2876-185-0x000000001B730000-0x000000001BA12000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2904-11-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2904-24-0x00000000003E0000-0x00000000003EE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2904-20-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2904-13-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2904-15-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2904-9-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2904-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2904-18-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2904-19-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2980-162-0x0000000000F90000-0x0000000000F9C000-memory.dmp

          Filesize

          48KB

          Download