Analysis

  • max time kernel
    127s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 09:19

General

  • Target

    Your file name without extension goes here.exe

  • Size

    378KB

  • MD5

    fbf8e3dc8cbcf036474e0a43a27aa8bd

  • SHA1

    ae8404bdaa3c6a8e115f208f4a63d971061045f9

  • SHA256

    8d36854957eabf3fb5bc2f0021c00390ee3be13c6f2c1136e5235ef084af966e

  • SHA512

    4ae7440769fa33110d60a9a1194a5b4d8d6b5b5bd0f0434e2d669c685113ee4c2791791b529ab626d47b954378459d14dbccb55b74df1dbdfdf623d00cfb1caa

  • SSDEEP

    6144:XHmBiyDOQgsDHYlas0uVtudFt/St2QM8oEQk9rqOVKaohD+6WpR2JVmsS:WBiy6QgGeN0G+t6kAX9rKJ66gRH

Malware Config

Extracted

Family

xworm

Version

5.0

C2

69.174.100.131:7000

Mutex

MruG8tu9BvvVUsIA

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

69.174.100.131:6606

Mutex

abkZfsCYRZhk

Attributes
  • delay

    10

  • install

    false

  • install_file

    order.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Detect Xworm Payload 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Vipkeylogger family
  • Windows security bypass 2 TTPs 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 5 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe
    "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4120
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Users\Admin\AppData\Local\Temp\lwtofp.exe
        "C:\Users\Admin\AppData\Local\Temp\lwtofp.exe"
        3⤵
        • UAC bypass
        • Windows security bypass
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2540
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\lwtofp.exe" -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1724
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          4⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:3684
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          4⤵
            PID:4244
        • C:\Users\Admin\AppData\Local\Temp\kombhd.exe
          "C:\Users\Admin\AppData\Local\Temp\kombhd.exe"
          3⤵
          • UAC bypass
          • Windows security bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Windows security modification
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\kombhd.exe" -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4660
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            4⤵
              PID:316
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
              4⤵
                PID:3300
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:4172
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                4⤵
                  PID:1036
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              2⤵
                PID:1496

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              944B

              MD5

              77d622bb1a5b250869a3238b9bc1402b

              SHA1

              d47f4003c2554b9dfc4c16f22460b331886b191b

              SHA256

              f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

              SHA512

              d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              232B

              MD5

              5fb40c2d4e526e57f24d6bc2022a39e9

              SHA1

              d7a6c5d08af0c2f5bf02e0943b79bc763d27b0f1

              SHA256

              7678d3c0b4f13b796ebb344b3817741991d3ff815d01586e94120a890a97530a

              SHA512

              7f26bb7a68c2723c0d9354584827476ea157ce2811e7b81fc28120bd7a186db4a84fdcdecfc8bf04b0b676e72b707c61c131d357f7c3aa84d332d7ca1fe29ba4

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3gm0z4uf.130.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\kombhd.exe

              Filesize

              411KB

              MD5

              6dd1839d773d8a3103d2f0fc787ddbbe

              SHA1

              d22899d1ae01359e7c08fbda233d16b850da0a9e

              SHA256

              ef8a0def4681e3cd0c7e17f942f6621d7bc2d5f10481f228dbdd1b03349b0fdd

              SHA512

              a1a84832066080e37ec663b4e305ead319a74223f566c0a0a48d50dc4f10e8fc043bf185fe58f6e0e90a073641ed4a38656f3de5218744d084b6a89e73fc8514

            • C:\Users\Admin\AppData\Local\Temp\lwtofp.exe

              Filesize

              617KB

              MD5

              06b3d03afc084f00d61aa01e4f3fc80f

              SHA1

              e7d831548c5ddf575ecc0d635b00186565f93650

              SHA256

              79e062981eefa719b51f0be14bb9e86650e406e92b448ff40748b04244823e9b

              SHA512

              7accc0b3836b29e3d0bccde1d3ea5b9437468ffe76d83f27af730b84fa87a38cca1258ced530aae96a0772b181f9cbd01c0504fad7c182f5fe7cf2c004bf1903

            • memory/376-31-0x0000000006810000-0x000000000681E000-memory.dmp

              Filesize

              56KB

            • memory/376-6-0x0000000000400000-0x000000000040E000-memory.dmp

              Filesize

              56KB

            • memory/376-28-0x0000000006A40000-0x0000000006FE4000-memory.dmp

              Filesize

              5.6MB

            • memory/376-27-0x00000000063F0000-0x0000000006482000-memory.dmp

              Filesize

              584KB

            • memory/376-19-0x0000000005300000-0x000000000539C000-memory.dmp

              Filesize

              624KB

            • memory/376-21-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

              Filesize

              4KB

            • memory/376-26-0x0000000005A10000-0x0000000005A76000-memory.dmp

              Filesize

              408KB

            • memory/440-55-0x0000022CA8EC0000-0x0000022CA8F24000-memory.dmp

              Filesize

              400KB

            • memory/440-53-0x0000022CA71A0000-0x0000022CA71AC000-memory.dmp

              Filesize

              48KB

            • memory/2540-42-0x0000015DFDBA0000-0x0000015DFDBA6000-memory.dmp

              Filesize

              24KB

            • memory/2540-54-0x0000015D98340000-0x0000015D983DC000-memory.dmp

              Filesize

              624KB

            • memory/3684-56-0x0000000000400000-0x000000000044A000-memory.dmp

              Filesize

              296KB

            • memory/3684-81-0x0000000006480000-0x0000000006642000-memory.dmp

              Filesize

              1.8MB

            • memory/3684-82-0x0000000006300000-0x0000000006350000-memory.dmp

              Filesize

              320KB

            • memory/3684-83-0x0000000006B80000-0x00000000070AC000-memory.dmp

              Filesize

              5.2MB

            • memory/3684-90-0x0000000006450000-0x000000000645A000-memory.dmp

              Filesize

              40KB

            • memory/4120-20-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

              Filesize

              10.8MB

            • memory/4120-18-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

              Filesize

              10.8MB

            • memory/4120-7-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

              Filesize

              10.8MB

            • memory/4120-17-0x000001CA5F940000-0x000001CA5F962000-memory.dmp

              Filesize

              136KB

            • memory/4120-24-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

              Filesize

              10.8MB

            • memory/4172-87-0x0000000006770000-0x000000000680C000-memory.dmp

              Filesize

              624KB

            • memory/4172-80-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

            • memory/4172-86-0x00000000066F0000-0x0000000006766000-memory.dmp

              Filesize

              472KB

            • memory/4172-88-0x00000000066D0000-0x00000000066EE000-memory.dmp

              Filesize

              120KB

            • memory/4172-89-0x0000000006880000-0x00000000068E2000-memory.dmp

              Filesize

              392KB

            • memory/4960-2-0x0000021873150000-0x00000218731C6000-memory.dmp

              Filesize

              472KB

            • memory/4960-1-0x0000021871520000-0x0000021871526000-memory.dmp

              Filesize

              24KB

            • memory/4960-3-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

              Filesize

              10.8MB

            • memory/4960-0-0x00007FF865413000-0x00007FF865415000-memory.dmp

              Filesize

              8KB

            • memory/4960-25-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

              Filesize

              10.8MB

            • memory/4960-4-0x0000021871900000-0x000002187191E000-memory.dmp

              Filesize

              120KB

            • memory/4960-5-0x0000021871920000-0x0000021871980000-memory.dmp

              Filesize

              384KB