Analysis

  • max time kernel
    118s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-12-2024 09:10

General

  • Target

    Payment.exe

  • Size

    940KB

  • MD5

    ad45a46cc2809a1244ba4a05b2411096

  • SHA1

    873324976c33ea8870e5fd68a5913a924b2932ae

  • SHA256

    1ca25ad8f6c161c67a4b78ab8aca6f8795210dfe17555d5448302d5054af3f0b

  • SHA512

    e5eb407686c3fae6d2c26c20b789aa6427ef86d64acc19a611fb8a4b0d23112ed194bebbb1837610579498e9ec0bdfdc4871cd986d011b4e2279e6c819900e26

  • SSDEEP

    24576:fu6J33O0c+JY5UZ+XC0kGso6FaCSS4R1WY:pu0c++OCvkGs9FaCSSTY

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

69.174.100.131:6606

Mutex

abkZfsCYRZhk

Attributes
  • delay

    10

  • install

    false

  • install_file

    order.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763
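
The two C2 channels in the configs above are worth matching in network telemetry as a pair: a raw TCP session to the AsyncRAT endpoint and HTTPS requests to the Telegram Bot API for VIPKeylogger. The script below is an added example, not part of the report or of any vendor tool. It parses Bot API URLs of the shape shown (https://api.telegram.org/bot<bot_id>:<secret>/<method>?chat_id=<id>) so the numeric bot ID and chat ID can be recorded and pivoted on while the secret is redacted before it reaches a ticket, and it matches the AsyncRAT ip:port. The flow records are constructed in a key=value format for this example, the destination addresses other than the C2 are documentation space, and the bot token in them is a dummy, not the one extracted above.

```python
"""Network IOC matching for the AsyncRAT TCP C2 and the VIPKeylogger Telegram channel.

Added example; the log lines and the bot token below are constructed, not sandbox output.
"""
import re
from urllib.parse import urlsplit, parse_qs

ASYNCRAT_C2 = ("69.174.100.131", 6606)  # from the AsyncRAT config above
# Bot API path: /bot<numeric bot id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")


def parse_telegram_bot_url(url: str):
    """Return bot_id, redacted secret, method and chat_id, or None if this is not a Bot API call."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if not m:
        return None
    secret = m["secret"]
    chat = parse_qs(u.query).get("chat_id", [None])[0]
    return {
        "bot_id": m["bot_id"],
        # keep a short prefix for correlation, never the full token
        "secret_redacted": secret[:4] + "*" * (len(secret) - 4),
        "method": m["method"],
        "chat_id": chat,
    }


# Constructed flow records (not from the sandbox); 203.0.113.0/24 is documentation space.
LOG = """\
ts=1733994612 proto=tcp src=10.0.0.15:49731 dst=69.174.100.131:6606 bytes_out=1204
ts=1733994620 proto=tcp src=10.0.0.15:49733 dst=203.0.113.7:443 host=update.example.net
ts=1733994655 proto=tcp src=10.0.0.15:49740 dst=203.0.113.9:443 host=api.telegram.org url=https://api.telegram.org/bot1234567890:AAEXAMPLEtokenNOTreal_abc/sendMessage?chat_id=111222333
ts=1733994701 proto=tcp src=10.0.0.15:49742 dst=203.0.113.9:443 host=api.telegram.org url=https://api.telegram.org/bot1234567890:AAEXAMPLEtokenNOTreal_abc/sendDocument?chat_id=111222333
"""


def parse_record(line: str) -> dict:
    """Split one key=value flow record; values never contain spaces in this format."""
    fields = {}
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
    return fields


def scan(log_text: str) -> list:
    """Return one finding per record that hits the AsyncRAT C2 or a Telegram Bot API call."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        ip, _, port = rec.get("dst", "").rpartition(":")
        if port.isdigit() and (ip, int(port)) == ASYNCRAT_C2:
            findings.append({"ts": rec["ts"], "ioc": "asyncrat_c2", "dst": rec["dst"]})
        tg = parse_telegram_bot_url(rec["url"]) if "url" in rec else None
        if tg:
            findings.append({"ts": rec["ts"], "ioc": "telegram_bot_exfil", **tg})
    return findings


if __name__ == "__main__":
    for finding in scan(LOG):
        print(finding)
```

The numeric part before the colon is the bot's user ID and survives a token rotation, so it is the better long-lived indicator; the chat_id identifies where the stolen data lands. The URL is only visible where TLS is terminated (proxy or endpoint telemetry); on plain flow data the hostname api.telegram.org from a process that has no business talking to Telegram is the signal.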

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

  • Vipkeylogger family
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Start PowerShell.

  • Suspicious use of SetThreadContext 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Local\ophiolatrous\phytographic.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vmubku.exe"' & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vmubku.exe"'
            5⤵
            • Loads dropped DLL
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2116
            • C:\Users\Admin\AppData\Local\Temp\vmubku.exe
              "C:\Users\Admin\AppData\Local\Temp\vmubku.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1848
              • C:\Users\Admin\AppData\Local\roundup\hepatoduodenostomy.exe
                "C:\Users\Admin\AppData\Local\Temp\vmubku.exe"
                7⤵
                • Drops startup file
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:896
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  "C:\Users\Admin\AppData\Local\Temp\vmubku.exe"
                  8⤵
                  • Accesses Microsoft Outlook profiles
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • outlook_office_path
                  • outlook_win_path
                  PID:2464
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\scpvgi.exe"' & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1360
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\scpvgi.exe"'
            5⤵
            • Loads dropped DLL
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2188
            • C:\Users\Admin\AppData\Local\Temp\scpvgi.exe
              "C:\Users\Admin\AppData\Local\Temp\scpvgi.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:1792
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                "C:\Users\Admin\AppData\Local\Temp\scpvgi.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2324
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp67A9.tmp.bat""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1264
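
Three things in the tree above translate directly into process-creation rules: RegSvcs.exe (and the copied AutoIt binary) runs under a command line that names a different executable, which is what the SetThreadContext/MapViewOfSection signatures are flagging (a process started suspended and its image replaced); PowerShell is launched with an en-dash (U+2013) in front of ExecutionPolicy, which PowerShell accepts as a parameter prefix but a literal "-ExecutionPolicy" string match misses; and the cmd.exe "/c start /b powershell" launcher plus the %TEMP% batch file that drives timeout.exe. The script below is an added example, not part of the report or of any vendor product. It runs those rules over records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage, ParentCommandLine); the EVENTS list is constructed from the process list above, not raw sandbox output, and the last entry is a benign control.

```python
"""Process-creation rules for the execution chain above (added example; events are constructed)."""
import re
from ntpath import basename

EN_DASH = "\u2013"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed from the report's process list, in the shape Sysmon EID 1 would log them.
EVENTS = [
    {"Image": REGSVCS,
     "CommandLine": f'"{TEMP}\\Payment.exe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\ophiolatrous\phytographic.exe"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c start /b powershell {EN_DASH}ExecutionPolicy Bypass '
                    f'Start-Process -FilePath \'"{TEMP}\\vmubku.exe"\' & exit',
     "ParentImage": REGSVCS},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f'powershell {EN_DASH}ExecutionPolicy Bypass Start-Process -FilePath \'"{TEMP}\\vmubku.exe"\'',
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"Image": r"C:\Windows\SysWOW64\timeout.exe",
     "CommandLine": "timeout 2",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentCommandLine": f'cmd /c ""{TEMP}\\tmp67A9.tmp.bat""'},
    {"Image": REGSVCS,  # benign control: RegSvcs started under its own path
     "CommandLine": f'"{REGSVCS}" /u Component.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# PowerShell treats hyphen, en dash, em dash and minus sign alike as parameter prefixes.
DASHES = str.maketrans({"\u2010": "-", "\u2013": "-", "\u2014": "-", "\u2212": "-"})
PS_BYPASS = re.compile(r"(?:^|\s)-e[a-z]*\s+bypass")      # -ExecutionPolicy, -ep, -exec ...
CMD_LAUNCHER = re.compile(r"/c\s+start\s+/b\s+powershell")
TEMP_BAT = re.compile(r"\\temp\\tmp[0-9a-f]+\.tmp\.bat")


def normalize(cmdline: str) -> str:
    """Fold Unicode dashes to '-' and lower-case before any string matching."""
    return cmdline.translate(DASHES).lower()


def first_token(cmdline: str) -> str:
    """The executable named by the command line; honours a quoted Windows path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(maxsplit=1)[0] if s else ""


def stem(path: str) -> str:
    """Lower-cased file name without a trailing .exe, so 'cmd' and 'cmd.exe' compare equal."""
    name = basename(path).lower()
    return name[:-4] if name.endswith(".exe") else name


def analyze(event: dict) -> list:
    """Return the rule names this event triggers (empty list for a clean event)."""
    hits = []
    image = stem(event["Image"])
    cmd = event["CommandLine"]
    norm = normalize(cmd)
    named = stem(first_token(cmd))
    # 1. Image on disk and executable named in the command line disagree (hollowing pattern).
    if named and named != image:
        hits.append(f"image_cmdline_mismatch:{image}<-{named}")
    # 2. ExecutionPolicy bypass, checked after dash normalisation.
    if image == "powershell" and PS_BYPASS.search(norm):
        hits.append("powershell_executionpolicy_bypass")
        if norm != cmd.lower():
            hits.append("unicode_dash_in_parameters")
    # 3. cmd.exe /c start /b powershell launcher.
    if image == "cmd" and CMD_LAUNCHER.search(norm):
        hits.append("cmd_start_b_powershell")
    # 4. timeout.exe driven by a tmpXXXX.tmp.bat in %TEMP% (delay/restart batch).
    parent = stem(event.get("ParentImage", ""))
    if image == "timeout" and parent == "cmd" and TEMP_BAT.search(normalize(event.get("ParentCommandLine", ""))):
        hits.append("temp_bat_timeout_delay")
    return hits


def scan(events: list) -> dict:
    """Map event index -> hits for every event that triggered at least one rule."""
    return {i: h for i, e in enumerate(events) if (h := analyze(e))}


if __name__ == "__main__":
    for i, hits in scan(EVENTS).items():
        print(i, basename(EVENTS[i]["Image"]), hits)
```

Rule 1 is the one to keep: it needs no IOC and fires on any hollowed host process regardless of which .NET utility the loader picks, at the cost of a small whitelist for legitimate tools that rewrite their own command line. The dash normalisation belongs in front of every PowerShell string rule, not only this one.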

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5ebbaafc8b0a75286372412c9d2614f6

    SHA1

    3102be2cf3768e969a746edfb369ddaa3bacf3b4

    SHA256

    7ee859c6ec72508a4c9be52da9a55196bffa1407358efec09e73a92c0af291af

    SHA512

    95dd217d84620c6361333f66feae377f095dfb790e0e0c39046711f0cfa9eb5f052650e965d018452eebef4a3bf5e5cf260cb80d89b8a300280f697897940445

  • C:\Users\Admin\AppData\Local\Temp\CabE9A6.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarF6C3.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\Wauseon

    Filesize

    45KB

    MD5

    4ebe3ecfa13ab54ec69f2f8aaf00147a

    SHA1

    02fcf24b7d8f574ccc2fcfc1137c186d8e30da4c

    SHA256

    fc968dcdac320c093d44d8d0f525e6c2c8aca24b4a963bba6b670d6a9b967e68

    SHA512

    953ad63bfdcc4ddb5740d41acc190807a164ad26a664928a6920461bcaaf7049207d337adf93b61fc0e55f743d5d2b08a8b43d1b29531535bc1a86a6930486eb

  • C:\Users\Admin\AppData\Local\Temp\aut68B2.tmp

    Filesize

    39KB

    MD5

    80285e6f5b3e501c9b58bdf7ca4744d6

    SHA1

    7a70a2f1957d7455cf917f7d968a279380fc8ad9

    SHA256

    b8fbfa44b152cb808a734dcd6c37fc32bc93a303038d5ba2103bcf96a4799831

    SHA512

    cb507bda241cd7dda4939d63a65329360e0f628e399407b2f66644cc314ab56e09453cb9f84e7589a9ed9ab48f563d071e54974f777a4a3102af2cc4ce398d37

  • C:\Users\Admin\AppData\Local\Temp\tmp67A9.tmp.bat

    Filesize

    171B

    MD5

    38084a264710cdf29e305885092f8c37

    SHA1

    c7c49a9997ef98608473b4e01e8baee3c9f5cbfe

    SHA256

    7fa7f74e664e5be842831844b67f9d8b02a7fd1c59cb9a800fc372d2b2863f42

    SHA512

    ee33c93f2275daac61ce4026cbc21424479a659b01be022c43d5330a15782b44b6777e1a20fd288f20c16cff802649be6c5c10d8cfb41821e04af36db15626b2

  • C:\Users\Admin\AppData\Local\Temp\vmubku.exe

    Filesize

    1.0MB

    MD5

    91dfac40de4fd2cc6c25c18821b1c32d

    SHA1

    d7aecab54b47e33237f4c471818e575e249b6ed3

    SHA256

    9e556bd58e397196b9056af3aa2477a11d5e67bfc0aaa8d42ab0f6b7d337559b

    SHA512

    795af30d6ce51e878ba1f9488c0d5470e2fe97a6b91fc90e371390f7d24b70b69f86ffdf4a4fb45648fcae104b04c1426e4e9e65405b31e3966575e3d73a3f8e

  • C:\Users\Admin\AppData\Local\ophiolatrous\phytographic.exe

    Filesize

    940KB

    MD5

    ad45a46cc2809a1244ba4a05b2411096

    SHA1

    873324976c33ea8870e5fd68a5913a924b2932ae

    SHA256

    1ca25ad8f6c161c67a4b78ab8aca6f8795210dfe17555d5448302d5054af3f0b

    SHA512

    e5eb407686c3fae6d2c26c20b789aa6427ef86d64acc19a611fb8a4b0d23112ed194bebbb1837610579498e9ec0bdfdc4871cd986d011b4e2279e6c819900e26

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    7b2088961a53eff460b43030160d55da

    SHA1

    ca1f3a5f5e9328ab8f5d7e45f1baf798177cf1f7

    SHA256

    4a588fd86e4bde018834ba0b35f31a4bcd2debf5de7d2b5fb28c15bd61f8e829

    SHA512

    e1b21d075bd92d01b10152fd1bb3a22c784855c6caa4eb6ad8b90731da76b5805f9db0d906c1758d7052b01c3e94eaa7c40bd5c154166f209a81cc3ec66b5a64

  • memory/2112-24-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2112-142-0x0000000074080000-0x000000007476E000-memory.dmp

    Filesize

    6.9MB

  • memory/2112-29-0x0000000074080000-0x000000007476E000-memory.dmp

    Filesize

    6.9MB

  • memory/2112-65-0x00000000041C0000-0x0000000004200000-memory.dmp

    Filesize

    256KB

  • memory/2112-66-0x0000000000B10000-0x0000000000B1A000-memory.dmp

    Filesize

    40KB

  • memory/2112-67-0x0000000074080000-0x000000007476E000-memory.dmp

    Filesize

    6.9MB

  • memory/2112-68-0x0000000005490000-0x00000000054F2000-memory.dmp

    Filesize

    392KB

  • memory/2112-28-0x000000007408E000-0x000000007408F000-memory.dmp

    Filesize

    4KB

  • memory/2112-26-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2112-27-0x000000007408E000-0x000000007408F000-memory.dmp

    Filesize

    4KB

  • memory/2112-46-0x0000000006010000-0x00000000060AC000-memory.dmp

    Filesize

    624KB

  • memory/2112-22-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2384-6-0x0000000000BB0000-0x0000000000FB0000-memory.dmp

    Filesize

    4.0MB

  • memory/2464-114-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/2464-115-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/2464-113-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/3032-20-0x0000000000C60000-0x0000000001060000-memory.dmp

    Filesize

    4.0MB