asyncrat | 09bba91a3346b026387e05f996f39b76e6c0e36596626640d436ee21c08acfe5

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Creative_Brift_Marketing/Potential products want to increase sales/job.ps1
Size

30.6MB
MD5

f01f7141f5dcb2161ee0701949f91e70
SHA1

28d2427ee1cd5f4c2a17f020bfaea95daece07d6
SHA256

68225e21f08b08bd1890e8e0a5d1b379cd9692a2c4a43bffd7ea6bee5e5b409d
SHA512

6cd177e2d4b385365eb9f549d2f869f1a40483e1c8a4fe0655146c7ca28090cdf14ac9c2a8a1cb7c385f6f824fe2da422b1714cb2ca851a0d1a18cb3be2a31e1
SSDEEP

49152:/0p9Wz0S8ygXipUpxf2H21a1RFvpB8ciXBXsdO6QKUP+Vzfcw3S6T3G4n/1kbC9z:5

Score

10^/10

asyncrat stormkitty discovery execution persistence rat stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral3/memory/2608-51-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral3/memory/2608-50-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty
behavioral3/memory/2608-49-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Executes dropped EXE 1 IoCs

pid	Process
2808	ChromeServices.exe

Loads dropped DLL 3 IoCs

pid	Process
2388	powershell.exe
2736	Process not Found
2808	ChromeServices.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeServices = "cmd.exe /C start \"\" /D \"C:\\Users\\Public\\Downloads\\ChromeServices\" \"C:\\Users\\Public\\Downloads\\ChromeServices\\ChromeServices.exe\""	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 2608	2808	ChromeServices.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2388	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2388	powershell.exe
2388	powershell.exe
2388	powershell.exe
2388	powershell.exe
2388	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2260	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2608	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	2608	AddInProcess32.exe
Token: SeSecurityPrivilege	2608	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	2608	AddInProcess32.exe
Token: SeLoadDriverPrivilege	2608	AddInProcess32.exe
Token: SeSystemProfilePrivilege	2608	AddInProcess32.exe
Token: SeSystemtimePrivilege	2608	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	2608	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	2608	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	2608	AddInProcess32.exe
Token: SeBackupPrivilege	2608	AddInProcess32.exe
Token: SeRestorePrivilege	2608	AddInProcess32.exe
Token: SeShutdownPrivilege	2608	AddInProcess32.exe
Token: SeDebugPrivilege	2608	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	2608	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	2608	AddInProcess32.exe
Token: SeUndockPrivilege	2608	AddInProcess32.exe
Token: SeManageVolumePrivilege	2608	AddInProcess32.exe
Token: 33	2608	AddInProcess32.exe
Token: 34	2608	AddInProcess32.exe
Token: 35	2608	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	2608	AddInProcess32.exe
Token: SeSecurityPrivilege	2608	AddInProcess32.exe
Token: SeTakeOwnershipPrivilege	2608	AddInProcess32.exe
Token: SeLoadDriverPrivilege	2608	AddInProcess32.exe
Token: SeSystemProfilePrivilege	2608	AddInProcess32.exe
Token: SeSystemtimePrivilege	2608	AddInProcess32.exe
Token: SeProfSingleProcessPrivilege	2608	AddInProcess32.exe
Token: SeIncBasePriorityPrivilege	2608	AddInProcess32.exe
Token: SeCreatePagefilePrivilege	2608	AddInProcess32.exe
Token: SeBackupPrivilege	2608	AddInProcess32.exe
Token: SeRestorePrivilege	2608	AddInProcess32.exe
Token: SeShutdownPrivilege	2608	AddInProcess32.exe
Token: SeDebugPrivilege	2608	AddInProcess32.exe
Token: SeSystemEnvironmentPrivilege	2608	AddInProcess32.exe
Token: SeRemoteShutdownPrivilege	2608	AddInProcess32.exe
Token: SeUndockPrivilege	2608	AddInProcess32.exe
Token: SeManageVolumePrivilege	2608	AddInProcess32.exe
Token: 33	2608	AddInProcess32.exe
Token: 34	2608	AddInProcess32.exe
Token: 35	2608	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2260	AcroRd32.exe
2260	AcroRd32.exe
2260	AcroRd32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2260	2388	powershell.exe	31
PID 2388 wrote to memory of 2260	2388	powershell.exe	31
PID 2388 wrote to memory of 2260	2388	powershell.exe	31
PID 2388 wrote to memory of 2260	2388	powershell.exe	31
PID 2388 wrote to memory of 2808	2388	powershell.exe	32
PID 2388 wrote to memory of 2808	2388	powershell.exe	32
PID 2388 wrote to memory of 2808	2388	powershell.exe	32
PID 2808 wrote to memory of 2608	2808	ChromeServices.exe	34
PID 2808 wrote to memory of 2608	2808	ChromeServices.exe	34
PID 2808 wrote to memory of 2608	2808	ChromeServices.exe	34
PID 2808 wrote to memory of 2608	2808	ChromeServices.exe	34
PID 2808 wrote to memory of 2608	2808	ChromeServices.exe	34
PID 2808 wrote to memory of 2608	2808	ChromeServices.exe	34
PID 2808 wrote to memory of 2608	2808	ChromeServices.exe	34
PID 2808 wrote to memory of 2608	2808	ChromeServices.exe	34
PID 2808 wrote to memory of 2608	2808	ChromeServices.exe	34

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Creative_Brift_Marketing\Potential products want to increase sales\job.ps1"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Creative Brift Marketing Sneaker Daily Deal.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2260
- C:\Users\Public\Downloads\ChromeServices\ChromeServices.exe
  "C:\Users\Public\Downloads\ChromeServices\ChromeServices.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d79186d3db5108c98facdc4fb0ed182f

SHA1
284015117786674052ca0d859b6d52119d48b337

SHA256
e942638a22dcd140fc8f2c66cbed5490e1d6476d63667b472f688d7466c45583

SHA512
314b18b2dd9749418bf49d716e737eb7ab3974da5b2f11ef5110ac4f146473513dacd28a254177bd40c8e1c13ffa95081c38c8b51119357e691a1be08f67a1fe

Download Submit
C:\Users\Admin\Downloads\Creative Brift Marketing Sneaker Daily Deal.pdf

Filesize
91KB

MD5
897417cce1edbd4222c6c8c5e0f1f7c8

SHA1
c52b4982eecbcc5e5491fac2aaf4d2fbbda1335c

SHA256
28b4bdc732553037551c304fe459634011011be7dcc4ed81979d4a07647e7cc8

SHA512
63b484dfc9ecaa485c666ec463113e1a5fa608283e993a1761d1ed905634602090339e68ea9e87616ed7c3a645538ba0d9e50427e62a4b646558bc57122cd4e5

Download Submit
C:\Users\Public\Downloads\ChromeServices\concrt140e.dll

Filesize
3.0MB

MD5
aab7a3b67b71bf0439627158323b502e

SHA1
db7eae4731c4749d21c6cc54a364bcf20c04934c

SHA256
39c9693c36f38a1b691eb3584c18f8550c08eb6a983c46cd46b476c8126ce8cc

SHA512
543fbb82d5e73c3df0dd19f4b71a2c19b78b3250192be5c1191a0c4d53348ca84fd975dbc938226b67a1aab9dcdeb2aa16eb8c39982215aef2bb6f857f2cf162

Download Submit
C:\Users\Public\Downloads\ChromeServices\libpsl-5.dll

Filesize
2.8MB

MD5
ebcf17abb78a21d5f3904c00a60e1e0a

SHA1
ec6525d3de6ebd4eedb8193707f24aba232581d7

SHA256
1099a52ceec00e3db7f704c5f0cea8c23af02490ade25243b7c90f1e870c2614

SHA512
5b965213f03406a22d9ffcfd18a716fee8851ca366960b888631f695fc74daf9dc33276004f00ef6df5ec5513a7409446d1104dbb3c872e614efbf2cdbd04fbd

Download Submit
\Users\Public\Downloads\ChromeServices\ChromeServices.exe

Filesize
67KB

MD5
d82b8f0cb601039af7c1968b0c92d09f

SHA1
b0105f082e10791e6703abbc064904be073dc79b

SHA256
962c0f879de9a12a78ea81536e7223ec7a7c8a9d5828871b6fdd26e649401755

SHA512
be063f8590951e8d4b6f1e69cac57a95d90d3ab96576545afe4141979d376c322047d0b73169140b22ef6d24a7e9c5b4fe09771a4fedfd36ce544befafa65e33

Download Submit
memory/2388-9-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2388-8-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2388-4-0x000007FEF5DCE000-0x000007FEF5DCF000-memory.dmp

Filesize
4KB

Download
memory/2388-7-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2388-6-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2388-47-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2388-5-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2608-51-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2608-50-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2608-49-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/2808-52-0x000000013F2E0000-0x000000013F2F4000-memory.dmp

Filesize
80KB

Download