asyncrat | e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096

Analysis

max time kernel
59s
max time network
27s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
Size

807KB
MD5

4b8e7f6468b4a846bfef152f20ad625c
SHA1

de6aba8a287228b428e40decb325c45fbe66c1ee
SHA256

e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096
SHA512

3280848a0fc1bfb29a0ed5e1a913f04d463a8b06039e02b5c88230ab5717059e0f1cb974d0bdb86643595b0640c16dbcf14e10eaf44b0bd1204b9375f9a58f80
SSDEEP

6144:iSncRl5sSeGlR9o1Re8XN6W8mmHPtppXPSi9b4fcSncRlrBoLp7ua9Q:P4IGlR9o1RrN6qatppXPm4RBYEa

Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7557878970:AAGK-77Z__cCdoMjeFBTGoWLVAg2XPHco-I/sendMessage?chat_id=8178371083

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001756b-8.dat	family_stormkitty
behavioral1/memory/2676-25-0x00000000008D0000-0x0000000000900000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000900000001756b-8.dat	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
2868	PROXYCHECKER-MASTERZ8.EXE
2676	SERVER BOT.EXE
2900	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE

Loads dropped DLL 4 IoCs

pid	Process
2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SERVER BOT.EXE
File opened for modification	C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SERVER BOT.EXE
File created	C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	SERVER BOT.EXE
File created	C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	SERVER BOT.EXE
File created	C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SERVER BOT.EXE

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER BOT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PROXYCHECKER-MASTERZ8.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3024	cmd.exe
1948	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	SERVER BOT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SERVER BOT.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06c51525b4edb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000921a16d580f144a2c114358586baef834b0822df26a19aafaf010a0dbe89b721000000000e800000000200002000000060e2b853ef375eca9896f16036daa5d1e8e9aa840aa480e8af2e5547f8c81b8b9000000020b43b569d33e0016e8004f57cc1cdcfa28d046c381d4f22ed4853013c083fc21c5dc308e8675f684ec67ff299df3e7b6fc22550f2d4e6ad2f463e527c127120a63479b10b3a37a26e3bad1ce6efe3737e93fa24b65ca5b3cc20f6e600e24111d93622792e38be3f4c384eb7527acfd2d812069e7ae4d384201dff1daa1356a2e821ea6021b5018e4c779d637d95b42040000000256e35fe71000e33c1aa350b67ff7321e6fe4a85bd5482bed2bfb1654a63c0ec72cbc1ed5d87df96cd9cbfd97f14ce6d9fe20a8227b2e0d4c01596f8c6916258	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000009ec7a7dafde58d958d7b4201dac290db462b5edc023dd2676b85d0c3a2fa91a7000000000e80000000020000200000006830670b39c92e047f4c3861cf7e5c10c1f8440f91162687d75d3fdfa4ba183320000000dade68f0f6fc6211fba2dec4296f2aaea8ef98ce098c1782d2929e43cc0d152d40000000b22771af164f59008991598fd094b0050177e76bc75576a0163d5a0072a51f8c976dc3db0a55e46147826d016fbc7ef4f22fa067162eb93ebe0720393bfb2569	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7D1B8651-BA4E-11EF-B4AF-66AD3A2062CD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2676	SERVER BOT.EXE
2676	SERVER BOT.EXE
2676	SERVER BOT.EXE
2676	SERVER BOT.EXE
2676	SERVER BOT.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	SERVER BOT.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2668	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2668	iexplore.exe
2668	iexplore.exe
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2868	2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	30
PID 2500 wrote to memory of 2868	2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	30
PID 2500 wrote to memory of 2868	2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	30
PID 2500 wrote to memory of 2868	2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	30
PID 2500 wrote to memory of 2676	2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	32
PID 2500 wrote to memory of 2676	2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	32
PID 2500 wrote to memory of 2676	2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	32
PID 2500 wrote to memory of 2676	2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	32
PID 2500 wrote to memory of 2900	2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	33
PID 2500 wrote to memory of 2900	2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	33
PID 2500 wrote to memory of 2900	2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	33
PID 2500 wrote to memory of 2900	2500	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	33
PID 2900 wrote to memory of 2668	2900	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE	34
PID 2900 wrote to memory of 2668	2900	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE	34
PID 2900 wrote to memory of 2668	2900	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE	34
PID 2900 wrote to memory of 2668	2900	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE	34
PID 2668 wrote to memory of 2720	2668	iexplore.exe	35
PID 2668 wrote to memory of 2720	2668	iexplore.exe	35
PID 2668 wrote to memory of 2720	2668	iexplore.exe	35
PID 2668 wrote to memory of 2720	2668	iexplore.exe	35
PID 2676 wrote to memory of 3024	2676	SERVER BOT.EXE	38
PID 2676 wrote to memory of 3024	2676	SERVER BOT.EXE	38
PID 2676 wrote to memory of 3024	2676	SERVER BOT.EXE	38
PID 2676 wrote to memory of 3024	2676	SERVER BOT.EXE	38
PID 3024 wrote to memory of 2176	3024	cmd.exe	40
PID 3024 wrote to memory of 2176	3024	cmd.exe	40
PID 3024 wrote to memory of 2176	3024	cmd.exe	40
PID 3024 wrote to memory of 2176	3024	cmd.exe	40
PID 3024 wrote to memory of 1948	3024	cmd.exe	41
PID 3024 wrote to memory of 1948	3024	cmd.exe	41
PID 3024 wrote to memory of 1948	3024	cmd.exe	41
PID 3024 wrote to memory of 1948	3024	cmd.exe	41
PID 3024 wrote to memory of 1656	3024	cmd.exe	42
PID 3024 wrote to memory of 1656	3024	cmd.exe	42
PID 3024 wrote to memory of 1656	3024	cmd.exe	42
PID 3024 wrote to memory of 1656	3024	cmd.exe	42
PID 2676 wrote to memory of 648	2676	SERVER BOT.EXE	43
PID 2676 wrote to memory of 648	2676	SERVER BOT.EXE	43
PID 2676 wrote to memory of 648	2676	SERVER BOT.EXE	43
PID 2676 wrote to memory of 648	2676	SERVER BOT.EXE	43
PID 648 wrote to memory of 524	648	cmd.exe	45
PID 648 wrote to memory of 524	648	cmd.exe	45
PID 648 wrote to memory of 524	648	cmd.exe	45
PID 648 wrote to memory of 524	648	cmd.exe	45
PID 648 wrote to memory of 2020	648	cmd.exe	46
PID 648 wrote to memory of 2020	648	cmd.exe	46
PID 648 wrote to memory of 2020	648	cmd.exe	46
PID 648 wrote to memory of 2020	648	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
"C:\Users\Admin\AppData\Local\Temp\e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\PROXYCHECKER-MASTERZ8.EXE
  "C:\Users\Admin\AppData\Local\Temp\PROXYCHECKER-MASTERZ8.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2176
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1948
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:524
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2020
- C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE
  "C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1e8b02935d93c6bb00b8e6f1d575f2d

SHA1
f9d82f6082ebfdaf36c36a399823f65c9572299b

SHA256
b3a184a2e51e91c0529597f798d1ba6cdbcdea7ebb3986a653ac08199c0177d4

SHA512
093020ae67c1d51788e37035237be8432fa1ca91412a9a327ba0ed7bae8d0a2e32cae2885fef7fe328864ad95fc54ea8f926894034aee8895f24cff367994908

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90dd083edd50cf886c6a85c2f78ac01c

SHA1
ac36ff263a11cd06d0fc4bc098e1969cfb48d9e4

SHA256
269a5f351929da394d0cbb47289e0f9489690db19c7552bb3e8f09760973447b

SHA512
e3cc8e8a9a98ccdf7dd619588e4c1b46785843ae058acb07f2a212e81dff5509918e68d470d96410c90f67b7c6a38f9562d98a9682f1783ab9bd4c1dac8160e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
898dd51414b198faaf47a06796b5b0fd

SHA1
4050618764e090af3898abf2492638248f7f4364

SHA256
2146b10f48936bc7cdc4ccc0ea02acc8e6883b2f8052b8dac37edff6699ea4c2

SHA512
f8a5957e384e43f8a4e3e3acf9acc0fbc5918109233e41eb8582380eab122a68a958c504188df543f9566d1c38a4c043ea6246b9ae3bbf6d1a6f5c2da486e177

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db13b0ab98065693c344495e270fc807

SHA1
ee2a822ff643b4fdb2b2ef3acaf2a3ab7dc1039e

SHA256
3dc16a07b8ad4d3e07e3f3bb56b21887b0ee14197ab117ed27a2a3c51bbfb210

SHA512
32e6c0f49f0b3dcf91a8937736bece9469f26ecd7ab190c082f89cc8227b5b3d48b989e8b0ecf2276ff46b8c593a530530a014847559b3aba168ec49e1231fef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27c1ad3a945a15f64ca2d927757dd85b

SHA1
7292f74f3c0d270e99a54cdcfae9d6ab26c32757

SHA256
56f68f4a59433fd1428b96c507f742101eac818f30d9575dad015c10bcf61f40

SHA512
7f60a892937d75be956c8b0db2e6b0dfb9625a4c2e92ae55efab56c77625a9fd0a3bbed5269b05ff9e6251c10208d85197d0aad0f99cb366ef064e48ec4d25d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b54917d7d6e423e516b3a255565514ae

SHA1
ade7bffa11687972778515e8708ad6b6383028db

SHA256
d673cc1315671e85498df73526e72115dbe93b2b434656971902f3e836767cc7

SHA512
47bca669f97d044bd147e80a46ddfe2f07536a02a9609f9fa43b96530eb579762bae1b68c626e4ffbb9db47cb16b0d68437d4cef47c3ddc0787891e22331c566

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
677202e299617324f73820dd81e3ffb3

SHA1
5b5f6247e8caa09aae93d36cc0b46a2f187048d4

SHA256
1f902694a1d436a05b7b58714f75180c6974176c9bb45e7d7f2bca1b649a4ce3

SHA512
4bb99cc4a29be8e2f00903bfb9c89f97c36d6f09e05b0fbc6dcd18adb0592488aae673cf82133b5ae4a1bf74bed7bb05570b345401d6298a0ca71e2447929c75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fa6445d667e70eb9203541333e101ae

SHA1
94bc20004c6e88cfc1aee5d6e82a492e5309cfc6

SHA256
b3ab80141d943ed7894324ec54d0e624eab5e973f6224604f68d31947f9517ef

SHA512
d433e4fd10208fa7f5a8db5bd92615e3c6691ae749a84539fdf1368d77c9369cd287f2bbd8df523b693ae4e57ba36be3071dccb6491547913e839a06d81036bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8886cc89898683da2641981678fca82

SHA1
f585a3ed318f0bc68c43fd084c1a695a7c05846f

SHA256
abfb0a60779eeecd653e05d431572a58f92dac598fdba6f116fd293451c778b7

SHA512
6787a059b28e3bcf3f7b4c40b9c7ba1aa28935fefd78d18060691b9cdf405ee317b832187db4a77e91740210cc784e998073a4d60b3e30888254d6da23c45799

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f04c4d333d2576319826f99b14289710

SHA1
4d25fd9d7803b964f6d5def98fc2b5b70fc29b9d

SHA256
1aba0308b1cfcbda4c937d8b3087542b3fde2876ce697f73b08a8ea71f647733

SHA512
a9eeba837b5a74f89a37f176b1495703e8b2603095e2377a37b32e863ec272875db3a9c26e937f2f53417dd3c1fe3e17a9a7f59486d9d36c506011c8fca12632

Download Submit
C:\Users\Admin\AppData\Local\63cc077a421cf2b870fcc7cfd7f12271\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7428.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML

Filesize
466KB

MD5
f9035161bd488986f5bac378372168cf

SHA1
7e6ceaffefb0529e72c1ded8c3b98230e85e2842

SHA256
17677889889bf300ebceb7b998ffef915ce1d7ae74ba106783afb569c8ec92d4

SHA512
cf1a25f5f728a4145e5f64c0f14f87beb5e6da8de8647330eb9322e9f4f15e0cb9b1f2d3aae72221e8359f747621d273f67755babf04dc8270122c273dd1da85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7519.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
\Users\Admin\AppData\Local\Temp\PROXYCHECKER-MASTERZ8.EXE

Filesize
65KB

MD5
047b902ab5e9a317eef11e6dcf4cfa8d

SHA1
e4212a9c195b85fd3409cd7dbba80dac9f66abfd

SHA256
e023315bebd54dbf73c6e2e92466edb8cc108e2c8b0658f3762d32447f6fd553

SHA512
900dcbe105b4b899afa9cfa92de0aa37bb05ad11fc425bb53ad6d3ed8dcebc9b6b67e2060fca78bddffb206c34fa5ebfe5fbf20996cfac0cc5aba7b1d5cf48fa

Download Submit
\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE

Filesize
170KB

MD5
2e7cb0a4c91b31337f17742a2f73aaf7

SHA1
08b2db3956a4af5671d374f62e753fdbeeb94d36

SHA256
c92ccebe416798a16a22f1f45978df59988b4219d118eb9d2100fabe2eb78c3b

SHA512
7487c1f068a3edf4ae74f08a27fde66888703b3ee5883f88774e477c7b645eff1b6a950354f391239aca82a5cf0b9d28a1ad8adbac4159cfd92dc31fa34fbcb2

Download Submit
\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE

Filesize
519KB

MD5
7c908443c3e7c8713df4d3482adc6a89

SHA1
545145ded60fd817d329062b6df4e12818c530d3

SHA256
f06f72d8206e8476e7bf3261b18d19a6ddd7e02aed0b69cc932c261a9da2b620

SHA512
76d90435d08992ac4343f4b1cb01944f2713dc67691bb7038643fc8b05f73bed75515a4d1000a6e44ad2c2a37508af7128c4e50b8c3064e0786e84099903c951

Download Submit
memory/2676-25-0x00000000008D0000-0x0000000000900000-memory.dmp

Filesize
192KB

Download
memory/2868-24-0x0000000001250000-0x0000000001266000-memory.dmp

Filesize
88KB

Download
memory/2868-27-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download