asyncrat | e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096

Analysis

max time kernel
148s
max time network
134s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
Size

807KB
MD5

4b8e7f6468b4a846bfef152f20ad625c
SHA1

de6aba8a287228b428e40decb325c45fbe66c1ee
SHA256

e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096
SHA512

3280848a0fc1bfb29a0ed5e1a913f04d463a8b06039e02b5c88230ab5717059e0f1cb974d0bdb86643595b0640c16dbcf14e10eaf44b0bd1204b9375f9a58f80
SSDEEP

6144:iSncRl5sSeGlR9o1Re8XN6W8mmHPtppXPSi9b4fcSncRlrBoLp7ua9Q:P4IGlR9o1RrN6qatppXPm4RBYEa

Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7557878970:AAGK-77Z__cCdoMjeFBTGoWLVAg2XPHco-I/sendMessage?chat_id=8178371083

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d69-8.dat	family_stormkitty
behavioral1/memory/2276-26-0x0000000000C70000-0x0000000000CA0000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0009000000016d69-8.dat	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
3000	PROXYCHECKER-MASTERZ8.EXE
2276	SERVER BOT.EXE
2976	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE

Loads dropped DLL 4 IoCs

pid	Process
2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	SERVER BOT.EXE
File created	C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	SERVER BOT.EXE
File created	C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	SERVER BOT.EXE
File created	C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SERVER BOT.EXE
File opened for modification	C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	SERVER BOT.EXE
File created	C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	SERVER BOT.EXE

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PROXYCHECKER-MASTERZ8.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER BOT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2988	cmd.exe
3068	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	SERVER BOT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SERVER BOT.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 109dda315c4edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5C778471-BA4F-11EF-A723-5ADFF6BE2048} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000003c8b3914412897be33868d17d9e0a3a3748a21e6560c565313118664f510d2df000000000e80000000020000200000008f04fa80599ade75b999cf8301f5da617b88b32efdae1f4dc829b24328e7b26520000000e6d6b6498dbe56dadb875cc0cef488f8a4399ff7e04e5b7ed1cb4128870e7e0340000000c6f9e8e9d946cb454cc7f0fba8424293a027c1b56b1cac1739268883157c460576078b2053408bfc03d652a1bd547dd07cddeee749a3de283ff61685cae290df	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000f2b9382c1b6fb81521f493329aa966b73cc5671af48dd5281245c36fab7465d1000000000e8000000002000020000000e4efe9f3557a7da88de4a2342c37431cf42691542e31adff96f040334acff54590000000e0897e9d553585616c8db56cf6bd47f23200af36246318b8c79a93339839061896c83db24e9884918f0b53e2a4f19ff46baebce36fa5bc189cbcdfa609381356bec3eea8aee39374bed7bc912e472e7c4541eef1ca8a31ab209b636a7e69df0804ef1519d0799c88065bd97d63a75f507951496e4f7dccdb3b8441604534ab6f624ba97e7f56aac09d75e6625d399a59400000005734efe1b1ceb6f5287d6a6a162b3dff2360a141fad2e3bbf6cec4416a8c458ef89dcd00107e58ad97aa513ef98408690b5a25e905a71898a33770876002ecdf	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440365418"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2276	SERVER BOT.EXE
2276	SERVER BOT.EXE
2276	SERVER BOT.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	SERVER BOT.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2944	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2944	iexplore.exe
2944	iexplore.exe
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 3000	2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	30
PID 2820 wrote to memory of 3000	2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	30
PID 2820 wrote to memory of 3000	2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	30
PID 2820 wrote to memory of 3000	2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	30
PID 2820 wrote to memory of 2276	2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	32
PID 2820 wrote to memory of 2276	2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	32
PID 2820 wrote to memory of 2276	2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	32
PID 2820 wrote to memory of 2276	2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	32
PID 2820 wrote to memory of 2976	2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	33
PID 2820 wrote to memory of 2976	2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	33
PID 2820 wrote to memory of 2976	2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	33
PID 2820 wrote to memory of 2976	2820	e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe	33
PID 2976 wrote to memory of 2944	2976	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE	34
PID 2976 wrote to memory of 2944	2976	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE	34
PID 2976 wrote to memory of 2944	2976	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE	34
PID 2976 wrote to memory of 2944	2976	TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE	34
PID 2944 wrote to memory of 2628	2944	iexplore.exe	35
PID 2944 wrote to memory of 2628	2944	iexplore.exe	35
PID 2944 wrote to memory of 2628	2944	iexplore.exe	35
PID 2944 wrote to memory of 2628	2944	iexplore.exe	35
PID 2276 wrote to memory of 2988	2276	SERVER BOT.EXE	38
PID 2276 wrote to memory of 2988	2276	SERVER BOT.EXE	38
PID 2276 wrote to memory of 2988	2276	SERVER BOT.EXE	38
PID 2276 wrote to memory of 2988	2276	SERVER BOT.EXE	38
PID 2988 wrote to memory of 3020	2988	cmd.exe	40
PID 2988 wrote to memory of 3020	2988	cmd.exe	40
PID 2988 wrote to memory of 3020	2988	cmd.exe	40
PID 2988 wrote to memory of 3020	2988	cmd.exe	40
PID 2988 wrote to memory of 3068	2988	cmd.exe	41
PID 2988 wrote to memory of 3068	2988	cmd.exe	41
PID 2988 wrote to memory of 3068	2988	cmd.exe	41
PID 2988 wrote to memory of 3068	2988	cmd.exe	41
PID 2988 wrote to memory of 2908	2988	cmd.exe	42
PID 2988 wrote to memory of 2908	2988	cmd.exe	42
PID 2988 wrote to memory of 2908	2988	cmd.exe	42
PID 2988 wrote to memory of 2908	2988	cmd.exe	42
PID 2276 wrote to memory of 2404	2276	SERVER BOT.EXE	43
PID 2276 wrote to memory of 2404	2276	SERVER BOT.EXE	43
PID 2276 wrote to memory of 2404	2276	SERVER BOT.EXE	43
PID 2276 wrote to memory of 2404	2276	SERVER BOT.EXE	43
PID 2404 wrote to memory of 928	2404	cmd.exe	45
PID 2404 wrote to memory of 928	2404	cmd.exe	45
PID 2404 wrote to memory of 928	2404	cmd.exe	45
PID 2404 wrote to memory of 928	2404	cmd.exe	45
PID 2404 wrote to memory of 1348	2404	cmd.exe	46
PID 2404 wrote to memory of 1348	2404	cmd.exe	46
PID 2404 wrote to memory of 1348	2404	cmd.exe	46
PID 2404 wrote to memory of 1348	2404	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe
"C:\Users\Admin\AppData\Local\Temp\e88ccd1e7f73f9371fbc1347e0fca0cf902fff7c3cb0c9ea1a71714135af7096.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\PROXYCHECKER-MASTERZ8.EXE
  "C:\Users\Admin\AppData\Local\Temp\PROXYCHECKER-MASTERZ8.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:3020
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3068
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      System Location Discovery: System Language Discovery
      PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:928
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1348
- C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE
  "C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f5616d590b1862bdc2c97a1b7447868

SHA1
8b0742d5a892b7b4de6d577058ef449b8a818438

SHA256
5a9e600b4bc12adae0eee5fc26d36d0860b8acb6cb84adfc82ba0ade81210348

SHA512
42fd4234cc15222a539c2fe1532d13d6d4d14d5a038db12a451c7f9522183c849fff5863d87908d167cfdeb6658b23ecfc1acb129789761c31c74f1aa7b86236

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc795e469d463e1e04736f35c1fb9d26

SHA1
456c3b1a42ba7f4ec0f34faf62bff2608807b2e2

SHA256
7a3c8b3887ba5a7abd67f812f749209d900dbceeb661330eddb67ff519b79f09

SHA512
2c9e1c152d99326f5cae83cf161e89eb07672f360d6ce947b1b5fdad4f8aa22f3e0555b532d410c09e11537efca1812d5d21a304506d6497d181f0b859c1a669

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fb8a4616a811939d828bbc822e4d214

SHA1
3a252f99508696c6c9eb7abdf93d0cb5597937c3

SHA256
a32e4232455cb7fe06a147ca83cbc671cb45ded995bbea7ed0469647361844d8

SHA512
ebcf8e1dc2f2f723c289f879123c282c39879d1c7fb002cdeb162e94072bbcdeff101a6334f5a2cdd0aee273efbdf27332be2b58dcaf1648fc96af7392b8b6c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa42a0c068ae0528737356ab9e475460

SHA1
aa06ad1850971722dd2d9f6def727d65b85449e5

SHA256
7c14898d65757bbf012c50a3f48511979dbe79b5f1c4445cece2f74450d25850

SHA512
f5a5963cbc7edaf08dc42d11ec0981a745e5efaffa5be5522cedd4064b665b2bc9f6b9024f136d67150d1c70258c7f32ef6dc9fc16e7a739437972f968871faa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4a587d0a48ef207b171f807799b6a49

SHA1
8966939fab1e69919269a82bcf9c49a42fc8a348

SHA256
532600ec8bccff9de75b4cf981b42c1754f918949ee447454c89beef404c8506

SHA512
e238452b7a259fb6bc464cd1030874ff4f037ba59198c0406add1f26d9f80c078e1e2a5ea40e1c8f0692c1fe01935956fb2eb962c88ea5f7fac7fe9d8f22bf90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a80744ce2142a6a4a25ca1ae18f01842

SHA1
cdde8145d3f81204f3f099d9bceee8ebef1aa9e6

SHA256
bcabf827cf0f0b7168c1c5e933ff979885ce62dc6a26ac82f9270b62a6434b3f

SHA512
c034cc5d2dfa9691eaf3791060bc53f13ee7b7f2bc98e2d4ee77c3e1a359f108af2bf791bbd6a162b1b4c422e52f931815b982411b41a057bf5a0fb9817f9adf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c930b170e31cfaa98cac403200281296

SHA1
6de0deef3e821b3e58203f8f50d9179cc88e3957

SHA256
240771a9635b121de30573db19d4e84846c79ee8b4e11fc692b2ed1e4b972cf4

SHA512
c85bc96589b8092d00600f7e6f13fc53ca74759fcb3e835bedfe64ad76ba583acc26307b8d62fc2757fc63333fb5ec64fb69cd9dd5e94def704c971f93a8e19b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5aab8a38db0caf9f0a57a3c3174b1497

SHA1
7621674042eacf2df52db6268155a361cbeec444

SHA256
4b8de547fa2ff1ee4efaaded2ddb95eedca4b6550921ef9bb4f96b85f707fd13

SHA512
e3507e10164e4463020b9cc646f6ce5782ee15b54278661580fb2d77230f49f7c223ad8e3186cf7bb557839a8d6cc7588ab0039b0a83cc00aaf893e6a6268008

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
108788e7356b0eaa96d84a53579140ce

SHA1
c719079819751557d7e9acab210f628783cac2df

SHA256
5192a6a8dc14ffcc9393088008990263c07b81793ad8208d13a6bd45d190dce5

SHA512
f24e3e8d3d15cd577f1d33010945cd5b2da4b8037145bafb340a35fbd555118a0d707c6ea6ed47c4948c39a82ec608aaeaa85a0372147882f42a73740b4b2038

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b05c1fb50e9288983835bbed1e5e24be

SHA1
380ae78ac456e5c1a744907304a96295db0596dd

SHA256
f9476c8ab7421746d61104d2d826e5fb6e9785d79a76f5abe0e115359779eeef

SHA512
7d6f1150841689680752fd2126df5b8d7776d73b869532241f67b6ff7e2da6fe16a418b18ab03bcc3c8644fbeabf1d7d5a1172f3f1d1727b0fda13eda47fa3f9

Download Submit
C:\Users\Admin\AppData\Local\63cc077a421cf2b870fcc7cfd7f12271\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE967.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML

Filesize
466KB

MD5
f9035161bd488986f5bac378372168cf

SHA1
7e6ceaffefb0529e72c1ded8c3b98230e85e2842

SHA256
17677889889bf300ebceb7b998ffef915ce1d7ae74ba106783afb569c8ec92d4

SHA512
cf1a25f5f728a4145e5f64c0f14f87beb5e6da8de8647330eb9322e9f4f15e0cb9b1f2d3aae72221e8359f747621d273f67755babf04dc8270122c273dd1da85

Download Submit
C:\Users\Admin\AppData\Local\Temp\TELEGRAM_ CONTACT @AMRNET1VIP1.MHTML.EXE

Filesize
519KB

MD5
7c908443c3e7c8713df4d3482adc6a89

SHA1
545145ded60fd817d329062b6df4e12818c530d3

SHA256
f06f72d8206e8476e7bf3261b18d19a6ddd7e02aed0b69cc932c261a9da2b620

SHA512
76d90435d08992ac4343f4b1cb01944f2713dc67691bb7038643fc8b05f73bed75515a4d1000a6e44ad2c2a37508af7128c4e50b8c3064e0786e84099903c951

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA65.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\d07d8c794729ba403f10dda7a29708c9\Admin@BCXRJFKE_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
\Users\Admin\AppData\Local\Temp\PROXYCHECKER-MASTERZ8.EXE

Filesize
65KB

MD5
047b902ab5e9a317eef11e6dcf4cfa8d

SHA1
e4212a9c195b85fd3409cd7dbba80dac9f66abfd

SHA256
e023315bebd54dbf73c6e2e92466edb8cc108e2c8b0658f3762d32447f6fd553

SHA512
900dcbe105b4b899afa9cfa92de0aa37bb05ad11fc425bb53ad6d3ed8dcebc9b6b67e2060fca78bddffb206c34fa5ebfe5fbf20996cfac0cc5aba7b1d5cf48fa

Download Submit
\Users\Admin\AppData\Local\Temp\SERVER BOT.EXE

Filesize
170KB

MD5
2e7cb0a4c91b31337f17742a2f73aaf7

SHA1
08b2db3956a4af5671d374f62e753fdbeeb94d36

SHA256
c92ccebe416798a16a22f1f45978df59988b4219d118eb9d2100fabe2eb78c3b

SHA512
7487c1f068a3edf4ae74f08a27fde66888703b3ee5883f88774e477c7b645eff1b6a950354f391239aca82a5cf0b9d28a1ad8adbac4159cfd92dc31fa34fbcb2

Download Submit
memory/2276-26-0x0000000000C70000-0x0000000000CA0000-memory.dmp

Filesize
192KB

Download
memory/3000-27-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/3000-25-0x0000000000040000-0x0000000000056000-memory.dmp

Filesize
88KB

Download