Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-12-2024 04:28
General
-
Target
ee7f82c8e4206ef5684612a8bb87659e3de3ec3a6360fa4445c6ba7b09555089.exe
-
Size
1.1MB
-
MD5
0333b88f46c3307fc9f81e49879a713a
-
SHA1
71d9774c6655d70b6bfdde93537ab8a71871f720
-
SHA256
ee7f82c8e4206ef5684612a8bb87659e3de3ec3a6360fa4445c6ba7b09555089
-
SHA512
e58bff9a4bf38298c16c1eeb03dd30308ac83c78bacb6109a8a3323a22266e6b1bd4567baffb361def5942a966314ce1c632f1169a33be321d5dcddc7fd24540
-
SSDEEP
24576:FsZLTFNaRFTbOuOVopBeTy5/9sYfel4nVTGqBJyIkZL:FQLTmTbOJGTmPl4ViNIOL
Malware Config
Extracted
xworm
5.0
45.202.35.187:7812
aKdQYeM96lmotCU8
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
185.252.232.158:7812
64.23.232.116:7812
vsvf
-
delay
1
-
install
true
-
install_file
Windows Security Health Service.exe
-
install_folder
%AppData%
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
quasar
2.1.0.0
Office05
45.202.35.187:7812
VNM_MUTEX_huos54NyApqBwZbqPa
-
encryption_key
KtASenD3qm2g9omdsHwb
-
install_name
Windows Security Service.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security Update
-
subdirectory
SubDir2
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 2 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Stormkitty family
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Venomrat family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Async RAT payload 2 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 10 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 8 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee7f82c8e4206ef5684612a8bb87659e3de3ec3a6360fa4445c6ba7b09555089.exe"C:\Users\Admin\AppData\Local\Temp\ee7f82c8e4206ef5684612a8bb87659e3de3ec3a6360fa4445c6ba7b09555089.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe" /rl HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir2\Windows Security Service.exe"C:\Users\Admin\AppData\Roaming\SubDir2\Windows Security Service.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Security Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir2\Windows Security Service.exe" /rl HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DI8SiqAIkf1l.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Roaming\crack.exe"C:\Users\Admin\AppData\Roaming\crack.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp979C.tmp.cmd""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 44⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Roaming\Cracked.exe"C:\Users\Admin\AppData\Roaming\Cracked.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"'4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp926C.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5451af08450a72fa37474b2cd93b08919
SHA1dd8e1d5fea4ae838e819dea6ea5068bef68612c5
SHA256eaec62ed5f4d6790489bd25856d58a3a8c09c41408e994f2f820082da942324a
SHA51299301492aaa01d26f446d50de6ace2c3e697674f69cb488fffaf4f0ea68556b2534cef04b550ebbf80ec8bfb45b29537cba257dfd4f4ed56bff5a7fa5f6e119c
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
Filesize
218B
MD50e323b78396568d9f36123de98e90a91
SHA1ec0f2e7e1e1b8a0e4e0768427309861646aa6e4b
SHA2569c27a2318c2575b4677ce69d119e83cad3342b44acf2aa9dd316b3ed88f99519
SHA51240e0cc7f8d29fb47f26742ea8a390aa3a0b5c6b057c645a0983f03cbcf89e535575ec9ee0f92b8a1d19f6a04c7da2219b2c0a465ea01ebe655021d22f9fd8998
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.0MB
MD548a487bd3544c6fb62a830c256dc7699
SHA131b692f6973298aa7d19ad1b42de00e2cc5d9053
SHA25696f59d96ad8f469b549fab4ef1794e9db70987ca0aa915fd0eb7381302f8c2df
SHA51262c2910a3f10f7dfb0b54b952662a7e85e5cd5cdb9e81725b3e27750e70cf16542a4a5520b73e74b2554a1ab205fb84ca3c402383f5d3a91ef99cdb25e1a76e4
-
Filesize
175B
MD5a4073e7447ec00d8395fc658255abad4
SHA193d437e378eacad11daabc736e19dca97c5e3f2e
SHA25600bfbd09869530bd31a9fc6f4d2477fc979610b89314e02f8760e24b41eefb6c
SHA5128f81cb26489c0c84d8bbec0b924e5a503dd2b39f524b18d8c2c1b0fb0baa57e2a5e8079e643a9b64cb91632b5b48402f9bf2a369ae003ca65897b26921b4c0d9
-
Filesize
151B
MD5da9eb53d68e47a2e224eb0a9b5ec2fb9
SHA13a974d0cc17aacff6761fd001704cddf3d3f51b9
SHA2564ce1864f484f9248f8ba3ce9649971446fc92a94cc5d1a1d37b1f6e070b8f4e7
SHA5126e9875e39da5204b40b1ddb901210a536166762415aacd6228dd222c97e5e860c41d52834b71667514e4adc7795757fb31b0f5acc7def199e6ed9dab60b08201
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
4KB
MD5755e8007324eac9c284d86cec441a1a6
SHA1f8c295bbc311cb0f0647fba3111eae2d600fd60c
SHA256a62229ebca12c7b00522ea4b30fdc2b86c3572278ffb6eba034bdd9fa5b49be8
SHA5126f4429fac4411a4023e0875c2776c0180ced5cd8b8099a39d14deec978ea8cde209859149e6fa72995431b638f76e35af7a851f56398d3b03fb5e30894bba5e2
-
Filesize
74KB
MD50dfa83a82f6418c73406d78296de61be
SHA1dd7eceef8a434c43e0751e180bf714e08771d336
SHA2568d27369ffa8b29d561fa9daf485be14d2fc00287bb1c69d4c84d514891c8db5e
SHA5129a4b026250b18c29ab7dd48203f321c2ef2f12695bd2dcb52ebbc15001c8ddf019d5a7e04da056c50c1881ce269d1810259bf6d04b61f471e8751b7192fc73d4
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
534KB
MD5eb9cf25d3f3bc264b5927d1be3e09579
SHA1aff9680717e14a4ae93e6622fc6deb9681f23945
SHA256111a92e5754a8a994f11891304c04aa7c5f8ec96000a6a1329a0b6a1a93973c9
SHA5120e817256eb3573aa5408874658101277d4167d795c10ac3a88086c9983e312a3b08149546cda1adc0beb4ad82d6bd3abf5d94867f470b87962ab223ce1e1de01
-
Filesize
170KB
MD536e79d9c029304417b9e0a142eb22a42
SHA1ec3e50b99c320bf80cf990558da8707fbb52edab
SHA256b9b3b3630d78ed68c6cca1fb41fe51fa1626c6a58bd62387d824e344b8e451bb
SHA512d2732de13b780eff3c14a4122410f02395a2d1cc36f7c28f9d8a58f07cc20528860ff169d35ba72cb64f0f0d58ca98f5a8bd962447c33f637ef9e8a0fc3ae9c8
-
Filesize
8KB
MD59215015740c937980b6b53cee5087769
SHA1a0bfe95486944f1548620d4de472c3758e95d36a
SHA256a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541
SHA5125b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2
-
Filesize
39KB
MD5d096b08e3b57c69c0c81b01d9af46f4d
SHA17fb490fdd0f6487c5b092b70123a78cdada29e8a
SHA2566a796b999890a10382a379a729da532b5b80d5983e66b2d797acf24b34a8e415
SHA512c8fba202b4abb19b83a565b2516ec3f1599f26dc50325dd893e221fec6fe7e9a7fca7c96786aa9ca7b0fadb6f13d4fcf4d69eb0fe1351ec08548f172b4348d26
-
Filesize
40KB
-
Filesize
96KB
-
Filesize
80KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
200KB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
56KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
32KB
-
Filesize
8KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
560KB
-
Filesize
408KB
-
Filesize
240KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB