Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 03:47
Static task
static1
Behavioral task
behavioral1
Sample
b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe
Resource
win7-20240903-en
General
-
Target
b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe
-
Size
810KB
-
MD5
87c051a77edc0cc77a4d791ef72367d1
-
SHA1
5d5bab642235f0af7d9afe3cacec5ae2a4cfc8e5
-
SHA256
b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c
-
SHA512
259a3f823d5051fcc9e87ceacf25557ab17f5d26ff4f0c17801d9ef83a23d2a51261a73e5ba9c3caf1ca2feb18a569458f17a2a5d56b542b86d6a124a42d4c2c
-
SSDEEP
12288:FCxMe2dk7YgL+OsQdFGHjaRYf9bquEZ68ufU3wqB2ydPsW/w0bvf:FsMe2KYIDpSO5vZ68FwqB2aPsW3
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.2
Default
47.238.55.14:4449
rqwcncaesrdtlckoweu
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 1280 created 3436 1280 Thermal.pif 56 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 1280 Thermal.pif 1764 RegAsm.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 4596 tasklist.exe 3488 tasklist.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\ReceptorsTeeth b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe File opened for modification C:\Windows\PorcelainExhaust b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe File opened for modification C:\Windows\MonsterRaymond b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe File opened for modification C:\Windows\FirewireBros b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe File opened for modification C:\Windows\PortugalCharges b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe File opened for modification C:\Windows\PgJune b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Thermal.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif 1764 RegAsm.exe 1764 RegAsm.exe 1764 RegAsm.exe 1764 RegAsm.exe 1764 RegAsm.exe 1764 RegAsm.exe 1764 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4596 tasklist.exe Token: SeDebugPrivilege 3488 tasklist.exe Token: SeDebugPrivilege 1764 RegAsm.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 1280 Thermal.pif 1280 Thermal.pif 1280 Thermal.pif -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1764 RegAsm.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 4444 wrote to memory of 1700 4444 b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe 83 PID 4444 wrote to memory of 1700 4444 b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe 83 PID 4444 wrote to memory of 1700 4444 b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe 83 PID 1700 wrote to memory of 4596 1700 cmd.exe 85 PID 1700 wrote to memory of 4596 1700 cmd.exe 85 PID 1700 wrote to memory of 4596 1700 cmd.exe 85 PID 1700 wrote to memory of 3424 1700 cmd.exe 86 PID 1700 wrote to memory of 3424 1700 cmd.exe 86 PID 1700 wrote to memory of 3424 1700 cmd.exe 86 PID 1700 wrote to memory of 3488 1700 cmd.exe 88 PID 1700 wrote to memory of 3488 1700 cmd.exe 88 PID 1700 wrote to memory of 3488 1700 cmd.exe 88 PID 1700 wrote to memory of 2640 1700 cmd.exe 89 PID 1700 wrote to memory of 2640 1700 cmd.exe 89 PID 1700 wrote to memory of 2640 1700 cmd.exe 89 PID 1700 wrote to memory of 1108 1700 cmd.exe 90 PID 1700 wrote to memory of 1108 1700 cmd.exe 90 PID 1700 wrote to memory of 1108 1700 cmd.exe 90 PID 1700 wrote to memory of 1680 1700 cmd.exe 91 PID 1700 wrote to memory of 1680 1700 cmd.exe 91 PID 1700 wrote to memory of 1680 1700 cmd.exe 91 PID 1700 wrote to memory of 1168 1700 cmd.exe 92 PID 1700 wrote to memory of 1168 1700 cmd.exe 92 PID 1700 wrote to memory of 1168 1700 cmd.exe 92 PID 1700 wrote to memory of 1280 1700 cmd.exe 93 PID 1700 wrote to memory of 1280 1700 cmd.exe 93 PID 1700 wrote to memory of 1280 1700 cmd.exe 93 PID 1700 wrote to memory of 3752 1700 cmd.exe 94 PID 1700 wrote to memory of 3752 1700 cmd.exe 94 PID 1700 wrote to memory of 3752 1700 cmd.exe 94 PID 1280 wrote to memory of 1968 1280 Thermal.pif 95 PID 1280 wrote to memory of 1968 1280 Thermal.pif 95 PID 1280 wrote to memory of 1968 1280 Thermal.pif 95 PID 1280 wrote to memory of 1764 1280 Thermal.pif 104 PID 1280 wrote to memory of 1764 1280 Thermal.pif 104 PID 1280 wrote to memory of 1764 1280 Thermal.pif 104 PID 1280 wrote to memory of 1764 1280 Thermal.pif 104 PID 1280 wrote to memory of 1764 1280 Thermal.pif 104
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3436
-
C:\Users\Admin\AppData\Local\Temp\b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe"C:\Users\Admin\AppData\Local\Temp\b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4596
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"4⤵
- System Location Discovery: System Language Discovery
PID:3424
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3488
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"4⤵
- System Location Discovery: System Language Discovery
PID:2640
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 7245984⤵
- System Location Discovery: System Language Discovery
PID:1108
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "WowLiberalCalOfficer" Weight4⤵
- System Location Discovery: System Language Discovery
PID:1680
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y4⤵
- System Location Discovery: System Language Discovery
PID:1168
-
-
C:\Users\Admin\AppData\Local\Temp\724598\Thermal.pifThermal.pif y4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Users\Admin\AppData\Local\Temp\724598\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\724598\RegAsm.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1764
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 54⤵
- System Location Discovery: System Language Discovery
PID:3752
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users\Admin\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:1968
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63KB
MD50d5df43af2916f47d00c1573797c1a13
SHA1230ab5559e806574d26b4c20847c368ed55483b0
SHA256c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
-
Filesize
872KB
MD518ce19b57f43ce0a5af149c96aecc685
SHA11bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
-
Filesize
254KB
MD5a65498ab3a69a64ead790db5bb2f48aa
SHA1eb8cd723dab355ff507b356b9286f09b9ffcd968
SHA2569ad27753646f1eec5009be7ed43bcdfc4e9ab8dffc6fe3ff4adc558a1f32f5cd
SHA5129cfcb7873c3bad12109a85516eaf62393aa905b5a7fa93e8bc808ef0911070ea89f0e41953e67b45b74409bf0ac046fd7f4a12ab612edf7bf01a46c459ba1cef
-
Filesize
90KB
MD5975bfc19287c2c5b74a1b228f30f14b0
SHA18f5feec00b337529a7e193f452c45f6063ad37a1
SHA25691e28eface5e10865887b9a13420b1bfd3a8673255785e3bfc65745da63d1322
SHA51218d8c41ebcba5667cb3ac3fa1270d78cad2fd9e8fc69dd32969b693fedc6354e3de12f74830e68b55c6aa7c5a0fbb388599f827cb94d71732231f4ebbf580f85
-
Filesize
58KB
MD501d7374bf51507454392d1081d9b309e
SHA1034378159b5f4b6089a95064aec9ff210da7c3df
SHA256eecdd8dfd2dd6d9d1c55077ee6515a9c59d3046112d014b7a5e87fdabb8157a2
SHA512de64b35bfd2c279a77d552f7c518421bffcf2f5d14e78fa3f80e21b97aeb5dc287340452d61ca19c9aa5ce426c61ec6605786727d844282aa5457a1d8c4f94f4
-
Filesize
17KB
MD5f15a876fe95af76d09e4f26593b4502e
SHA153d14a9f7b44de6fd9aba018e0f4738175a4e3a0
SHA2564ddf695422db24b6917750a923db6d55e9973a4463cf3b60f0c732d34f7728d1
SHA512cbc944366518fea910cc685c6ac99caafa20ffd91ba8572b5e33feeb9529cea6684e83365c5851d6798bcd3dc265e9157ae80e60f56f061c2b78e6c935e48741
-
Filesize
865KB
MD5260377b64080b872ffd57234ff7d097e
SHA1f9ea953f328a1ec1cac31ac05a6353ae27519238
SHA25629826de3343c0a6f753f3cdcc551e755e12059e79b0658be1048e5f893e1c0d3
SHA512a01a781d352ac7cb98fd17f91db6114147188519819106d27a183f8bc114713de8d0e78524dcab8833187e365f2207da5e4cd77fc8d787f63b48a04bf17b6de5
-
Filesize
10KB
MD5b5a2ce2534752d3a6033f59c8436d7b6
SHA18e184055af6e0f7dcd83d832bd565e784a7b8e80
SHA256c142ebc3005012c982b366c6e4b03db5b477c721eed245592a6f2c585ec314c3
SHA512c2f5480e23fcd32ac7111fc9e507b7660ee551477a1dc18f188bd5796bf29bc93cc10926908f9f6483e906bfc07dde07be7223bc0b4b4c5dbc0fa1c0f2d43f2c
-
Filesize
7KB
MD54192ba712a2fdc09914b07d144f06e20
SHA10a3320eea12b490fd589b9f2cb878579108be555
SHA256265661fdddd79aefcfba0fc456cf864c05439b8281da8345d200283f5664a229
SHA512543248b976f061c835329adbccbb249922ebeb671bb158d7a0e70284e0fe9d723c18e8a2e4f198202cfa20dc3d0f341efd4e78c64f4d5e56e8d2a08745417948
-
Filesize
96KB
MD5b7c64d91870c30f6d27b86c9294ca361
SHA141ea994169f7bea9752f6bd40d9833d6577ede49
SHA25691a57858547382fa34e5aad2a6c8546c4eaeaa32b515693e42e84ad190149a6a
SHA512d6d3625a28a8ab2aad5e5e80cb10798d3602e0e189d521e4fecbee4f4015f07e7d2c6f9cdbec4c9efcc5c903c3ebaaf9b6abbf30d615748316992a5c398bc1b6