Analysis
max time kernel: 135s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 20-12-2024 14:20
Static task: static1
Behavioral task: behavioral1
  Sample: PureRcs Adv Token Grabbernls..scr
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: PureRcs Adv Token Grabbernls..scr
  Resource: win10v2004-20241007-en
General
Target: PureRcs Adv Token Grabbernls..scr
Size: 3.0MB
MD5: 29ee9836013142f0f63c6813944c7021
SHA1: 90781c0a4d3fe85d1582eb1ca4c5aa910ee85b78
SHA256: 7382071535d0b83a8ee62e72c29e8f42d433b29238c4c86cfba7c4de4d6ad6b1
SHA512: 482d95357c48dbe380b90980a626fc04446de10e83e31dfbe850de94942091b86f01b83c2efe4517b887b8c288b0689e64809f5ad174deca759eeb9594d2e47e
SSDEEP: 49152:oXWsTEkwghTKv4jysGUqgCoOtt1JKLBuhFapNyPn7MU4HcOL:oXFEkwghTKv4jysGUqgCxttiBmas7+8
Malware Config
Extracted: asyncrat
  Version: 0.5.7B
  Botnet: MetaMask
  C2: 51.103.217.70:6677
  Mutex: MetaMask
  delay: 3
  install: false
  install_folder: %AppData%
Extracted: asyncrat
  Version: | CRACKED BY https://t.me/xworm_v2
  Botnet: Google Chrome
  C2: 51.103.217.70:8585
  Mutex: Google Chrome
  delay: 3
  install: false
  install_folder: %AppData%
Extracted: asyncrat
  Version: | CRACKED BY https://t.me/xworm_v2
  Botnet: Windows Defender
  C2: 51.103.217.70:8585
  Mutex: AsyncMutex_6SI8OkPnk
  delay: 3
  install: false
  install_folder: %AppData%
Extracted: asyncrat
  Version: 0.5.7B
  Botnet: Expoler
  C2: 51.103.217.70:6677
  Mutex: Expoler
  delay: 3
  install: false
  install_folder: %AppData%
Signatures
Asyncrat family
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | EDGE.EXE
Executes dropped EXE (5 IoCs)
  pid | Process
  1916 | EDGE.EXE
  1652 | GOOGLE CHROME.EXE
  3052 | RUNING.EXE
  2940 | METAMASK.EXE
  1896 | EDGE.EXE
Loads dropped DLL (5 IoCs)
  pid | Process
  2292 | PureRcs Adv Token Grabbernls..scr
  2292 | PureRcs Adv Token Grabbernls..scr
  2292 | PureRcs Adv Token Grabbernls..scr
  2292 | PureRcs Adv Token Grabbernls..scr
  1916 | EDGE.EXE
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MetaMask = "C:\\Users\\Admin\\AppData\\Roaming\\MetaMask\\MetaMask.exe" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google Chrome.exe" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runing = "C:\\Users\\Admin\\AppData\\Roaming\\Runing\\Runing.exe" | powershell.exe
  pid | Process
  2712 | powershell.exe
  2776 | powershell.exe
  2696 | powershell.exe
Suspicious use of SetThreadContext (5 IoCs)
  description | pid | Process | procid_target
  PID 1916 set thread context of 1896 | 1916 | EDGE.EXE | 32
  PID 1652 set thread context of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 2940 set thread context of 2788 | 2940 | METAMASK.EXE | 40
  PID 3052 set thread context of 2544 | 3052 | RUNING.EXE | 42
  PID 2544 set thread context of 1676 | 2544 | RegAsm.exe | 43
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PureRcs Adv Token Grabbernls..scr
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GOOGLE CHROME.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RUNING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EDGE.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EDGE.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | METAMASK.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  3052 | RUNING.EXE
  2940 | METAMASK.EXE
  1652 | GOOGLE CHROME.EXE
  2940 | METAMASK.EXE
  3052 | RUNING.EXE
  2940 | METAMASK.EXE
  3052 | RUNING.EXE
  1652 | GOOGLE CHROME.EXE
  1652 | GOOGLE CHROME.EXE
  3052 | RUNING.EXE
  3052 | RUNING.EXE
  2776 | powershell.exe
  2712 | powershell.exe
  2696 | powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3052 | RUNING.EXE
  Token: SeDebugPrivilege | 1652 | GOOGLE CHROME.EXE
  Token: SeDebugPrivilege | 2940 | METAMASK.EXE
  Token: SeDebugPrivilege | 2776 | powershell.exe
  Token: SeDebugPrivilege | 2696 | powershell.exe
  Token: SeDebugPrivilege | 2712 | powershell.exe
  Token: SeDebugPrivilege | 2544 | RegAsm.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2292 wrote to memory of 1916 | 2292 | PureRcs Adv Token Grabbernls..scr | 28
  PID 2292 wrote to memory of 1916 | 2292 | PureRcs Adv Token Grabbernls..scr | 28
  PID 2292 wrote to memory of 1916 | 2292 | PureRcs Adv Token Grabbernls..scr | 28
  PID 2292 wrote to memory of 1916 | 2292 | PureRcs Adv Token Grabbernls..scr | 28
  PID 2292 wrote to memory of 1652 | 2292 | PureRcs Adv Token Grabbernls..scr | 29
  PID 2292 wrote to memory of 1652 | 2292 | PureRcs Adv Token Grabbernls..scr | 29
  PID 2292 wrote to memory of 1652 | 2292 | PureRcs Adv Token Grabbernls..scr | 29
  PID 2292 wrote to memory of 1652 | 2292 | PureRcs Adv Token Grabbernls..scr | 29
  PID 2292 wrote to memory of 2940 | 2292 | PureRcs Adv Token Grabbernls..scr | 30
  PID 2292 wrote to memory of 2940 | 2292 | PureRcs Adv Token Grabbernls..scr | 30
  PID 2292 wrote to memory of 2940 | 2292 | PureRcs Adv Token Grabbernls..scr | 30
  PID 2292 wrote to memory of 2940 | 2292 | PureRcs Adv Token Grabbernls..scr | 30
  PID 2292 wrote to memory of 3052 | 2292 | PureRcs Adv Token Grabbernls..scr | 31
  PID 2292 wrote to memory of 3052 | 2292 | PureRcs Adv Token Grabbernls..scr | 31
  PID 2292 wrote to memory of 3052 | 2292 | PureRcs Adv Token Grabbernls..scr | 31
  PID 2292 wrote to memory of 3052 | 2292 | PureRcs Adv Token Grabbernls..scr | 31
  PID 1916 wrote to memory of 1896 | 1916 | EDGE.EXE | 32
  PID 1916 wrote to memory of 1896 | 1916 | EDGE.EXE | 32
  PID 1916 wrote to memory of 1896 | 1916 | EDGE.EXE | 32
  PID 1916 wrote to memory of 1896 | 1916 | EDGE.EXE | 32
  PID 1916 wrote to memory of 1896 | 1916 | EDGE.EXE | 32
  PID 1916 wrote to memory of 1896 | 1916 | EDGE.EXE | 32
  PID 1916 wrote to memory of 1896 | 1916 | EDGE.EXE | 32
  PID 1916 wrote to memory of 1896 | 1916 | EDGE.EXE | 32
  PID 1916 wrote to memory of 1896 | 1916 | EDGE.EXE | 32
  PID 1652 wrote to memory of 2712 | 1652 | GOOGLE CHROME.EXE | 33
  PID 1652 wrote to memory of 2712 | 1652 | GOOGLE CHROME.EXE | 33
  PID 1652 wrote to memory of 2712 | 1652 | GOOGLE CHROME.EXE | 33
  PID 1652 wrote to memory of 2712 | 1652 | GOOGLE CHROME.EXE | 33
  PID 2940 wrote to memory of 2776 | 2940 | METAMASK.EXE | 35
  PID 2940 wrote to memory of 2776 | 2940 | METAMASK.EXE | 35
  PID 2940 wrote to memory of 2776 | 2940 | METAMASK.EXE | 35
  PID 2940 wrote to memory of 2776 | 2940 | METAMASK.EXE | 35
  PID 3052 wrote to memory of 2696 | 3052 | RUNING.EXE | 34
  PID 3052 wrote to memory of 2696 | 3052 | RUNING.EXE | 34
  PID 3052 wrote to memory of 2696 | 3052 | RUNING.EXE | 34
  PID 3052 wrote to memory of 2696 | 3052 | RUNING.EXE | 34
  PID 1652 wrote to memory of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 1652 wrote to memory of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 1652 wrote to memory of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 1652 wrote to memory of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 1652 wrote to memory of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 1652 wrote to memory of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 1652 wrote to memory of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 1652 wrote to memory of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 1652 wrote to memory of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 1652 wrote to memory of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 1652 wrote to memory of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 1652 wrote to memory of 2732 | 1652 | GOOGLE CHROME.EXE | 41
  PID 3052 wrote to memory of 2608 | 3052 | RUNING.EXE | 39
  PID 3052 wrote to memory of 2608 | 3052 | RUNING.EXE | 39
  PID 3052 wrote to memory of 2608 | 3052 | RUNING.EXE | 39
  PID 3052 wrote to memory of 2608 | 3052 | RUNING.EXE | 39
  PID 3052 wrote to memory of 2608 | 3052 | RUNING.EXE | 39
  PID 3052 wrote to memory of 2608 | 3052 | RUNING.EXE | 39
  PID 3052 wrote to memory of 2608 | 3052 | RUNING.EXE | 39
  PID 3052 wrote to memory of 2544 | 3052 | RUNING.EXE | 42
  PID 3052 wrote to memory of 2544 | 3052 | RUNING.EXE | 42
  PID 3052 wrote to memory of 2544 | 3052 | RUNING.EXE | 42
  PID 3052 wrote to memory of 2544 | 3052 | RUNING.EXE | 42
  PID 3052 wrote to memory of 2544 | 3052 | RUNING.EXE | 42
  PID 3052 wrote to memory of 2544 | 3052 | RUNING.EXE | 42
  PID 3052 wrote to memory of 2544 | 3052 | RUNING.EXE | 42
  PID 2940 wrote to memory of 2788 | 2940 | METAMASK.EXE | 40
Processes
1. C:\Users\Admin\AppData\Local\Temp\PureRcs Adv Token Grabbernls..scr
   Command line: "C:\Users\Admin\AppData\Local\Temp\PureRcs Adv Token Grabbernls..scr" /S
   PID: 2292
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\EDGE.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\EDGE.EXE"
      PID: 1916
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\EDGE.EXE
         Command line: "C:\Users\Admin\AppData\Local\Temp\EDGE.EXE"
         PID: 1896
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE"
      PID: 1652
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Google Chrome';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Google Chrome' -Value '"C:\Users\Admin\AppData\Roaming\Google Chrome\Google Chrome.exe"' -PropertyType 'String'
         PID: 2712
         - Adds Run key to start application
         - Command and Scripting Interpreter: PowerShell
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
         PID: 2732
         - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\METAMASK.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\METAMASK.EXE"
      PID: 2940
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'MetaMask';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'MetaMask' -Value '"C:\Users\Admin\AppData\Roaming\MetaMask\MetaMask.exe"' -PropertyType 'String'
         PID: 2776
         - Adds Run key to start application
         - Command and Scripting Interpreter: PowerShell
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
         PID: 2788
         - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\RUNING.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\RUNING.EXE"
      PID: 3052
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Runing';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Runing' -Value '"C:\Users\Admin\AppData\Roaming\Runing\Runing.exe"' -PropertyType 'String'
         PID: 2696
         - Adds Run key to start application
         - Command and Scripting Interpreter: PowerShell
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
         PID: 2608
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
         PID: 2544
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            PID: 1676
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads