Analysis
max time kernel: 136s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2024 14:20
Static task: static1
Behavioral task: behavioral1
  Sample: PureRcs Adv Token Grabbernls..scr
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: PureRcs Adv Token Grabbernls..scr
  Resource: win10v2004-20241007-en
General
Target: PureRcs Adv Token Grabbernls..scr
Size: 3.0MB
MD5: 29ee9836013142f0f63c6813944c7021
SHA1: 90781c0a4d3fe85d1582eb1ca4c5aa910ee85b78
SHA256: 7382071535d0b83a8ee62e72c29e8f42d433b29238c4c86cfba7c4de4d6ad6b1
SHA512: 482d95357c48dbe380b90980a626fc04446de10e83e31dfbe850de94942091b86f01b83c2efe4517b887b8c288b0689e64809f5ad174deca759eeb9594d2e47e
SSDEEP: 49152:oXWsTEkwghTKv4jysGUqgCoOtt1JKLBuhFapNyPn7MU4HcOL:oXFEkwghTKv4jysGUqgCxttiBmas7+8
Malware Config
Extracted
  Family: asyncrat
  Version: 0.5.7B
  Botnet: MetaMask
  C2: 51.103.217.70:6677
  Mutex: MetaMask
  Attributes:
    delay: 3
    install: false
    install_folder: %AppData%
Extracted
  Family: asyncrat
  Version: | CRACKED BY https://t.me/xworm_v2
  Botnet: Google Chrome
  C2: 51.103.217.70:8585
  Mutex: Google Chrome
  Attributes:
    delay: 3
    install: false
    install_folder: %AppData%
Extracted
  Family: asyncrat
  Version: | CRACKED BY https://t.me/xworm_v2
  Botnet: Windows Defender
  C2: 51.103.217.70:8585
  Mutex: AsyncMutex_6SI8OkPnk
  Attributes:
    delay: 3
    install: false
    install_folder: %AppData%
Signatures
Asyncrat family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: PureRcs Adv Token Grabbernls..scr)

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk (process: EDGE.EXE)

Executes dropped EXE (6 IoCs)
  PID 4396 EDGE.EXE
  PID 2072 GOOGLE CHROME.EXE
  PID 1700 METAMASK.EXE
  PID 3648 RUNING.EXE
  PID 2740 EDGE.EXE
  PID 760 EDGE.EXE

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google Chrome.exe" (process: powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runing = "C:\\Users\\Admin\\AppData\\Roaming\\Runing\\Runing.exe" (process: powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MetaMask = "C:\\Users\\Admin\\AppData\\Roaming\\MetaMask\\MetaMask.exe" (process: powershell.exe)

Command and Scripting Interpreter: PowerShell (3 IoCs)
  PID 1000 powershell.exe
  PID 3092 powershell.exe
  PID 2776 powershell.exe

Suspicious use of SetThreadContext (4 IoCs)
  PID 4396 EDGE.EXE set thread context of PID 760 (procid_target 87)
  PID 1700 METAMASK.EXE set thread context of PID 1484 (procid_target 90)
  PID 2072 GOOGLE CHROME.EXE set thread context of PID 1900 (procid_target 91)
  PID 3648 RUNING.EXE set thread context of PID 2004 (procid_target 97)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: PureRcs Adv Token Grabbernls..scr, RegAsm.exe (3 hits), powershell.exe (3 hits), RUNING.EXE, EDGE.EXE (2 hits), GOOGLE CHROME.EXE, METAMASK.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Repeated hits from PID 3648 RUNING.EXE, PID 2072 GOOGLE CHROME.EXE and PID 1700 METAMASK.EXE (64 entries in total).

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeDebugPrivilege: PID 3648 RUNING.EXE
  Token: SeDebugPrivilege: PID 2072 GOOGLE CHROME.EXE
  Token: SeDebugPrivilege: PID 1700 METAMASK.EXE
  Token: SeDebugPrivilege: PID 4396 EDGE.EXE
  Token: SeDebugPrivilege: PID 2004 RegAsm.exe
  Token: SeDebugPrivilege: PID 2776 powershell.exe
  Token: SeDebugPrivilege: PID 1000 powershell.exe
  Token: SeDebugPrivilege: PID 3092 powershell.exe

Suspicious use of WriteProcessMemory (62 IoCs; unique parent/child pairs, repeated entries collapsed)
  PID 4316 PureRcs Adv Token Grabbernls..scr wrote to memory of PID 4396 (procid_target 82)
  PID 4316 PureRcs Adv Token Grabbernls..scr wrote to memory of PID 2072 (procid_target 83)
  PID 4316 PureRcs Adv Token Grabbernls..scr wrote to memory of PID 1700 (procid_target 84)
  PID 4316 PureRcs Adv Token Grabbernls..scr wrote to memory of PID 3648 (procid_target 85)
  PID 4396 EDGE.EXE wrote to memory of PID 2740 (procid_target 86)
  PID 4396 EDGE.EXE wrote to memory of PID 760 (procid_target 87)
  PID 1700 METAMASK.EXE wrote to memory of PID 1000 (procid_target 88)
  PID 1700 METAMASK.EXE wrote to memory of PID 1484 (procid_target 90)
  PID 2072 GOOGLE CHROME.EXE wrote to memory of PID 3092 (procid_target 89)
  PID 2072 GOOGLE CHROME.EXE wrote to memory of PID 1900 (procid_target 91)
  PID 3648 RUNING.EXE wrote to memory of PID 2776 (procid_target 94)
  PID 3648 RUNING.EXE wrote to memory of PID 4452 (procid_target 95)
  PID 3648 RUNING.EXE wrote to memory of PID 2004 (procid_target 97)
  PID 2004 RegAsm.exe wrote to memory of PID 2516 (procid_target 98)
Processes
C:\Users\Admin\AppData\Local\Temp\PureRcs Adv Token Grabbernls..scr (PID 4316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PureRcs Adv Token Grabbernls..scr" /S
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\EDGE.EXE (PID 4396)
    Command line: "C:\Users\Admin\AppData\Local\Temp\EDGE.EXE"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\EDGE.EXE (PID 2740)
      Command line: "C:\Users\Admin\AppData\Local\Temp\EDGE.EXE"
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\EDGE.EXE (PID 760)
      Command line: "C:\Users\Admin\AppData\Local\Temp\EDGE.EXE"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE (PID 2072)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3092)
      Command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Google Chrome';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Google Chrome' -Value '"C:\Users\Admin\AppData\Roaming\Google Chrome\Google Chrome.exe"' -PropertyType 'String'
      - Adds Run key to start application
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1900)
      Command line: #cmd
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\METAMASK.EXE (PID 1700)
    Command line: "C:\Users\Admin\AppData\Local\Temp\METAMASK.EXE"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1000)
      Command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'MetaMask';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'MetaMask' -Value '"C:\Users\Admin\AppData\Roaming\MetaMask\MetaMask.exe"' -PropertyType 'String'
      - Adds Run key to start application
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1484)
      Command line: #cmd
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\RUNING.EXE (PID 3648)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RUNING.EXE"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2776)
      Command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Runing';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Runing' -Value '"C:\Users\Admin\AppData\Roaming\Runing\Runing.exe"' -PropertyType 'String'
      - Adds Run key to start application
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4452)
      Command line: #cmd

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2004)
      Command line: #cmd
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2516)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads