Analysis
max time kernel: 137s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 20-12-2024 14:35
Static task: static1
Behavioral task: behavioral1
Sample: PureRcsAdvTokenGrabbernls..scr
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: PureRcsAdvTokenGrabbernls..scr
Resource: win10v2004-20241007-en
General
Target: PureRcsAdvTokenGrabbernls..scr
Size: 3.0MB
MD5: 29ee9836013142f0f63c6813944c7021
SHA1: 90781c0a4d3fe85d1582eb1ca4c5aa910ee85b78
SHA256: 7382071535d0b83a8ee62e72c29e8f42d433b29238c4c86cfba7c4de4d6ad6b1
SHA512: 482d95357c48dbe380b90980a626fc04446de10e83e31dfbe850de94942091b86f01b83c2efe4517b887b8c288b0689e64809f5ad174deca759eeb9594d2e47e
SSDEEP: 49152:oXWsTEkwghTKv4jysGUqgCoOtt1JKLBuhFapNyPn7MU4HcOL:oXFEkwghTKv4jysGUqgCxttiBmas7+8
Malware Config

Extracted
asyncrat
0.5.7B
MetaMask
51.103.217.70:6677
MetaMask
delay: 3
install: false
install_folder: %AppData%

Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
Google Chrome
51.103.217.70:8585
Google Chrome
delay: 3
install: false
install_folder: %AppData%

Extracted
asyncrat
0.5.7B
Expoler
51.103.217.70:6677
Expoler
delay: 3
install: false
install_folder: %AppData%

Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
Windows Defender
51.103.217.70:8585
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures

Asyncrat family
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | PureRcsAdvTokenGrabbernls..scr
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | EDGE.EXE
Executes dropped EXE 5 IoCs
pid | Process
3692 | EDGE.EXE
4500 | GOOGLE CHROME.EXE
4880 | METAMASK.EXE
412 | RUNING.EXE
4244 | EDGE.EXE
Uses the VBS compiler for execution 1 TTPs
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MetaMask = "C:\\Users\\Admin\\AppData\\Roaming\\MetaMask\\MetaMask.exe" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google Chrome.exe" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runing = "C:\\Users\\Admin\\AppData\\Roaming\\Runing\\Runing.exe" | powershell.exe
pid | Process
3312 | powershell.exe
4632 | powershell.exe
2996 | powershell.exe
Suspicious use of SetThreadContext 5 IoCs
description | pid | Process | procid_target
PID 3692 set thread context of 4244 | 3692 | EDGE.EXE | 86
PID 4500 set thread context of 3284 | 4500 | GOOGLE CHROME.EXE | 92
PID 412 set thread context of 2328 | 412 | RUNING.EXE | 93
PID 2328 set thread context of 3372 | 2328 | RegAsm.exe | 94
PID 4880 set thread context of 2724 | 4880 | METAMASK.EXE | 96
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EDGE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RUNING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PureRcsAdvTokenGrabbernls..scr
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | METAMASK.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EDGE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GOOGLE CHROME.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4500 | GOOGLE CHROME.EXE
4880 | METAMASK.EXE
412 | RUNING.EXE
3312 | powershell.exe
2996 | powershell.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4500 | GOOGLE CHROME.EXE
Token: SeDebugPrivilege | 4880 | METAMASK.EXE
Token: SeDebugPrivilege | 412 | RUNING.EXE
Token: SeDebugPrivilege | 2996 | powershell.exe
Token: SeDebugPrivilege | 3312 | powershell.exe
Token: SeDebugPrivilege | 2328 | RegAsm.exe
Token: SeDebugPrivilege | 4632 | powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4856 wrote to memory of 3692 | 4856 | PureRcsAdvTokenGrabbernls..scr | 82
PID 4856 wrote to memory of 4500 | 4856 | PureRcsAdvTokenGrabbernls..scr | 83
PID 4856 wrote to memory of 4880 | 4856 | PureRcsAdvTokenGrabbernls..scr | 84
PID 4856 wrote to memory of 412 | 4856 | PureRcsAdvTokenGrabbernls..scr | 85
PID 3692 wrote to memory of 4244 | 3692 | EDGE.EXE | 86
PID 412 wrote to memory of 3312 | 412 | RUNING.EXE | 87
PID 4500 wrote to memory of 2996 | 4500 | GOOGLE CHROME.EXE | 88
PID 4500 wrote to memory of 3284 | 4500 | GOOGLE CHROME.EXE | 92
PID 412 wrote to memory of 2392 | 412 | RUNING.EXE | 91
PID 412 wrote to memory of 2328 | 412 | RUNING.EXE | 93
PID 2328 wrote to memory of 3372 | 2328 | RegAsm.exe | 94
PID 4880 wrote to memory of 4632 | 4880 | METAMASK.EXE | 95
PID 4880 wrote to memory of 2724 | 4880 | METAMASK.EXE | 96
Processes

C:\Users\Admin\AppData\Local\Temp\PureRcsAdvTokenGrabbernls..scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\PureRcsAdvTokenGrabbernls..scr" /S
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4856

    C:\Users\Admin\AppData\Local\Temp\EDGE.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\EDGE.EXE"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3692

        C:\Users\Admin\AppData\Local\Temp\EDGE.EXE
          Command line: "C:\Users\Admin\AppData\Local\Temp\EDGE.EXE"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4244

    C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4500

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Google Chrome';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Google Chrome' -Value '"C:\Users\Admin\AppData\Roaming\Google Chrome\Google Chrome.exe"' -PropertyType 'String'
          - Adds Run key to start application
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2996

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          - System Location Discovery: System Language Discovery
          PID: 3284

    C:\Users\Admin\AppData\Local\Temp\METAMASK.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\METAMASK.EXE"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4880

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'MetaMask';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'MetaMask' -Value '"C:\Users\Admin\AppData\Roaming\MetaMask\MetaMask.exe"' -PropertyType 'String'
          - Adds Run key to start application
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 4632

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          - System Location Discovery: System Language Discovery
          PID: 2724

    C:\Users\Admin\AppData\Local\Temp\RUNING.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\RUNING.EXE"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 412

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Runing';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Runing' -Value '"C:\Users\Admin\AppData\Roaming\Runing\Runing.exe"' -PropertyType 'String'
          - Adds Run key to start application
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3312

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          PID: 2392

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2328

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              - System Location Discovery: System Language Discovery
              PID: 3372
Network
MITRE ATT&CK Enterprise v15
Downloads