Analysis

  • max time kernel
    137s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 14:35

General

  • Target

    PureRcsAdvTokenGrabbernls..scr

  • Size

    3.0MB

  • MD5

    29ee9836013142f0f63c6813944c7021

  • SHA1

    90781c0a4d3fe85d1582eb1ca4c5aa910ee85b78

  • SHA256

    7382071535d0b83a8ee62e72c29e8f42d433b29238c4c86cfba7c4de4d6ad6b1

  • SHA512

    482d95357c48dbe380b90980a626fc04446de10e83e31dfbe850de94942091b86f01b83c2efe4517b887b8c288b0689e64809f5ad174deca759eeb9594d2e47e

  • SSDEEP

    49152:oXWsTEkwghTKv4jysGUqgCoOtt1JKLBuhFapNyPn7MU4HcOL:oXFEkwghTKv4jysGUqgCxttiBmas7+8

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MetaMask

C2

51.103.217.70:6677

Mutex

MetaMask

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Google Chrome

C2

51.103.217.70:8585

Mutex

Google Chrome

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Expoler

C2

51.103.217.70:6677

Mutex

Expoler

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Windows Defender

C2

51.103.217.70:8585

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PureRcsAdvTokenGrabbernls..scr
    "C:\Users\Admin\AppData\Local\Temp\PureRcsAdvTokenGrabbernls..scr" /S
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Users\Admin\AppData\Local\Temp\EDGE.EXE
      "C:\Users\Admin\AppData\Local\Temp\EDGE.EXE"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Users\Admin\AppData\Local\Temp\EDGE.EXE
        "C:\Users\Admin\AppData\Local\Temp\EDGE.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4244
    • C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE
      "C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Google Chrome';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Google Chrome' -Value '"C:\Users\Admin\AppData\Roaming\Google Chrome\Google Chrome.exe"' -PropertyType 'String'
        3⤵
        • Adds Run key to start application
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2996
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        #cmd
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3284
    • C:\Users\Admin\AppData\Local\Temp\METAMASK.EXE
      "C:\Users\Admin\AppData\Local\Temp\METAMASK.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'MetaMask';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'MetaMask' -Value '"C:\Users\Admin\AppData\Roaming\MetaMask\MetaMask.exe"' -PropertyType 'String'
        3⤵
        • Adds Run key to start application
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4632
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        #cmd
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2724
    • C:\Users\Admin\AppData\Local\Temp\RUNING.EXE
      "C:\Users\Admin\AppData\Local\Temp\RUNING.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:412
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Runing';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Runing' -Value '"C:\Users\Admin\AppData\Roaming\Runing\Runing.exe"' -PropertyType 'String'
        3⤵
        • Adds Run key to start application
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3312
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        #cmd
        3⤵
          PID:2392
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          #cmd
          3⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2328
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

      Filesize

      323B

      MD5

      4af72c00db90b95c23cc32823c5b0453

      SHA1

      80f3754f05c09278987cba54e34b76f1ddbee5fd

      SHA256

      5a99dc099cb5297a4d7714af94b14f170d8a0506899c82d6b8231a220f8dba5d

      SHA512

      47aa798c4822bfd0b2a9110fcd1531494da99cf6e4aba5b59bfc36e21fcb1bdb5378189318bbb8519f0e8be732d90637f787ab63997d106bbcff31396155f9ef

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      9faf6f9cd1992cdebfd8e34b48ea9330

      SHA1

      ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

      SHA256

      0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

      SHA512

      05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      19KB

      MD5

      508a91a2094b619949f2c7d66afb44ac

      SHA1

      658d06224ef98ef6bbcd434ced56a8d6817b3ebd

      SHA256

      d4f856dae5a6aa8755f14c90f496bcca544d1e6f99c0f9e9cefa9ed5c62be012

      SHA512

      818cd1dc8f882397a39abcb9025e9394fe608ad6884acebf5caa0a19afdbbc36d2def9cffea33610b18e9ff831de8375e8be75edbf3da3507b21822529bdcb07

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      19KB

      MD5

      27cb8831db17531025418f161d761139

      SHA1

      3f4377a7addf84043d7111b0579c87b9cdec8e3a

      SHA256

      4b44bda621a3ab7017fc9699c0caae5a1abb62518bab83d22965c83e8d90e01f

      SHA512

      892682e72e0b592f4caa6c656b403dad508fe49903fb691fda724a1307952df7de059e1b68326bec813941d41e8c1a1b44d203b2771da5fe065c989d6f7aeb49

    • C:\Users\Admin\AppData\Local\Temp\EDGE.EXE

      Filesize

      2.6MB

      MD5

      7820977c8b4d71e342f1a9500c1c631d

      SHA1

      d7e474fbe898efce9d91fa0efe8d9c5819377ad8

      SHA256

      b7a375b496836bdb609b2ad063a8909dd3f35e045a6e75f951d3d7f5d224c945

      SHA512

      ec4060c357f2b690b93ae27e6b9662cb50ee4149964418d6fb957fc9f613909cc01fe50a133d737057ff540335dd6979f2cef383df534fef07c60ba0b2d10713

    • C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE

      Filesize

      79KB

      MD5

      a19ec34df640568c43c292a89c383ee1

      SHA1

      23753f88ff613085e363fed6246a3b08a78bf1df

      SHA256

      9b4298ad3fef1f609e9c34fa9471fc2b76bd6f5542823b66ace638b8c2edb079

      SHA512

      735f633aa99b70b486b895421841c5b7dd88e475e8c7e120d9b4054fad0989a23c61c13519a10fca9b575ec92949f7475065af34983606f4ba551e82b76e3f91

    • C:\Users\Admin\AppData\Local\Temp\METAMASK.EXE

      Filesize

      79KB

      MD5

      fa838d62246223fa79f7a7358691584c

      SHA1

      23d6f3ae392937a6c28d2159cc816dc5ee96d82a

      SHA256

      24e0ae5106103bb66889229dd18b796f4923727093113ca289c7039189bda19c

      SHA512

      b9a2ad7eb1f415f492e68fab97b302cd56e6ac1f0f4523a46078b8fbd5d22ac2178b9d5968a0abe9fb3855ac33ef26421b760dbdfb962343cbd291fa6a2a4b8c

    • C:\Users\Admin\AppData\Local\Temp\RUNING.EXE

      Filesize

      189KB

      MD5

      31c7b3f88bae3c9072ceb9c78cef1281

      SHA1

      43a5bd5efc6d7d91ccd41041f4532ad7813c5a57

      SHA256

      9dd3d01dc695d1e89ee6b31df506edb50d986bfae0f9082f945d0d802901cc24

      SHA512

      a9273ef41c7f4677bd6c2d328bd47cc57219eb36c04d96acc10c4da16d3525183fe2ba08ff91a7067a50d8be5623240ca3d09fc645576b4b1dedd16277ebadf9

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_twuwqcvh.o2a.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/412-53-0x00000000006A0000-0x00000000006D6000-memory.dmp

      Filesize

      216KB

    • memory/2328-68-0x0000000002A70000-0x0000000002A7A000-memory.dmp

      Filesize

      40KB

    • memory/2328-64-0x0000000000400000-0x0000000000432000-memory.dmp

      Filesize

      200KB

    • memory/2724-124-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/2996-154-0x0000000007F90000-0x0000000007FB2000-memory.dmp

      Filesize

      136KB

    • memory/2996-126-0x0000000008310000-0x000000000898A000-memory.dmp

      Filesize

      6.5MB

    • memory/2996-143-0x0000000007F50000-0x0000000007F58000-memory.dmp

      Filesize

      32KB

    • memory/2996-127-0x0000000007A20000-0x0000000007A3A000-memory.dmp

      Filesize

      104KB

    • memory/2996-140-0x0000000007E60000-0x0000000007E6E000-memory.dmp

      Filesize

      56KB

    • memory/2996-141-0x0000000007E70000-0x0000000007E84000-memory.dmp

      Filesize

      80KB

    • memory/2996-69-0x0000000005B30000-0x0000000006158000-memory.dmp

      Filesize

      6.2MB

    • memory/2996-110-0x0000000070130000-0x000000007017C000-memory.dmp

      Filesize

      304KB

    • memory/2996-142-0x0000000007F70000-0x0000000007F8A000-memory.dmp

      Filesize

      104KB

    • memory/2996-82-0x0000000006340000-0x0000000006694000-memory.dmp

      Filesize

      3.3MB

    • memory/3284-62-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/3312-109-0x0000000007A10000-0x0000000007AB3000-memory.dmp

      Filesize

      652KB

    • memory/3312-98-0x0000000070130000-0x000000007017C000-memory.dmp

      Filesize

      304KB

    • memory/3312-70-0x0000000005860000-0x0000000005882000-memory.dmp

      Filesize

      136KB

    • memory/3312-95-0x0000000006810000-0x000000000682E000-memory.dmp

      Filesize

      120KB

    • memory/3312-96-0x0000000006850000-0x000000000689C000-memory.dmp

      Filesize

      304KB

    • memory/3312-97-0x0000000006DF0000-0x0000000006E22000-memory.dmp

      Filesize

      200KB

    • memory/3312-108-0x0000000006E30000-0x0000000006E4E000-memory.dmp

      Filesize

      120KB

    • memory/3312-128-0x0000000007BC0000-0x0000000007BCA000-memory.dmp

      Filesize

      40KB

    • memory/3312-72-0x00000000061A0000-0x0000000006206000-memory.dmp

      Filesize

      408KB

    • memory/3312-71-0x0000000006030000-0x0000000006096000-memory.dmp

      Filesize

      408KB

    • memory/3312-139-0x0000000007D50000-0x0000000007D61000-memory.dmp

      Filesize

      68KB

    • memory/3312-66-0x0000000005250000-0x0000000005286000-memory.dmp

      Filesize

      216KB

    • memory/3312-138-0x0000000007DD0000-0x0000000007E66000-memory.dmp

      Filesize

      600KB

    • memory/3372-94-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/3692-56-0x0000000006480000-0x00000000064BA000-memory.dmp

      Filesize

      232KB

    • memory/3692-48-0x0000000005580000-0x000000000561C000-memory.dmp

      Filesize

      624KB

    • memory/3692-46-0x00000000008E0000-0x0000000000B7E000-memory.dmp

      Filesize

      2.6MB

    • memory/3692-21-0x00000000733BE000-0x00000000733BF000-memory.dmp

      Filesize

      4KB

    • memory/4244-57-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/4500-67-0x00000000733B0000-0x0000000073B60000-memory.dmp

      Filesize

      7.7MB

    • memory/4500-50-0x00000000733B0000-0x0000000073B60000-memory.dmp

      Filesize

      7.7MB

    • memory/4500-33-0x00000000009A0000-0x00000000009BA000-memory.dmp

      Filesize

      104KB

    • memory/4632-144-0x0000000070130000-0x000000007017C000-memory.dmp

      Filesize

      304KB

    • memory/4880-125-0x00000000733B0000-0x0000000073B60000-memory.dmp

      Filesize

      7.7MB

    • memory/4880-51-0x0000000005870000-0x0000000005E14000-memory.dmp

      Filesize

      5.6MB

    • memory/4880-54-0x00000000733B0000-0x0000000073B60000-memory.dmp

      Filesize

      7.7MB

    • memory/4880-45-0x0000000000AF0000-0x0000000000B0A000-memory.dmp

      Filesize

      104KB