Overview

overview

10

Static

static

3

Windows Defenders.exe

windows7-x64

10

Windows Defenders.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    15s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    29/01/2025, 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Windows Defenders.exe

  • Size

    82KB

  • MD5

    c83eee916e8a78f97511dd3bce5fd38c

  • SHA1

    0748ee6c65a2c401b8641d39cfff57e087f62154

  • SHA256

    c93d11c96d20e8b20cff7cd018440fa16f6601c047890c48c7e72cb5e0077e02

  • SHA512

    de60264ce73d09266727d5b8be3cda669b8e5f2ae2c68c09dfc9e6f1cfcfc512a3abba459cd55a63bf7f0fa83136bb6d511a16ff7553813a799446faa27f5b51

  • SSDEEP

    1536:gD9iBlgS19xE2VE8NVBxcEu6+rFanqNy7g4FY2qNlnw:gRU119rEMVAEX+4KoFRt

Score
10/10
asyncratxwormdefaultrattrojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

understanding-described.gl.at.ply.gg:3953

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

C2

understanding-described.gl.at.ply.gg:3953

Attributes
  • Install_directory

    %AppData%

  • install_file

    scvhost.exe

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows Defenders.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Defenders.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\AVDG AntiVirus.exe
      "C:\Users\Admin\AppData\Local\Temp\AVDG AntiVirus.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1068
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2496
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp57E0.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2932
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Executes dropped EXE
          PID:1444
    • C:\Users\Admin\AppData\Local\Temp\Avast AntiVirus.exe
      "C:\Users\Admin\AppData\Local\Temp\Avast AntiVirus.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2964

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AVDG AntiVirus.exe
    Filesize

    63KB

    MD5

    014c308c9e085a5204d4af8651710143

    SHA1

    31499e284c9f4d8ede48e88512a89f0c5f68f896

    SHA256

    0e8ac5b96d7b8a6bef8052eaeb57c732dee119379f659cbe7249543dd225f33d

    SHA512

    058f38c23926fcad0367850ce9f91d489111d0bcb06903b9246295e335b6aca2b20cb84065408863d8aab866dfc527742e93d264d6ffa64a86d60c21934fd22f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Avast AntiVirus.exe
    Filesize

    67KB

    MD5

    e317647c04bfe18d171514c96d20a569

    SHA1

    4419cd2d51788d85ded8b8a110b186c10a09aefc

    SHA256

    f61f7e874d0aa814ab9799a363174a2f9ed4284a1537748c06d736070d2c20a6

    SHA512

    3da0e895f20188332db8c8a0562452d18e7676c4c461bab31e05c1d53202e38e0217804ec12d4d3aa68610e0573e8d54d16629d94dd7238f61925a2a3ca6319e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp57E0.tmp.bat
    Filesize

    151B

    MD5

    05394ed8c6957358f83a996d00886d0d

    SHA1

    e3a7fb249ea0d73c78cbd9ece9701f4b9cc6c2aa

    SHA256

    8db3d1d596ffac8375b1f488fccd8e71994ef45aab2daae74a959fcd94329b47

    SHA512

    7f7ba1727b16d713474cf84985832036ab79c28e2d708b719125335a4160ecb2829720d761601b336216932665b9f9ef35382bc888b722bc1b5caa82e51023d9

    Download Submit

  • memory/1444-30-0x00000000008D0000-0x00000000008E6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1780-14-0x0000000000280000-0x0000000000298000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2808-9-0x0000000001210000-0x0000000001226000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2808-15-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2808-26-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2868-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2868-1-0x0000000000090000-0x00000000000AA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2868-2-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2868-16-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

    Filesize

    9.9MB

    Download