Overview

overview

10

Static

static

3

9409521653...ce.exe

windows7-x64

10

9409521653...ce.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    30-06-2024 04:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe

  • Size

    39.9MB

  • MD5

    e1a72f7e4426c8d5e849459fa7c7e476

  • SHA1

    e1101a053ebe7cf5dc44f4f4ea787be113cae10f

  • SHA256

    9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece

  • SHA512

    0a2830e2f9e1872a98996f4221f1e81a33e8927e087397e7b3342fe79333974d030d8ff4176746c9cfd78eeb382d46a88023709c2e003b6a1ba00d883ee4426f

  • SSDEEP

    786432:sxGPxJDr/A/brZCaMhEDL/BpYE0dkt3ZL3PDnsilllqs7GIKScPml8tBW:oGJJDrYPZCaEWLxVfDnplllpzMW

Score
10/10
asyncratquasarxwormdefaultoffice04slaveexecutionratspywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes
  • encryption_key

    ql4fQ8TV9ZFP9vRX2myA

  • install_name

    $sxr~Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $77STARTUP~MSF

  • subdirectory

    $sxr~SubDir

Extracted

Family

xworm

C2

best-bird.gl.at.ply.gg:27196

super-nearest.gl.at.ply.gg:17835

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

history-foo.gl.at.ply.gg:42349

Mutex

2beddbf7-c691-4058-94c7-f54389b4a581

Attributes
  • encryption_key

    CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect Xworm Payload 4 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe
    "C:\Users\Admin\AppData\Local\Temp\9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Users\Admin\AppData\Local\Temp\hat.exe
      "C:\Users\Admin\AppData\Local\Temp\hat.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1632
    • C:\Users\Admin\AppData\Local\Temp\mshta.exe
      "C:\Users\Admin\AppData\Local\Temp\mshta.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mshta.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:828
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1512
    • C:\Users\Admin\AppData\Local\Temp\ONPE.exe
      "C:\Users\Admin\AppData\Local\Temp\ONPE.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2080
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:900
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2336
    • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2056
    • C:\Users\Admin\AppData\Local\Temp\index.exe
      "C:\Users\Admin\AppData\Local\Temp\index.exe"
      2⤵
      • Executes dropped EXE
      PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    Filesize

    3.1MB

    MD5

    3609d79a3bd384ec00861417a1795932

    SHA1

    1e2beac3970f2debf5376ed1c4197380d1b1ab39

    SHA256

    ac77d98fe33fad34e96b6679e70dfb7fe1664249c8961da35b780ff0ef9feb80

    SHA512

    9ffcec4d0cf24bd199f26eda0b3f1528c9c46224ebc415f9adfe189af9ac2900fbfbb47dc29ba8b9f05b9e53d5b9907d3c51b753ce5d3e694029a86c624c8019

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ONPE.exe
    Filesize

    63KB

    MD5

    27fe9341167a34f606b800303ac54b1f

    SHA1

    86373d218b48361bff1c23ddd08b6ab1803a51d0

    SHA256

    29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d

    SHA512

    05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\hat.exe
    Filesize

    409KB

    MD5

    e10c7425705b2bd3214fa96247ee21c4

    SHA1

    7603536b97ab6337fa023bafcf80579c2b4059e6

    SHA256

    021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4

    SHA512

    47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\index.exe
    Filesize

    36.2MB

    MD5

    3c9563aff1bd31ffa1692db8bf1526a6

    SHA1

    b9038ff03f20441170548f3910f141d58f46e46f

    SHA256

    c722b281827e42918c087b7466b6afcf11fe715d45178556f4ecacee6edbdac2

    SHA512

    1ca5915b8f9b9e2fd34100cd9a4d4d5ccfd106e8c32189ddce90ec06073982871a8ae318051e9afe93247df89a5425efdea346014e2c16005e1193842b18ce0b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\mshta.exe
    Filesize

    67KB

    MD5

    092a0c6fe885844fd74947e64e7fc11e

    SHA1

    bfe46f64f36f2e927d862a1a787f146ed2c01219

    SHA256

    91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2

    SHA512

    022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    79KB

    MD5

    1f1b23752df3d29e7604ba52aea85862

    SHA1

    bb582c6cf022098b171c4c9c7318a51de29ebcf4

    SHA256

    4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960

    SHA512

    d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    9179c66d19e59aac944abc86d0f52c83

    SHA1

    585a9c3d4dc37969a2e86e680e9f706751eba740

    SHA256

    e98af8cb1e7c5f6cf2879b727ce71fa8e85cd33dcad3a1aa76033998f1c8a857

    SHA512

    3e7f2eb3dd00b9d99807a09dd77c5748e2698e763dc97fa504a7edd2fb93ecf0130078088aab3b9df83afad45f311a045112c07699c8ec1c034c2d6a5c0f5bf6

    Download Submit
  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/828-44-0x0000000001C10000-0x0000000001C18000-memory.dmp
    Filesize

    32KB

    Download
  • memory/828-43-0x000000001B6E0000-0x000000001B9C2000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2028-31-0x0000000000290000-0x00000000002FC000-memory.dmp
    Filesize

    432KB

    Download
  • memory/2056-32-0x00000000012B0000-0x00000000015D4000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2080-20-0x0000000000DD0000-0x0000000000DE6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/2128-27-0x0000000001000000-0x0000000001018000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2256-0-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2256-1-0x00000000013B0000-0x0000000003B9E000-memory.dmp
    Filesize

    39.9MB

    Download
  • memory/2336-61-0x000000001B7B0000-0x000000001BA92000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2336-62-0x0000000002290000-0x0000000002298000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2700-24-0x0000000000C70000-0x0000000000C8A000-memory.dmp
    Filesize

    104KB

    Download