venomrat | 5e74c2b7ac2d1ad593abac2e47d690a083bf96f1566901e58a5f59d221bc9853

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7
submitted
15-08-2020 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7-Venom.exe
Size

625KB
MD5

8e0459ea44e2e136a66683b4bb1b9c66
SHA1

e675cd144db3f6adeef99c1d790caae6df4d2b49
SHA256

5e74c2b7ac2d1ad593abac2e47d690a083bf96f1566901e58a5f59d221bc9853
SHA512

257f134d34a6016295e2807e1ff94afb84e25897ae5dd346a8c17e5e28e9dbc130055d22adadfd1f31776d4d62c055d204f3f1293df9c58da2daa9244e2f5059

Score

10^/10

rat rootkit stealer venomrat evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 1 IoCs

Processes:

windowsrc.exe

pid	Process
1916	windowsrc.exe

Loads dropped DLL 1 IoCs

Processes:

7-Venom.exe

pid	Process
1516	7-Venom.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

7-Venom.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	7-Venom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	7-Venom.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
1896	schtasks.exe
1064	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

7-Venom.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	7-Venom.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	7-Venom.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exe7-Venom.exe

pid	Process
1960	powershell.exe
1960	powershell.exe
1516	7-Venom.exe
1516	7-Venom.exe
1516	7-Venom.exe
1516	7-Venom.exe
1516	7-Venom.exe
1516	7-Venom.exe
1516	7-Venom.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7-Venom.exepowershell.exewindowsrc.exe

description	pid	Process
Token: SeDebugPrivilege	1516	7-Venom.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1916	windowsrc.exe
Token: SeDebugPrivilege	1916	windowsrc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

windowsrc.exe

pid	Process
1916	windowsrc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

7-Venom.exewindowsrc.execmd.exe

description	pid	Process	procid_target
PID 1516 wrote to memory of 1896	1516	7-Venom.exe	25
PID 1516 wrote to memory of 1896	1516	7-Venom.exe	25
PID 1516 wrote to memory of 1896	1516	7-Venom.exe	25
PID 1516 wrote to memory of 1896	1516	7-Venom.exe	25
PID 1516 wrote to memory of 1916	1516	7-Venom.exe	27
PID 1516 wrote to memory of 1916	1516	7-Venom.exe	27
PID 1516 wrote to memory of 1916	1516	7-Venom.exe	27
PID 1516 wrote to memory of 1916	1516	7-Venom.exe	27
PID 1516 wrote to memory of 1960	1516	7-Venom.exe	28
PID 1516 wrote to memory of 1960	1516	7-Venom.exe	28
PID 1516 wrote to memory of 1960	1516	7-Venom.exe	28
PID 1516 wrote to memory of 1960	1516	7-Venom.exe	28
PID 1916 wrote to memory of 1064	1916	windowsrc.exe	30
PID 1916 wrote to memory of 1064	1916	windowsrc.exe	30
PID 1916 wrote to memory of 1064	1916	windowsrc.exe	30
PID 1916 wrote to memory of 1064	1916	windowsrc.exe	30
PID 1516 wrote to memory of 240	1516	7-Venom.exe	32
PID 1516 wrote to memory of 240	1516	7-Venom.exe	32
PID 1516 wrote to memory of 240	1516	7-Venom.exe	32
PID 1516 wrote to memory of 240	1516	7-Venom.exe	32
PID 240 wrote to memory of 308	240	cmd.exe	34
PID 240 wrote to memory of 308	240	cmd.exe	34
PID 240 wrote to memory of 308	240	cmd.exe	34
PID 240 wrote to memory of 308	240	cmd.exe	34
PID 1516 wrote to memory of 1524	1516	7-Venom.exe	35
PID 1516 wrote to memory of 1524	1516	7-Venom.exe	35
PID 1516 wrote to memory of 1524	1516	7-Venom.exe	35
PID 1516 wrote to memory of 1524	1516	7-Venom.exe	35

C:\Users\Admin\AppData\Local\Temp\7-Venom.exe
"C:\Users\Admin\AppData\Local\Temp\7-Venom.exe"
1⤵
- Loads dropped DLL
- Windows security modification
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Windows Registry Handler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\7-Venom.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1896
- C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe
  "C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Registry Handler" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Vky2JMqM1a5U.bat" "
  2⤵
  PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Vky2JMqM1a5U.bat

Download Submit
C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe

Download Submit
C:\Users\Admin\AppData\Roaming\bin\windowsrc.exe

Download Submit
\Users\Admin\AppData\Roaming\bin\windowsrc.exe

Download Submit
memory/240-50-0x0000000000000000-mapping.dmp

Download
memory/308-52-0x0000000000000000-mapping.dmp

Download
memory/308-51-0x0000000000000000-mapping.dmp

Download
memory/1064-15-0x0000000000000000-mapping.dmp

Download
memory/1516-1-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1516-0-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1524-53-0x0000000000000000-mapping.dmp

Download
memory/1896-3-0x0000000000000000-mapping.dmp

Download
memory/1916-5-0x0000000000000000-mapping.dmp

Download
memory/1916-8-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1916-10-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1960-16-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1960-20-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1960-25-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/1960-26-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/1960-33-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/1960-34-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/1960-48-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/1960-49-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/1960-17-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/1960-14-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1960-13-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1960-12-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-9-0x0000000000000000-mapping.dmp

Download