Overview

overview

9

Static

static

a6790b9459...cc.rar

windows10-2004-x64

9

Resubmissions

07/09/2022, 00:37

220907-aym62sgacp 9

07/09/2022, 00:29

220907-ataedsgabr 10

Analysis

  • max time kernel
    508s
  • max time network
    510s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/09/2022, 00:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc.rar

  • Size

    1.6MB

  • MD5

    3c631b8a295f115daecd22d097026312

  • SHA1

    776517116dbd2dd5faa7bf79796f868eaabd3513

  • SHA256

    a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc

  • SHA512

    81914c1dc797127e598b30e53c1422fe9b1a9e960ca03ad670e8b29e7a57dfcc88ebb367602bce1efca45a4cd2d379ba18000fd0b27b8cddba062495a95628b9

  • SSDEEP

    49152:tPgnrgcNTSpj28CxsnbPMxkiFLf4uEXYzMh:twhi2zsynFLQXYIh

Score
9/10
collectionevasion

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc.rar
    1⤵
    • Modifies registry class
    PID:4896
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4604
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4952
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\" -spe -an -ai#7zMap17318:208:7zEvent28263
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3932
    • C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\CRACKED Venom Rootkit\VenomRootKit_cracked.exe
      "C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\CRACKED Venom Rootkit\VenomRootKit_cracked.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Executes dropped EXE
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\CRACKED Venom Rootkit\VenomRootKit_cracked.exe
        "{path}"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4928
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:2264
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1144
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:3212
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show profile
                5⤵
                  PID:4832
                • C:\Windows\SysWOW64\findstr.exe
                  findstr All
                  5⤵
                    PID:768
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C tasklist /FO TABLE > "C:\Users\Admin\AppData\Local\Temp\3873d8888a3836bc92341667cb978e5e\0f79cba149a8da92ce38d8b34e9b0240\processes.txt"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1352
                  • C:\Windows\SysWOW64\tasklist.exe
                    tasklist /FO TABLE
                    5⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2436
                • C:\Users\Admin\AppData\Local\Temp\CommandCam.exe
                  "C:\Users\Admin\AppData\Local\Temp\CommandCam.exe" /filename "C:\Users\Admin\AppData\Local\Temp\3873d8888a3836bc92341667cb978e5e\0f79cba149a8da92ce38d8b34e9b0240\cam.jpg" /devnum 1
                  4⤵
                  • Executes dropped EXE
                  PID:460
              • C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: AddClipboardFormatListener
                PID:3468
          • C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\CRACKED Venom Rootkit\InstallerVenom.exe
            "C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\CRACKED Venom Rootkit\InstallerVenom.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3976
            • C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\CRACKED Venom Rootkit\InstallerVenom.exe
              "{path}"
              2⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3536
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 1584
                3⤵
                • Program crash
                PID:5080
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3536 -ip 3536
            1⤵
              PID:1968

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallerVenom.exe.log
              Filesize

              1KB

              MD5

              8ec831f3e3a3f77e4a7b9cd32b48384c

              SHA1

              d83f09fd87c5bd86e045873c231c14836e76a05c

              SHA256

              7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

              SHA512

              26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VenomRootKit_cracked.exe.log
              Filesize

              1KB

              MD5

              e08f822522c617a40840c62e4b0fb45e

              SHA1

              ae516dca4da5234be6676d3f234c19ec55725be7

              SHA256

              bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

              SHA512

              894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\3873d8888a3836bc92341667cb978e5e\0f79cba149a8da92ce38d8b34e9b0240\processes.txt
              Filesize

              7KB

              MD5

              5893355d05fa3a2cf12d875dc4ad0bb8

              SHA1

              e06c2622e827055b93443cf4e1df51f7b152a415

              SHA256

              c32da42b58712db430e14f20a7cabfb3449cc340a4f746ca46f8242e6bf6017d

              SHA512

              a620cb9bbd54182210394256ab6cf1737f77dc19636dce74daa81e2cbfa32887855728a7fc3a5c28f5470121e1a337d9b450423eae9de4cb88ee6bd4d3d62a00

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\CommandCam.exe
              Filesize

              63KB

              MD5

              1009e5b3884fffc9926a2e97ccdf8408

              SHA1

              15ef775adbddd1f9515860f322fcfdb1f81fbb49

              SHA256

              e4e7f08d9a9a662b5615e8fcbb6cd3c711ecab6341a60562bbeff9ccca43f7e0

              SHA512

              3a8b777ccca6f29c8bc350711f594e1951afdbce8eb78786d2b3d85f940051635c05ec414768eef956076e41f1e53195f4d6fc20941428f525fc7cbbecc67891

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\CommandCam.exe
              Filesize

              63KB

              MD5

              1009e5b3884fffc9926a2e97ccdf8408

              SHA1

              15ef775adbddd1f9515860f322fcfdb1f81fbb49

              SHA256

              e4e7f08d9a9a662b5615e8fcbb6cd3c711ecab6341a60562bbeff9ccca43f7e0

              SHA512

              3a8b777ccca6f29c8bc350711f594e1951afdbce8eb78786d2b3d85f940051635c05ec414768eef956076e41f1e53195f4d6fc20941428f525fc7cbbecc67891

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\CRACKED Venom Rootkit\InstallerVenom.exe
              Filesize

              4.8MB

              MD5

              ccb8a36201fbd8a7b0d945a849d0d381

              SHA1

              2fe5465e6a974d0e51a7748d35518e33e01f32e7

              SHA256

              c7b9c893fa6b625a0755001a5a881bd0f797ecec40bdd208ac2522985454e46e

              SHA512

              84a3f83ef74830637192b81031614493281bff935f560441c006306925d6d6e8b3450e332bb6e6b15a043aa16e427a80899697a96fa140f1fd667a8d096472ba

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\CRACKED Venom Rootkit\InstallerVenom.exe
              Filesize

              4.8MB

              MD5

              ccb8a36201fbd8a7b0d945a849d0d381

              SHA1

              2fe5465e6a974d0e51a7748d35518e33e01f32e7

              SHA256

              c7b9c893fa6b625a0755001a5a881bd0f797ecec40bdd208ac2522985454e46e

              SHA512

              84a3f83ef74830637192b81031614493281bff935f560441c006306925d6d6e8b3450e332bb6e6b15a043aa16e427a80899697a96fa140f1fd667a8d096472ba

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\CRACKED Venom Rootkit\InstallerVenom.exe
              Filesize

              4.8MB

              MD5

              ccb8a36201fbd8a7b0d945a849d0d381

              SHA1

              2fe5465e6a974d0e51a7748d35518e33e01f32e7

              SHA256

              c7b9c893fa6b625a0755001a5a881bd0f797ecec40bdd208ac2522985454e46e

              SHA512

              84a3f83ef74830637192b81031614493281bff935f560441c006306925d6d6e8b3450e332bb6e6b15a043aa16e427a80899697a96fa140f1fd667a8d096472ba

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\CRACKED Venom Rootkit\VenomRootKit_cracked.exe
              Filesize

              23.8MB

              MD5

              4ff2fd0ee55920b92e95302ef5644f51

              SHA1

              6a6cf34c224d41e11e17e62552254fef6e8a87a2

              SHA256

              d794efea1a6ad5b3e590782ca066fa7166e0b1dd4f0fddde03a7539ca0b4ebe6

              SHA512

              75667a16be2d33f9ac3bec9cb5ed76a11b97e1ef575c963e89f328a552f041baf41fe31f1948bddf97c07e659f1e18bdf3d64452441b7dacc3dde2531905daf4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\CRACKED Venom Rootkit\VenomRootKit_cracked.exe
              Filesize

              23.8MB

              MD5

              4ff2fd0ee55920b92e95302ef5644f51

              SHA1

              6a6cf34c224d41e11e17e62552254fef6e8a87a2

              SHA256

              d794efea1a6ad5b3e590782ca066fa7166e0b1dd4f0fddde03a7539ca0b4ebe6

              SHA512

              75667a16be2d33f9ac3bec9cb5ed76a11b97e1ef575c963e89f328a552f041baf41fe31f1948bddf97c07e659f1e18bdf3d64452441b7dacc3dde2531905daf4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\a6790b94598f37630241e6cd5727f4e1ba0b90dce40bb6302a6e4b52839077cc\CRACKED Venom Rootkit\VenomRootKit_cracked.exe
              Filesize

              23.8MB

              MD5

              4ff2fd0ee55920b92e95302ef5644f51

              SHA1

              6a6cf34c224d41e11e17e62552254fef6e8a87a2

              SHA256

              d794efea1a6ad5b3e590782ca066fa7166e0b1dd4f0fddde03a7539ca0b4ebe6

              SHA512

              75667a16be2d33f9ac3bec9cb5ed76a11b97e1ef575c963e89f328a552f041baf41fe31f1948bddf97c07e659f1e18bdf3d64452441b7dacc3dde2531905daf4

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe
              Filesize

              42KB

              MD5

              998d4888b99734c60802f93fb2daf940

              SHA1

              297a395d096ca67b885134dea1147c270b402c1a

              SHA256

              d63c4166014d50c6321e82e1c6de7c1a2207b0e09f541d1275d0109aa1d191b5

              SHA512

              2658aab48807606dc83c4b822438b5454a3df19f4db015d30b8b330baab6218a8a259bb33a2e57398e3c6823059ea49477b4d79df63fe383a9f4725359899190

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe
              Filesize

              42KB

              MD5

              998d4888b99734c60802f93fb2daf940

              SHA1

              297a395d096ca67b885134dea1147c270b402c1a

              SHA256

              d63c4166014d50c6321e82e1c6de7c1a2207b0e09f541d1275d0109aa1d191b5

              SHA512

              2658aab48807606dc83c4b822438b5454a3df19f4db015d30b8b330baab6218a8a259bb33a2e57398e3c6823059ea49477b4d79df63fe383a9f4725359899190

              Download Submit

            • memory/460-181-0x0000000070420000-0x0000000070459000-memory.dmp

              Filesize

              228KB

              Download

            • memory/2264-171-0x0000000005860000-0x0000000005872000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2264-169-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-153-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-154-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-155-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-156-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-164-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-167-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-166-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-148-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-161-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-160-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-170-0x0000000005830000-0x000000000583A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2264-158-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-152-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-151-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/2264-150-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/3468-185-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3536-188-0x0000000000400000-0x000000000040A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3544-137-0x00000000052D0000-0x00000000052DA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3544-138-0x00000000053F0000-0x000000000548C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/3544-136-0x0000000005110000-0x00000000051A2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/3544-142-0x0000000006280000-0x00000000062E6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/3544-135-0x000000000AD90000-0x000000000B334000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/3544-134-0x0000000000680000-0x00000000007DA000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/3976-141-0x00000000009F0000-0x0000000000A6C000-memory.dmp

              Filesize

              496KB

              Download

            • memory/4928-144-0x0000000000400000-0x00000000004B8000-memory.dmp

              Filesize

              736KB

              Download