Analysis
max time kernel: 173s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2022 13:01
Static task: static1
Behavioral task: behavioral1
    Sample: URFT06GSBAWRP_001_PDF.exe
    Resource: win7-20220812-en
Behavioral task: behavioral2
    Sample: URFT06GSBAWRP_001_PDF.exe
    Resource: win10v2004-20220812-en
General
Target: URFT06GSBAWRP_001_PDF.exe
Size: 300.0MB
MD5: 464753cd8a6523de0fba921ce6846177
SHA1: 6b3b77af1129f9ad86acc31163d8450eacb4dbd3
SHA256: 3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092
SHA512: 589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2
SSDEEP: 3072:1iJZ3k2p8jrvVIYkwur2JMBZ6kINhCRFuaABOUEs64BRg40nOFblHTgr4:1OyRr9u1KJkZ6dIYBUeBRgOlWU
Malware Config
Extracted
Family: asyncrat
Version: Venom RAT 5.0.5
Venom Clients (C2): resulttoday2.duckdns.org:6111
Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
delay: 1
install: false
install_folder: %AppData%
Signatures

Async RAT payload (1 IoC)
    resource                                                                      yara_rule
    behavioral2/memory/3268-139-0x0000000000400000-0x0000000000416000-memory.dmp  asyncrat

Executes dropped EXE (2 IoCs)
    pid   process
    1300  opetr.exe
    3336  opetr.exe

Uses the VBS compiler for execution (1 TTP)
    The host binary is vbc.exe under C:\Windows\Microsoft.NET\Framework\v4.0.30319, the Visual Basic .NET compiler that ships with the .NET Framework, not the VBScript engine.

Suspicious use of SetThreadContext (2 IoCs)
    pid   process                    target pid  target process
    5064  URFT06GSBAWRP_001_PDF.exe  3268        vbc.exe
    1300  opetr.exe                  1616        vbc.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid   process
    1428  schtasks.exe
    5068  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description              pid   process
    Token: SeDebugPrivilege  3268  vbc.exe
    Token: SeDebugPrivilege  1616  vbc.exe

Suspicious use of WriteProcessMemory (34 IoCs)
The 34 calls collapse to eight parent/target pairs; the last column is the number of calls recorded for each pair.
    pid   process                    target pid  target process  calls
    5064  URFT06GSBAWRP_001_PDF.exe  4144        cmd.exe         3
    4144  cmd.exe                    5068        schtasks.exe    3
    5064  URFT06GSBAWRP_001_PDF.exe  3100        cmd.exe         3
    5064  URFT06GSBAWRP_001_PDF.exe  3268        vbc.exe         8
    1300  opetr.exe                  2228        cmd.exe         3
    1300  opetr.exe                  1892        cmd.exe         3
    2228  cmd.exe                    1428        schtasks.exe    3
    1300  opetr.exe                  1616        vbc.exe         8
Processes
C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe"
    [Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
    +-- C:\Windows\SysWOW64\cmd.exe
    |       "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
    |       [Suspicious use of WriteProcessMemory]
    |       +-- C:\Windows\SysWOW64\schtasks.exe
    |               schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
    |               [Creates scheduled task(s)]
    +-- C:\Windows\SysWOW64\cmd.exe
    |       "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe" "C:\Users\Admin\AppData\Roaming\opetr.exe"
    +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            [Suspicious use of AdjustPrivilegeToken]

C:\Users\Admin\AppData\Roaming\opetr.exe
    C:\Users\Admin\AppData\Roaming\opetr.exe
    [Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory]
    +-- C:\Windows\SysWOW64\cmd.exe
    |       "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
    |       [Suspicious use of WriteProcessMemory]
    |       +-- C:\Windows\SysWOW64\schtasks.exe
    |               schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
    |               [Creates scheduled task(s)]
    +-- C:\Windows\SysWOW64\cmd.exe
    |       "cmd" /c copy "C:\Users\Admin\AppData\Roaming\opetr.exe" "C:\Users\Admin\AppData\Roaming\opetr.exe"
    +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            [Suspicious use of AdjustPrivilegeToken]

C:\Users\Admin\AppData\Roaming\opetr.exe
    C:\Users\Admin\AppData\Roaming\opetr.exe
    [Executes dropped EXE]
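Two points the tables above support but do not state outright: the extracted config has install = false, yet the sample persists anyway, because the scheduled task and the copy to %AppData%\opetr.exe are issued by the loader stage (pids 5064 and 1300), not by the hollowed vbc.exe payload that the config belongs to; and the second stage's copy command has identical source and destination. The following Python is an added triage example, not part of the sandbox report or of any vendor tooling. It takes the SetThreadContext events and the cmd.exe command lines exactly as they appear above (constructed inline from the report) and re-derives the hollowing pairs, the persistence task's properties and the self-copy. The list of hollowing hosts, the user-writable path pattern and the interval threshold are this example's assumptions; the report only shows vbc.exe, %AppData%\Roaming and a one-minute task.

```python
"""Added triage example: re-derive the report's flagged behaviours from its own
event lines. Event strings and command lines are copied from the report; the
regexes, the host allow-list and the thresholds are assumptions of this example."""
import re

# Copied from the "Suspicious use of SetThreadContext" signature.
SET_THREAD_CONTEXT_EVENTS = """
PID 5064 set thread context of 3268 5064 URFT06GSBAWRP_001_PDF.exe vbc.exe
PID 1300 set thread context of 1616 1300 opetr.exe vbc.exe
"""

# Copied from the process tree (the cmd.exe children of both stages).
COMMAND_LINES = [
    r'''"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f''',
    r'''"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe" "C:\Users\Admin\AppData\Roaming\opetr.exe"''',
    r'''"cmd" /c copy "C:\Users\Admin\AppData\Roaming\opetr.exe" "C:\Users\Admin\AppData\Roaming\opetr.exe"''',
]

# Assumption: signed .NET toolchain binaries commonly used as hollowing hosts
# by AsyncRAT-family loaders. The report itself only shows vbc.exe.
HOLLOWING_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe",
                   "regsvcs.exe", "aspnet_compiler.exe", "installutil.exe"}

# Assumption: directories any interactive user can write to.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Users\\Public\\|\\Temp\\",
                           re.IGNORECASE)

# Shape of the sandbox's SetThreadContext line: "PID <parent> set thread context
# of <child> <parent> <parent image> <child image>".
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")


def hollowing_candidates(events):
    """SetThreadContext calls whose target is a known hollowing host.

    Returns a list of (parent_pid, parent_image, child_pid, child_image).
    Pointing a child's suspended main thread at injected code is the step
    where a hollowing loader hands control to its payload, so a loader ->
    vbc.exe pair here is the signal worth alerting on.
    """
    hits = []
    for m in CTX_RE.finditer(events):
        ppid, cpid, pimg, cimg = m.groups()
        if cimg.lower() in HOLLOWING_HOSTS:
            hits.append((int(ppid), pimg, int(cpid), cimg))
    return hits


def parse_schtasks(cmdline):
    """Pull the switches that matter from a `schtasks /create` command line.

    Returns None when the line is not a schtasks /create. The /tr value is
    unwrapped from the "'...'" double quoting seen in the report.
    """
    if not re.search(r"\bschtasks(\.exe)?\s+/create\b", cmdline, re.IGNORECASE):
        return None

    def switch(name, quoted):
        pat = (r'/%s\s+"([^"]*)"' if quoted else r"/%s\s+(\S+)") % name
        m = re.search(pat, cmdline, re.IGNORECASE)
        return m.group(1) if m else None

    action = switch("tr", quoted=True) or ""
    return {
        "schedule": (switch("sc", quoted=False) or "").lower(),
        "modifier": int(switch("mo", quoted=False) or 0),
        "name": switch("tn", quoted=True),
        "action": action.strip("'"),
        "force": bool(re.search(r"\s/f(\s|$)", cmdline, re.IGNORECASE)),
    }


def triage_schtasks(cmdline, max_minutes=5):
    """Return (task, reasons) for a schtasks /create line, or None otherwise.

    reasons is empty for a task that trips none of the (assumed) heuristics.
    """
    task = parse_schtasks(cmdline)
    if task is None:
        return None
    reasons = []
    if task["schedule"] == "minute" and 0 < task["modifier"] <= max_minutes:
        reasons.append("fires every %d minute(s): restart-on-kill persistence" % task["modifier"])
    if USER_WRITABLE.search(task["action"]):
        reasons.append("action runs from a user-writable path: " + task["action"])
    if task["force"]:
        reasons.append("/f silently replaces any existing task of that name")
    return task, reasons


def copy_onto_itself(cmdline):
    """True when a `copy` has identical source and destination, as in the
    second stage above (opetr.exe copying itself over itself)."""
    m = re.search(r'\bcopy\s+"([^"]+)"\s+"([^"]+)"', cmdline, re.IGNORECASE)
    return bool(m) and m.group(1).lower() == m.group(2).lower()


if __name__ == "__main__":
    for ppid, pimg, cpid, cimg in hollowing_candidates(SET_THREAD_CONTEXT_EVENTS):
        print("hollowing: %s (%d) -> %s (%d)" % (pimg, ppid, cimg, cpid))
    for line in COMMAND_LINES:
        result = triage_schtasks(line)
        if result:
            task, reasons = result
            print("task %r: %s" % (task["name"], "; ".join(reasons) or "nothing flagged"))
        if copy_onto_itself(line):
            print("copy with identical source and destination: " + line)
```

On a live host the same three checks map onto Sysmon event ID 1 command lines (for the schtasks and copy rules) and onto a `schtasks /query /v /fo csv` or Task Scheduler export (for the task properties); the SetThreadContext pair has no Sysmon equivalent and is best caught by the sandbox or an EDR that hooks thread context changes.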
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\opetr.exe.log
    Filesize: 612B
    MD5: ca95b0db0b212857216268544c58e741
    SHA1: 5c2fd4ee1dc02d9412a19454562129f97bf930b5
    SHA256: bdcf4429adc6ee689394b8ea1628e98bac4d0b7f8d735e5bf9e96218a41cd6f0
    SHA512: c3d83412ec5c6dd7398c7ec0ae73838eed3f9e6e539771066378d74479092bc18f73deac581c3e5f053487eef1ae432a565eec2aa706c7ddf16d5855cb0e70bb

C:\Users\Admin\AppData\Roaming\opetr.exe
    Filesize: 300.0MB
    MD5: 464753cd8a6523de0fba921ce6846177
    SHA1: 6b3b77af1129f9ad86acc31163d8450eacb4dbd3
    SHA256: 3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092
    SHA512: 589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2
    (size and all four hashes are identical to the submitted sample)

C:\Users\Admin\AppData\Roaming\opetr.exe
    (second capture of the same path; size and hashes identical to the entry above)

C:\Users\Admin\AppData\Roaming\opetr.exe
    Filesize: 103.4MB
    MD5: d30be46d8fb913d458db5205587a6483
    SHA1: a424bc4c89c9f21bd86cb2b8c501dd0df44c2c21
    SHA256: f4a9f0ca1baaed7ea8e8b2a6b456ce9627e600a6bc946a109fad12f3b75adff8
    SHA512: cc7887a4af2c23c6f080b4d2b3173f9be7b6e4efc21cd816f58c1a5841c4aefebaef13fd6f62b45963848a116e454205d83ab5db4c30bb5a9d43511a334b664f
    (third capture of the same path with a different size and hashes)

Memory dumps
    memory/1428-144-0x0000000000000000-mapping.dmp
    memory/1616-145-0x0000000000000000-mapping.dmp
    memory/1892-143-0x0000000000000000-mapping.dmp
    memory/2228-142-0x0000000000000000-mapping.dmp
    memory/3100-137-0x0000000000000000-mapping.dmp
    memory/3268-138-0x0000000000000000-mapping.dmp
    memory/3268-139-0x0000000000400000-0x0000000000416000-memory.dmp    Filesize: 88KB
    memory/4144-134-0x0000000000000000-mapping.dmp
    memory/5064-136-0x0000000005710000-0x0000000005CB4000-memory.dmp    Filesize: 5.6MB
    memory/5064-132-0x00000000004C0000-0x00000000004F2000-memory.dmp    Filesize: 200KB
    memory/5064-133-0x00000000050F0000-0x0000000005156000-memory.dmp    Filesize: 408KB
    memory/5068-135-0x0000000000000000-mapping.dmp