Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-10-2022 11:08
The signatures, process tree and dropped files below are from the behavioral4 run (URFT06GSBAWRP_001_PDF.exe on win10v2004-20220812-en, x64).
Static task
- static1
Behavioral tasks
- behavioral1: sample 1.msi, resource win7-20220901-en
- behavioral2: sample 1.msi, resource win10v2004-20220812-en
- behavioral3: sample URFT06GSBAWRP_001_PDF.exe, resource win7-20220812-en
- behavioral4: sample URFT06GSBAWRP_001_PDF.exe, resource win10v2004-20220812-en
General
- Target: URFT06GSBAWRP_001_PDF.exe
- Size: 300.0MB
- MD5: 464753cd8a6523de0fba921ce6846177
- SHA1: 6b3b77af1129f9ad86acc31163d8450eacb4dbd3
- SHA256: 3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092
- SHA512: 589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2
- SSDEEP: 3072:1iJZ3k2p8jrvVIYkwur2JMBZ6kINhCRFuaABOUEs64BRg40nOFblHTgr4:1OyRr9u1KJkZ6dIYBUeBRgOlWU
The 300.0MB on-disk size is far larger than any region the process maps (the largest listed below is 5.6MB); inflating a dropper with padding this way is a common trick to stay above the file-size limits of AV scanners and sandbox uploads, so do not rely on size-capped scanning for this sample.
Malware Config
Extracted: asyncrat family, Venom RAT 5.0.5
- C2 (Venom Clients): resulttoday2.duckdns.org:6111
- mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
- delay: 1
- install: false
- install_folder: %AppData%
Note that install is false: the RAT's built-in installer is disabled, and the persistence seen below (copy to %AppData%\opetr.exe plus a scheduled task that fires every minute) is carried out by the outer executable before it injects the payload into vbc.exe. The C2 is a DuckDNS dynamic-DNS name, so block or alert on the hostname rather than on whatever IP it resolved to during the run.
Signatures
- Async RAT payload (1 IoC)
  yara rule asyncrat matched behavioral4/memory/2692-140-0x00000000007E0000-0x00000000007F6000-memory.dmp
- Executes dropped EXE (2 IoCs)
  PID 4672 opetr.exe
  PID 4748 opetr.exe
- Uses the Visual Basic compiler (vbc.exe) for execution (1 TTP)
  vbc.exe is the .NET Framework Visual Basic compiler, a signed Microsoft binary; here it is started with no arguments purely as a host process for the injected payload.
- Suspicious use of SetThreadContext (3 IoCs)
  PID 2260 URFT06GSBAWRP_001_PDF.exe set thread context of 2692 vbc.exe
  PID 4672 opetr.exe set thread context of 2832 vbc.exe
  PID 4748 opetr.exe set thread context of 3488 vbc.exe
  Each parent spawns vbc.exe, writes into it (see WriteProcessMemory below) and then resets the child's thread context, which is the process hollowing pattern; the asyncrat YARA match on PID 2692's memory confirms the RAT runs inside vbc.exe rather than in the file on disk.
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3872 schtasks.exe
  PID 2932 schtasks.exe
  PID 4648 schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 2692 vbc.exe: Token SeDebugPrivilege
  PID 2832 vbc.exe: Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (51 IoCs)
  Source PID (process) -> target PID (process): number of writes
  2260 (URFT06GSBAWRP_001_PDF.exe) -> 1584 (cmd.exe): 3
  1584 (cmd.exe) -> 3872 (schtasks.exe): 3
  2260 (URFT06GSBAWRP_001_PDF.exe) -> 4324 (cmd.exe): 3
  2260 (URFT06GSBAWRP_001_PDF.exe) -> 2692 (vbc.exe): 8
  4672 (opetr.exe) -> 5072 (cmd.exe): 3
  5072 (cmd.exe) -> 2932 (schtasks.exe): 3
  4672 (opetr.exe) -> 3404 (cmd.exe): 3
  4672 (opetr.exe) -> 2832 (vbc.exe): 8
  4748 (opetr.exe) -> 3344 (cmd.exe): 3
  3344 (cmd.exe) -> 4648 (schtasks.exe): 3
  4748 (opetr.exe) -> 1832 (cmd.exe): 3
  4748 (opetr.exe) -> 3488 (vbc.exe): 8
  The three writes into each ordinary child (cmd.exe, schtasks.exe) are the kind CreateProcess itself performs and are not interesting on their own; the eight writes into each vbc.exe are the payload being laid into the hollowed process.
Processes
C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe (PID 2260)
  "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1584)
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 3872)
      schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe (PID 4324)
    "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe" "C:\Users\Admin\AppData\Roaming\opetr.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2692)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Roaming\opetr.exe (PID 4672)
  C:\Users\Admin\AppData\Roaming\opetr.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 5072)
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 2932)
      schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe (PID 3404)
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\opetr.exe" "C:\Users\Admin\AppData\Roaming\opetr.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2832)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Roaming\opetr.exe (PID 4748)
  C:\Users\Admin\AppData\Roaming\opetr.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 3344)
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 4648)
      schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
      - Creates scheduled task(s)
  C:\Windows\SysWOW64\cmd.exe (PID 1832)
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\opetr.exe" "C:\Users\Admin\AppData\Roaming\opetr.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 3488)
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
PIDs are taken from the signature tables above. The task "Nafdfnasia" runs opetr.exe every minute (/sc minute /mo 1, with /f silently replacing any existing task of that name), which is why two further opetr.exe instances (PIDs 4672 and 4748) start from the task within the 151 s run; each one re-creates the task, copies opetr.exe onto itself and hollows a fresh vbc.exe. The dropper and both task-launched copies run the same code, so the persistence mechanism re-arms itself on every execution. For cleanup, delete the task first, then terminate every vbc.exe whose parent is opetr.exe, then remove %AppData%\opetr.exe; in any other order the task will respawn the RAT while you work.
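The process tree above carries two behaviours worth a standing hunt rule: a schtasks persistence task firing every minute on a target under a user-writable directory, and vbc.exe started with an empty command line by a parent living in Temp or Roaming (a real compile always passes arguments). The following Python is an added example, not part of the sandbox report: it runs both rules over constructed process-creation events that mirror the report's three chains (same PIDs, images and command lines) plus two benign controls. The ProcEvent field names are an assumed Sysmon-like schema rather than any vendor's exact format, and the CLR_HOSTS list extends the report's vbc.exe with other .NET binaries commonly used as hollowing hosts, which is an assumption beyond what this page shows.

```python
"""Hunt process-creation telemetry for per-minute schtasks persistence into a
user-writable path and for .NET compiler binaries started with no arguments
by a parent in a user-writable directory (hollowing host)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # assumed Sysmon-EID-1-like fields, not a vendor schema
    pid: int
    ppid: int
    image: str            # full path of the new process
    cmdline: str          # command line as logged

# Directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
SC_MINUTE = re.compile(r"/sc\s+minute\b", re.I)
MO_VALUE = re.compile(r"/mo\s+(\d+)", re.I)
TR_VALUE = re.compile(r'''/tr\s+"?'?([^"']+)'?"?''', re.I)   # strips "'...'" quoting
TN_VALUE = re.compile(r'''/tn\s+"?([^"\s]+)"?''', re.I)
# The report shows only vbc.exe; the other entries are an assumed extension.
CLR_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}


def schtasks_persistence(ev, max_interval=5):
    """Flag 'schtasks /create /sc minute' whose /tr target is user-writable
    and which fires at least every max_interval minutes."""
    cmd = ev.cmdline
    if not ev.image.lower().endswith("\\schtasks.exe") or "/create" not in cmd.lower():
        return None
    if not SC_MINUTE.search(cmd):
        return None
    mo = MO_VALUE.search(cmd)
    interval = int(mo.group(1)) if mo else 1      # schtasks defaults /mo to 1
    tr = TR_VALUE.search(cmd)
    target = tr.group(1).strip() if tr else ""
    if interval > max_interval or not USER_WRITABLE.search(target):
        return None
    tn = TN_VALUE.search(cmd)
    return {"rule": "schtasks_minute_task_user_writable", "pid": ev.pid,
            "task": tn.group(1) if tn else "?", "target": target,
            "interval_min": interval}


def hollowed_clr_host(ev, parent):
    """Flag a CLR host run with an empty command line whose parent lives in a
    user-writable directory; legitimate compiles always carry arguments."""
    if ev.image.rsplit("\\", 1)[-1].lower() not in CLR_HOSTS:
        return None
    no_args = ev.cmdline.replace('"', "").strip().lower() == ev.image.lower()
    if not no_args or parent is None or not USER_WRITABLE.search(parent.image):
        return None
    return {"rule": "clr_host_no_args_from_user_dir", "pid": ev.pid,
            "parent_pid": parent.pid, "parent_image": parent.image}


def hunt(events):
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        hit = schtasks_persistence(ev) or hollowed_clr_host(ev, by_pid.get(ev.ppid))
        if hit:
            hits.append(hit)
    return hits


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\opetr.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
CMD, SCHTASKS = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\schtasks.exe"
TASK = r'''schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f'''

# Constructed telemetry mirroring the report's three chains (PIDs as in the
# report; the copy-to-Roaming cmd.exe of the later chains is omitted), then
# two benign controls: a daily task from Program Files and a real compile.
EVENTS = [
    ProcEvent(2260, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1584, 2260, CMD, f'"cmd" /c {TASK}'),
    ProcEvent(3872, 1584, SCHTASKS, TASK),
    ProcEvent(4324, 2260, CMD, f'"cmd" /c copy "{DROPPER}" "{ROAMING}"'),
    ProcEvent(2692, 2260, VBC, f'"{VBC}"'),
    ProcEvent(4672, 1000, ROAMING, ROAMING),
    ProcEvent(5072, 4672, CMD, f'"cmd" /c {TASK}'),
    ProcEvent(2932, 5072, SCHTASKS, TASK),
    ProcEvent(2832, 4672, VBC, f'"{VBC}"'),
    ProcEvent(4748, 1000, ROAMING, ROAMING),
    ProcEvent(3344, 4748, CMD, f'"cmd" /c {TASK}'),
    ProcEvent(4648, 3344, SCHTASKS, TASK),
    ProcEvent(3488, 4748, VBC, f'"{VBC}"'),
    ProcEvent(7001, 1000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn "Updater" /tr "C:\Program Files\Vendor\upd.exe"'),
    ProcEvent(7002, 7003, VBC, rf'"{VBC}" /noconfig @C:\build\app.rsp'),
    ProcEvent(7003, 1000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              "MSBuild.exe app.vbproj"),
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

Run against the constructed events, hunt() returns six findings: the three schtasks.exe PIDs (3872, 2932, 4648) and the three vbc.exe PIDs (2692, 2832, 3488), with the benign daily task and the MSBuild-driven compile left alone. The interval threshold is deliberately loose (anything at or under five minutes) because the exact /mo value is trivial for the operator to change; the user-writable target path is the part that rarely changes.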
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\opetr.exe.log
  Filesize: 612B
  MD5: ca95b0db0b212857216268544c58e741
  SHA1: 5c2fd4ee1dc02d9412a19454562129f97bf930b5
  SHA256: bdcf4429adc6ee689394b8ea1628e98bac4d0b7f8d735e5bf9e96218a41cd6f0
  SHA512: c3d83412ec5c6dd7398c7ec0ae73838eed3f9e6e539771066378d74479092bc18f73deac581c3e5f053487eef1ae432a565eec2aa706c7ddf16d5855cb0e70bb
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
  Filesize: 425B
  MD5: 4eaca4566b22b01cd3bc115b9b0b2196
  SHA1: e743e0792c19f71740416e7b3c061d9f1336bf94
  SHA256: 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
  SHA512: bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
- C:\Users\Admin\AppData\Roaming\opetr.exe (written three times during the run, once by the copy from Temp and once by each self-copy; identical hashes each time)
  Filesize: 300.0MB
  MD5: 464753cd8a6523de0fba921ce6846177
  SHA1: 6b3b77af1129f9ad86acc31163d8450eacb4dbd3
  SHA256: 3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092
  SHA512: 589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2
  These hashes match the submitted sample exactly, so opetr.exe is a byte-for-byte copy of URFT06GSBAWRP_001_PDF.exe and the file-hash IOCs above cover both locations.
The CLR_v4.0_32\UsageLogs entries are written by the 32-bit .NET Framework 4.x runtime for managed executables it loads; the opetr.exe.log shows the dropped copy ran as a .NET assembly, and UsageLogs named after a file in AppData\Roaming is itself a cheap forensic indicator to check on other hosts.
Memory dumps:
- memory/1584-134-0x0000000000000000-mapping.dmp
- memory/1832-152-0x0000000000000000-mapping.dmp
- memory/2260-132-0x00000000002F0000-0x0000000000322000-memory.dmp (200KB)
- memory/2260-136-0x0000000005530000-0x0000000005AD4000-memory.dmp (5.6MB)
- memory/2260-133-0x0000000004F10000-0x0000000004F76000-memory.dmp (408KB)
- memory/2692-138-0x0000000000000000-mapping.dmp
- memory/2692-139-0x0000000000400000-0x0000000000416000-memory.dmp (88KB)
- memory/2692-140-0x00000000007E0000-0x00000000007F6000-memory.dmp (88KB)
- memory/2832-146-0x0000000000000000-mapping.dmp
- memory/2932-144-0x0000000000000000-mapping.dmp
- memory/3344-150-0x0000000000000000-mapping.dmp
- memory/3404-145-0x0000000000000000-mapping.dmp
- memory/3488-153-0x0000000000000000-mapping.dmp
- memory/3872-135-0x0000000000000000-mapping.dmp
- memory/4324-137-0x0000000000000000-mapping.dmp
- memory/4648-151-0x0000000000000000-mapping.dmp
- memory/5072-143-0x0000000000000000-mapping.dmp
The two 88KB regions in the hollowed vbc.exe (PID 2692), at 0x400000-0x416000 and 0x7E0000-0x7F6000, are the ones to pull for unpacked-payload analysis; the asyncrat YARA rule matched the second of them (2692-140), so that dump is the decrypted RAT and the right input for config extraction.