929b11e9d778f3fb3753f2bfec104862dd325bd91546afc7dfe15803d1726a13

Analysis

max time kernel
98s
max time network
138s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-02-2023 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VenomRAT/VenomRAT_HVNC.exe.xml
Size

2KB
MD5

fa21c166232c3b29f8d2d14557490c9c
SHA1

2cb1a7d4a204fc03bd6bd15aa9f431f3445a08de
SHA256

5c939c46f9d81cb75180c897feb5044176ed44cd0d51e076149bd82425e4ef44
SHA512

cca1dd276a093b62845e5a7652e778d07200b7158cb05a2b44e11e69ce8bc78020eeeb29d55a87a6b87a3fcc25b2883175850467002388a811abfe9945d58fd9

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "384273082"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c0000000002000000000010660000000100002000000056cd45ee8872e07732e7bdd7c73d2f392919040b218aff955a42cf907e7568a3000000000e8000000002000020000000f7131bd1ffd163322317e47609b6c7d8129da6ac3dcf10e3230af9a3536fd659200000006ec0032b2eb53399d6162ed5a679c9d5954728c53bd6d92ab53094dea82c26bc40000000b0f3e09287ec243408203e1d52ba3d55c9f0d98603b2bf8bb910e10bd28b50e2a2426d4c6b2b7c316ed34b60fc766ea2de087c34a5e8a2890a97931c1be5e1b0	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FFD26EF1-B6AA-11ED-981D-FAEC88B9DA95} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a330d7b74ad901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c00000000020000000000106600000001000020000000709d416cf0d73842d06634a5002e3b4de7ff14eda4e38fb19108fcfe2e7c4812000000000e8000000002000020000000b52e48da9b463bb88f27b3f38413f31ad4b58ee9106152a7b20f5b908e38af1890000000b05db1ce983e809c241c3cdb6beaa72140de9750c5e0eb3b1ff9a817798c2d9ae79a097bb53db5fc6452fb3fb4d97c46c1a5683f373f9465db80ba4ca5e56386929a73b377ce2ef9923764cf22c7e26e7e41b293b8c273314ebec8233f47507269f17e92d6950f246255a4a76a18dbbe620e6017a792bf1d5cd9be76fdde4834e9cbaa5b8c7e7e2446c2ca144ce4ff6640000000d507f77ec8ebc5f8c063c0b7ff5b07b2a6cb775710779f4b17034f7d7981130facc4ec23e8555d2d3d7b888417bbdedf91347e2fbebe5deabdb03001eba2635c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1792	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1792	IEXPLORE.EXE
1792	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 840	1972	MSOXMLED.EXE	28
PID 1972 wrote to memory of 840	1972	MSOXMLED.EXE	28
PID 1972 wrote to memory of 840	1972	MSOXMLED.EXE	28
PID 1972 wrote to memory of 840	1972	MSOXMLED.EXE	28
PID 840 wrote to memory of 1792	840	iexplore.exe	29
PID 840 wrote to memory of 1792	840	iexplore.exe	29
PID 840 wrote to memory of 1792	840	iexplore.exe	29
PID 840 wrote to memory of 1792	840	iexplore.exe	29
PID 1792 wrote to memory of 2004	1792	IEXPLORE.EXE	30
PID 1792 wrote to memory of 2004	1792	IEXPLORE.EXE	30
PID 1792 wrote to memory of 2004	1792	IEXPLORE.EXE	30
PID 1792 wrote to memory of 2004	1792	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\VenomRAT\VenomRAT_HVNC.exe.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fd25936f8b0a5318102fa143388c01c

SHA1
c598b4b19fb442f6eadcf076d8b932e35b42a7fb

SHA256
fe73b10a955d19e43548c32b083280dcae2472ef092c0d1f953332d60d35f5ea

SHA512
4a10d1f1a6e1b75fe0da54262a2644554321cff6bd9bd1570b7e371e21042c4eb01ccbb0db31da667c29620dcdabb9882e8d3c7bc491aa3d34983a3ed55b7f91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdd115f77367da68d8b81bfc0c09322c

SHA1
6e3460432856de092284983b1315f8f7fc41f847

SHA256
a6377c7e14dbc7778b468d620ef4357eccfe9cba9bf6a0661d4435874998666c

SHA512
13d49c1bef06fef733a819234a4e0e2489929b0fedbc21b10ace0f0c791aad17b5e2ad62aede9dae155a437b31fb45febd947438a51cc3d574ef9725062e8ebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8edfaceaf64ccb5fbc330c4cc9c53186

SHA1
c0de30b53122b1c0523fa8ba9ccc1c390a12ab69

SHA256
cadfbbc37d6dfb7ca3fb8e6e6342d054eda1c0e560de25e700b4645956699eb2

SHA512
cf63f867d1826419a3027c4fdbbf0e653221b99d29a680cf678b1d37c95ac3eeddd07ba5c83c5c55a630c3cbcc1259d3c62e8577f0bbd567d0c3b39789733587

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
455d2a94c174ab0f21522560ffe725ba

SHA1
373e2c751ad416cc09ae41485e41166be5ac7828

SHA256
80c65bd83f100586b96b20fad25b9a0f80d06b2e7bb9d00339a08a64b657a6c4

SHA512
bd4482a5b3ffa758c75a4005040e36f451122759ba506c9a25ac93bce9e8c265f03a9c10a3829ded9c872c6c32470059aa4fef98c21605fb23eb8f5623a1a806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cfcc90bee264530fcdff08863b7d913

SHA1
aefdd83db310c181f284c6100fee11237fdfe45f

SHA256
a4fa25ad51b20d3acafa57bc1e759f78ed8643b28ca73e0aa985cdb0d3eb6b43

SHA512
7b1378cb1b7a2f30fead7d054fe85f3aa15afa03af96833d6d094347c3dbcf69639e79beda8452b62f21378ce0a0646a8da7887c39ead7864480a3429547b025

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d917ebcc97ca40d5a756e4643d41d83f

SHA1
70398441373c59f4ccc1483b46ec1a5af3122ff2

SHA256
c1433de008360ec6171158f0f6c6cb8c59f77f31f673ad8c5159ee2d34fe7a8f

SHA512
2f48c1f401733236d79ed4edca6e0d3246ab597778997ca73629fa11a38d61b862cc1d6edfe3808ee936fb359f684b4b78a64dce8a50842d4049204ddafba373

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74f5758b8fac8921457c0802dc37b91c

SHA1
f0481aa6a3e87c9141a90dba295233c37e4ef417

SHA256
1f076cf69a0c79705f7d8b76712ce3bd46c0facc1490fa0803a84c3b01ccf2f4

SHA512
6bb40d71074d92643fed02d58e973b35023c4c8b6d1529bca75323025631c5b37493f3f6fe509190478ff13e51b17fd28aec2a23e393abb601d94c0c8613c9e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e99b1b762555de859bda599031cd9bd

SHA1
fd5731c8605f6fe7488d35206fc862b3199b0682

SHA256
b0c4d4a90f2179b8cac9331597de699790a7effecdec4da4fda72ad191e18172

SHA512
aaa26eec9affd568b3f334e806d1046a62b3e320262fe0174b2ba3dd123bbbf2b0b04c4aa622c763bc36a2a589a611e26d048e25f1fb5eaafdfd496d961ab8bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bab51a2fbd97ed559553029850729b3

SHA1
a7d7debdf9c5ed3a2a3a06b56c5e8949b1527706

SHA256
0f9e41a7919bfd9528988d30cc69a064a199f8e4bf2379677ffe04ccacaba219

SHA512
899b79a661a2e50293544506b27d599daa3e23257ce3d1547a9d1f0be7e86ac3923d87188fa2154d43cca24b2ca88155ced5721cff8227485cafd2fb467f97b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7D3E.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7DDE.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WI0FCBG1.txt

Filesize
604B

MD5
c7e43e84a5f42e91388f89f9c57b3ed3

SHA1
c2b4c0226ab2809955e78527e401242eee08de78

SHA256
77d1a8e23c545e37995a534992df0c9d9ace53572537bf0ead42aa28244d4af7

SHA512
8408955869bda3cc0e4090979427402307908d69eba4e6197d8c36091fc44a364ebc3eb51a22bf6f904b7c796fb85ad46551b2e3d3dba2f6f8e1e9142c8926af

Download Submit
memory/1792-54-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/2004-55-0x0000000000C60000-0x0000000000C62000-memory.dmp

Filesize
8KB

Download