Overview

overview

10

Static

static

10

Client2.exe

windows10-2004-x64

10

Resubmissions

27-03-2023 14:22

230327-rp15zsdg92 10

27-03-2023 13:43

230327-q1lc8sdf86 10

Analysis

  • max time kernel
    597s
  • max time network
    600s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client2.exe

  • Size

    63KB

  • MD5

    40a63f050f41848d979fc88712d1fbf1

  • SHA1

    0d155350fd579788f71dbf7e3f39c889bd37f50e

  • SHA256

    33c374a5686da5dede55e0d7a867e185c193dd281dbb84594769395b6f49db01

  • SHA512

    c11e32b23ca672c863de8d1ddb4a44d1b09f15262660914ef9c1ba3b99e210939df089b8c0d27f5616d820e9fe217e8a91c4875aa7108d25fe26802c1bb96a64

  • SSDEEP

    1536:YhW5hc1kw0kVit8Q0v9Gbb3w+HRpGmDpqKmY7:YhW5hc1kWVHGbb3hHR9gz

Score
10/10
arrowratasyncratvenom clientsvenomhvncpersistenceratspywarestealer

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

soon-lp.at.ply.gg:17209

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

arrowrat

Botnet

VenomHVNC

C2

soon-lp.at.ply.gg:17209

Mutex

vkrfeXWoz.exe

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Async RAT payload 3 IoCs
    rat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 37 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client2.exe
    "C:\Users\Admin\AppData\Local\Temp\Client2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:444
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4848
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3892
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3928
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          4⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:976
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC soon-lp.at.ply.gg 17209 MKMdCvhKu.exe
          4⤵
            PID:388
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            4⤵
            • Modifies registry class
            PID:3372
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC soon-lp.at.ply.gg 17209 vkrfeXWoz.exe
            4⤵
              PID:1820
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC soon-lp.at.ply.gg 17209 vkrfeXWoz.exe
              4⤵
                PID:4936
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC soon-lp.at.ply.gg 17209 vkrfeXWoz.exe
                4⤵
                  PID:4484
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  4⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1716
                  • C:\Windows\explorer.exe
                    "C:\Windows\explorer.exe"
                    5⤵
                    • Modifies registry class
                    PID:2756
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC soon-lp.at.ply.gg 17209 vkrfeXWoz.exe
                    5⤵
                      PID:5068
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:4492
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:2800

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133244079993461366.txt
              Filesize

              75KB

              MD5

              65019a5db517d9fb830d8a57406a03ea

              SHA1

              817faf2ffe8461f653519e7bd96e7ee75021c891

              SHA256

              3ae88b3a99e6b785bdb44760790bc03ac722ef5b673ad5b3ca49b5cc5eecf84f

              SHA512

              bcc985d3fa48efcbb4a334b1a341a6686ef6c69f237d6d9bdcd9885696d148519ab824b9150194d783cb03189c1cc00a483f1b73ebce323f1f6a303a05b8ea62

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp.bat
              Filesize

              151B

              MD5

              8d8a50ef71febb9aa4a0f17f7f7c8cbd

              SHA1

              e6ff17ce593cf3260dfe37eb719ece2bb244b65b

              SHA256

              c6446d9b266da737b4e453b3bc3fde9bbd996f98818046a150704ee3d1063324

              SHA512

              fbce194a6bbc6085c57675ee65b94a1ca10f0e7e9223eb70334cb08f1e361f3599c392737daed3f60f32cf2e440b6133eace5232e67e7d04b0810b04f89568aa

              Download Submit

            • C:\Users\Admin\AppData\Roaming\dzznTnel\dzznTnel
              Filesize

              63KB

              MD5

              0d5df43af2916f47d00c1573797c1a13

              SHA1

              230ab5559e806574d26b4c20847c368ed55483b0

              SHA256

              c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

              SHA512

              f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

              Download Submit

            • C:\Users\Admin\AppData\Roaming\svchost.exe
              Filesize

              63KB

              MD5

              40a63f050f41848d979fc88712d1fbf1

              SHA1

              0d155350fd579788f71dbf7e3f39c889bd37f50e

              SHA256

              33c374a5686da5dede55e0d7a867e185c193dd281dbb84594769395b6f49db01

              SHA512

              c11e32b23ca672c863de8d1ddb4a44d1b09f15262660914ef9c1ba3b99e210939df089b8c0d27f5616d820e9fe217e8a91c4875aa7108d25fe26802c1bb96a64

              Download Submit

            • C:\Users\Admin\AppData\Roaming\svchost.exe
              Filesize

              63KB

              MD5

              40a63f050f41848d979fc88712d1fbf1

              SHA1

              0d155350fd579788f71dbf7e3f39c889bd37f50e

              SHA256

              33c374a5686da5dede55e0d7a867e185c193dd281dbb84594769395b6f49db01

              SHA512

              c11e32b23ca672c863de8d1ddb4a44d1b09f15262660914ef9c1ba3b99e210939df089b8c0d27f5616d820e9fe217e8a91c4875aa7108d25fe26802c1bb96a64

              Download Submit

            • memory/388-147-0x0000000005410000-0x00000000054A2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/388-145-0x0000000000400000-0x0000000000410000-memory.dmp

              Filesize

              64KB

              Download

            • memory/388-148-0x00000000054B0000-0x000000000554C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/388-149-0x0000000005C90000-0x0000000006234000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/388-150-0x00000000056D0000-0x00000000056E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/388-294-0x00000000056D0000-0x00000000056E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/444-133-0x00000000005D0000-0x00000000005E6000-memory.dmp

              Filesize

              88KB

              Download

            • memory/444-134-0x000000001B170000-0x000000001B180000-memory.dmp

              Filesize

              64KB

              Download

            • memory/976-152-0x0000000002950000-0x0000000002951000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1716-320-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/2800-158-0x000001A724840000-0x000001A724860000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2800-161-0x000001A724800000-0x000001A724820000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2800-164-0x000001A724C00000-0x000001A724C20000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3928-144-0x000000001BB90000-0x000000001BBAE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/3928-143-0x000000001E5F0000-0x000000001E666000-memory.dmp

              Filesize

              472KB

              Download

            • memory/3928-331-0x000000001E150000-0x000000001E1A0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4484-319-0x0000000004910000-0x0000000004920000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4484-314-0x0000000004910000-0x0000000004920000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5068-325-0x0000000005570000-0x0000000005580000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5068-326-0x0000000005570000-0x0000000005580000-memory.dmp

              Filesize

              64KB

              Download