Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
23-04-2023 09:56
General
-
Target
Venom HVNC 5.4.0 crack.rar
-
Size
14.5MB
-
MD5
3276eefc2547702c8a7fbc6db1275c36
-
SHA1
6c7ae5b03b8da23e5335da100675fc3ea824bbe4
-
SHA256
458c83f0bc425cb9fecfe4b60bd5e2df08fadffea5598422ff0561dee46b6e9a
-
SHA512
15a04bbf3990e78344ae7d657f1a35e90fbe856011aeee696dd4c206c551a834c5493c864f274525b4ac65ee383f3a0887cb4d3583962d9c2e1a51706b30771f
-
SSDEEP
393216:aLWJa3c4xuHK2CbbjlACVnyGinovZept7T4:Nc3oK2ebOynyG5vwr4
Malware Config
Extracted
xworm
behind-him.at.ply.gg:27180
-
install_file
USB.exe
Extracted
quasar
-
reconnect_delay
5000
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 3 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 45 IoCs
-
Suspicious use of SendNotifyMessage 43 IoCs
-
Suspicious use of SetWindowsHookEx 36 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Venom HVNC 5.4.0 crack.rar"1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Venom HVNC 5.4.0 crack.rar"2⤵
- Drops autorun.inf file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Venom HVNC 5.4.0 crack\VenomHVNC.exe"C:\Users\Admin\Desktop\Venom HVNC 5.4.0 crack\VenomHVNC.exe"1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "VenomHVNC" /tr "C:\Users\Admin\AppData\Roaming\VenomHVNC.exe"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Desktop\Venom HVNC 5.4.0 crack\Venombin.exe"C:\Users\Admin\Desktop\Venom HVNC 5.4.0 crack\Venombin.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 17202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4600 -ip 46001⤵
-
C:\Users\Admin\AppData\Roaming\VenomHVNC.exeC:\Users\Admin\AppData\Roaming\VenomHVNC.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD5275ae366e4ecf3d88e56863ce8f712fa
SHA1e95c248a4379ebd5ccbdeddc196be0e852b16ccc
SHA25673948663c05951a55c1a92bd8cd3eed4e8f2c942faac8b749100f5457ffce2fc
SHA5128adea257aa3237dd4ad88e69e6b67f1d59ef6a7066622686d2e2637eb16a5d732e8e30d0c0e2c08bef6cd3071683e5104e6c1ee5ef954c2fa4b72b09c40e44e0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD5b907e049d9cb2a54e93318f768e57cb9
SHA1f2c69309b9796700d75b0fe42ba7a1beba7b0066
SHA2561ec69d645caa3a599abf62237ddde770d37350242f30668dfe78d91357311386
SHA5128470e8556e3fd8f7324cdd918bd613924e450ac2a4d03d091d432f9bfeaf8c1584a513fecc63f532d0e1b6cbf0f88c1b09dd21bdb3b942be87bef7fc91426b37
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VenomHVNC.lnkFilesize
783B
MD55fdd66a036014b9da503346ff49c7397
SHA18d60b78ec830ccdb20cf2b1aabd1116b85d41963
SHA2560b503e048cadbbfac5787e40aa4dce6fbbc956b498374c82b2f396db7947bd71
SHA512038bb86a0432e1b4effe4bf3b00a4e209d7ad543cbfa13401950d0ee30ffdc93bf2a4facab4d7440e219d50f39440c24422647b48b011cfe5f3443a265b0769b
-
C:\Users\Admin\AppData\Roaming\VenomHVNC.exeFilesize
188KB
MD5099aff06a5aba484c958501f1b037996
SHA1c418b0b0cb3f7cf97f31e619f9ef7075d7f7a50f
SHA2569e8390c4f8ca29205810d4947309bfc4ee7d92d697df720c75a151ddf6abdc0c
SHA5127f61f9e92d838f5bbf8b4a052d45298025ade393de7cdaaff48dfc2ec9902724518b60858ac15ef8fb372f077c4349201a43d459880b9e2e16f909bb198c49e3
-
C:\Users\Admin\AppData\Roaming\VenomHVNC.exeFilesize
188KB
MD5099aff06a5aba484c958501f1b037996
SHA1c418b0b0cb3f7cf97f31e619f9ef7075d7f7a50f
SHA2569e8390c4f8ca29205810d4947309bfc4ee7d92d697df720c75a151ddf6abdc0c
SHA5127f61f9e92d838f5bbf8b4a052d45298025ade393de7cdaaff48dfc2ec9902724518b60858ac15ef8fb372f077c4349201a43d459880b9e2e16f909bb198c49e3
-
C:\Users\Admin\AppData\Roaming\VenomHVNC.exeFilesize
188KB
MD5099aff06a5aba484c958501f1b037996
SHA1c418b0b0cb3f7cf97f31e619f9ef7075d7f7a50f
SHA2569e8390c4f8ca29205810d4947309bfc4ee7d92d697df720c75a151ddf6abdc0c
SHA5127f61f9e92d838f5bbf8b4a052d45298025ade393de7cdaaff48dfc2ec9902724518b60858ac15ef8fb372f077c4349201a43d459880b9e2e16f909bb198c49e3
-
C:\Users\Admin\Desktop\Venom HVNC 5.4.0 crack\VenomHVNC.exeFilesize
188KB
MD5099aff06a5aba484c958501f1b037996
SHA1c418b0b0cb3f7cf97f31e619f9ef7075d7f7a50f
SHA2569e8390c4f8ca29205810d4947309bfc4ee7d92d697df720c75a151ddf6abdc0c
SHA5127f61f9e92d838f5bbf8b4a052d45298025ade393de7cdaaff48dfc2ec9902724518b60858ac15ef8fb372f077c4349201a43d459880b9e2e16f909bb198c49e3
-
C:\Users\Admin\Desktop\Venom HVNC 5.4.0 crack\VenomHVNC.exeFilesize
188KB
MD5099aff06a5aba484c958501f1b037996
SHA1c418b0b0cb3f7cf97f31e619f9ef7075d7f7a50f
SHA2569e8390c4f8ca29205810d4947309bfc4ee7d92d697df720c75a151ddf6abdc0c
SHA5127f61f9e92d838f5bbf8b4a052d45298025ade393de7cdaaff48dfc2ec9902724518b60858ac15ef8fb372f077c4349201a43d459880b9e2e16f909bb198c49e3
-
C:\Users\Admin\Desktop\Venom HVNC 5.4.0 crack\Venombin.exeFilesize
2.6MB
MD528ab86b3dcd21945ecf0d61cff33f0af
SHA15117b7fea972011d5d8744632d5052d92d93bc64
SHA256a9da04a7a49309e177655fb41589cac45813b8a98e469225f58ed137a6fe3078
SHA5122c7370fe9fa0b0ca15bbb29c7b9b102978555aab02f6ced0a59773146f0f72e6b2d6994a3f99851bd4bd63a4e07a88751090aece1ce34ed1c97f97ead0fbe6f8
-
\??\c:\users\admin\desktop\venom hvnc 5.4.0 crack\venombin.exeFilesize
2.6MB
MD528ab86b3dcd21945ecf0d61cff33f0af
SHA15117b7fea972011d5d8744632d5052d92d93bc64
SHA256a9da04a7a49309e177655fb41589cac45813b8a98e469225f58ed137a6fe3078
SHA5122c7370fe9fa0b0ca15bbb29c7b9b102978555aab02f6ced0a59773146f0f72e6b2d6994a3f99851bd4bd63a4e07a88751090aece1ce34ed1c97f97ead0fbe6f8
-
memory/1736-535-0x000001FE190A0000-0x000001FE190A1000-memory.dmpFilesize
4KB
-
memory/1736-537-0x000001FE190A0000-0x000001FE190A1000-memory.dmpFilesize
4KB
-
memory/1736-541-0x000001FE190A0000-0x000001FE190A1000-memory.dmpFilesize
4KB
-
memory/1736-540-0x000001FE190A0000-0x000001FE190A1000-memory.dmpFilesize
4KB
-
memory/1736-539-0x000001FE190A0000-0x000001FE190A1000-memory.dmpFilesize
4KB
-
memory/1736-538-0x000001FE190A0000-0x000001FE190A1000-memory.dmpFilesize
4KB
-
memory/1736-536-0x000001FE190A0000-0x000001FE190A1000-memory.dmpFilesize
4KB
-
memory/1736-531-0x000001FE190A0000-0x000001FE190A1000-memory.dmpFilesize
4KB
-
memory/1736-529-0x000001FE190A0000-0x000001FE190A1000-memory.dmpFilesize
4KB
-
memory/1736-530-0x000001FE190A0000-0x000001FE190A1000-memory.dmpFilesize
4KB
-
memory/2764-505-0x0000000000BD0000-0x0000000000BE0000-memory.dmpFilesize
64KB
-
memory/2764-523-0x0000000000BD0000-0x0000000000BE0000-memory.dmpFilesize
64KB
-
memory/2764-504-0x0000000000320000-0x0000000000356000-memory.dmpFilesize
216KB
-
memory/4600-516-0x0000000000B30000-0x000000000156A000-memory.dmpFilesize
10.2MB
-
memory/4600-517-0x000000007EDD0000-0x000000007F1A1000-memory.dmpFilesize
3.8MB
-
memory/4600-525-0x000000007EDD0000-0x000000007F1A1000-memory.dmpFilesize
3.8MB
-
memory/4600-524-0x0000000000B30000-0x000000000156A000-memory.dmpFilesize
10.2MB
-
memory/4600-518-0x0000000000B30000-0x000000000156A000-memory.dmpFilesize
10.2MB
-
memory/4600-522-0x00000000078B0000-0x00000000078C0000-memory.dmpFilesize
64KB
-
memory/4600-521-0x0000000007960000-0x00000000079F2000-memory.dmpFilesize
584KB
-
memory/4600-520-0x0000000007D50000-0x00000000082F4000-memory.dmpFilesize
5.6MB
-
memory/4600-519-0x0000000000B30000-0x000000000156A000-memory.dmpFilesize
10.2MB