Analysis
- max time kernel: 190s
- max time network: 201s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2023 19:19
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230220-en
General
- Target: file.exe
- Size: 336KB
- MD5: 7f5fd6228a8d8edf2c88d1b34cb8c847
- SHA1: 408049adf245bcad778add0903c6803a4d691d3f
- SHA256: 2869fbcf083c03c7cd55e45661f6df089fdf169b1719d5052a52e2e386bf3a6d
- SHA512: 4ec90147cdace22b9a14d776fe28837994689553aeef682597a4e218a44ca68a0227131987ed28f6458ca6ba478f2e1f39785f99c98154a301a5affb37a755ab
- SSDEEP: 6144:DT9zpYsT9/xBDwYQJkaLVo/DtBI6C39gMGHQuwDBOknXcMbE+:DYsZ/bxQJDVODtBtOgOuYO8Xb
Malware Config
Extracted
- Family: asyncrat
- Version: Venom RAT + HVNC + Stealer + Grabber v6.0.1
- Botnet: Default
- Mutex: vrmctetyuyojxzjvffl
- delay: 1
- install: false
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/WD485ntt
Signatures
UAC bypass
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Windows security bypass
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe
Async RAT payload 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/1912-154-0x0000000000400000-0x0000000000418000-memory.dmp | asyncrat
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | svchost.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | file.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | svchost.exe
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  3016 | svchost.exe
Windows security modification
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | file.exe
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 3016 set thread context of 1912 | 3016 | svchost.exe | jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe 1 IoCs
Processes:
  pid | process
  1368 | timeout.exe
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes (60 entries in the report; repeated pid/process pairs collapsed to the distinct pairs):
  pid | process
  3960 | file.exe
  3016 | svchost.exe
  672 | powershell.exe
  1912 | jsc.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid | process
  3016 | svchost.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3960 | file.exe
  Token: SeDebugPrivilege | 3016 | svchost.exe
  Token: SeDebugPrivilege | 3016 | svchost.exe
  Token: SeLoadDriverPrivilege | 3016 | svchost.exe
  Token: SeDebugPrivilege | 672 | powershell.exe
  Token: SeDebugPrivilege | 1912 | jsc.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid | process
  1912 | jsc.exe
Suspicious use of WriteProcessMemory 28 IoCs
Processes (each row appears twice in the report unless noted otherwise):
  description | pid | process | target process
  PID 3960 wrote to memory of 1436 | 3960 | file.exe | cmd.exe
  PID 3960 wrote to memory of 1596 | 3960 | file.exe | cmd.exe
  PID 1596 wrote to memory of 1368 | 1596 | cmd.exe | timeout.exe
  PID 1436 wrote to memory of 2120 | 1436 | cmd.exe | schtasks.exe
  PID 1596 wrote to memory of 3016 | 1596 | cmd.exe | svchost.exe
  PID 3016 wrote to memory of 672 | 3016 | svchost.exe | powershell.exe
  PID 3016 wrote to memory of 4916 | 3016 | svchost.exe | ComSvcConfig.exe
  PID 3016 wrote to memory of 1424 | 3016 | svchost.exe | ngentask.exe
  PID 3016 wrote to memory of 3356 | 3016 | svchost.exe | aspnet_wp.exe
  PID 3016 wrote to memory of 3824 | 3016 | svchost.exe | RegSvcs.exe
  PID 3016 wrote to memory of 1912 | 3016 | svchost.exe | jsc.exe (appears 8 times)
System policy modification 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; the number is the depth in the tree)
(depth 1) C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)
  (depth 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp956A.tmp.bat""
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\system32\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe
    (depth 3) C:\Users\Admin\AppData\Roaming\svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - UAC bypass
      - Windows security bypass
      - Sets service image path in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      (depth 4) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
      (depth 4) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
      (depth 4) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
      (depth 4) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
      (depth 4) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xexghpnb.nwz.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\tmp956A.tmp.bat
  Filesize: 151B
  MD5: 3b1f7ec8f026af9f48af011c94964700
  SHA1: a5d0862552dc1a9ca25519933d55fc7b5a4e06f5
  SHA256: 86b1b0a546ce96cd0093cddf49314a1cb0f17ae000cfa3b6fa6ae7c92995d8ee
  SHA512: 03f6000f012d40b95e2b8b84f192d09c4bb332c8fe911c5e6fa5aa638fa48611860600befbdf3f4884589675d75144d543b5bcd727bdb20361eb669451250ff8
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 336KB
  MD5: 7f5fd6228a8d8edf2c88d1b34cb8c847
  SHA1: 408049adf245bcad778add0903c6803a4d691d3f
  SHA256: 2869fbcf083c03c7cd55e45661f6df089fdf169b1719d5052a52e2e386bf3a6d
  SHA512: 4ec90147cdace22b9a14d776fe28837994689553aeef682597a4e218a44ca68a0227131987ed28f6458ca6ba478f2e1f39785f99c98154a301a5affb37a755ab
- memory/672-153-0x00000185A5930000-0x00000185A5952000-memory.dmp
  Filesize: 136KB
- memory/672-156-0x00000185A59F0000-0x00000185A5A00000-memory.dmp
  Filesize: 64KB
- memory/672-157-0x00000185A59F0000-0x00000185A5A00000-memory.dmp
  Filesize: 64KB
- memory/1912-154-0x0000000000400000-0x0000000000418000-memory.dmp
  Filesize: 96KB
- memory/1912-160-0x00000000058D0000-0x0000000005E74000-memory.dmp
  Filesize: 5.6MB
- memory/1912-162-0x0000000002BD0000-0x0000000002BE0000-memory.dmp
  Filesize: 64KB
- memory/1912-163-0x0000000002BD0000-0x0000000002BE0000-memory.dmp
  Filesize: 64KB
- memory/1912-164-0x0000000005F20000-0x0000000005FB2000-memory.dmp
  Filesize: 584KB
- memory/1912-165-0x0000000006820000-0x000000000682A000-memory.dmp
  Filesize: 40KB
- memory/3960-133-0x000001735FB50000-0x000001735FBA8000-memory.dmp
  Filesize: 352KB
- memory/3960-134-0x000001737A0D0000-0x000001737A0E0000-memory.dmp
  Filesize: 64KB