Analysis

max time kernel: 30s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2023, 14:11

Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20230220-en)
General

Target: file.exe
Size: 353KB
MD5: 3a31f9c35ab9f26a2e9028c5b438780d
SHA1: 62dbb580219968fa4e4fed20703fa00dbac78666
SHA256: 15b5aace17bef2063e42f5956f066ee601b2dc15a657e9b3aaefb9588a7b83d7
SHA512: 36a93e957267c14eaee560f00217f2e9104dad8e75475bd364ce041a7c7395445afa4032a72fb1056e222d37686f0ac0171d8a3403c1873e5f1281dc55fc46b5
SSDEEP: 6144:Bj7y9GhvWNikQKsPDvKyG9Ih0oenrJYkcKp4ORIvY+pObV:9dcNHcvVh0oIrJfoORIvY+p+
Malware Config

Extracted
Family: asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.1
V365
C2: 111.90.149.195:5111
C2: 111.90.149.195:7766
4ac24af1-9eb0-4f83-aa69-9a23a66ab177
delay: 2
install: false
install_folder: %Temp%
Signatures

Async RAT payload (1 IoC)
  resource: behavioral1/memory/556-71-0x0000000000400000-0x000000000041C000-memory.dmp
  yara_rule: asyncrat

Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (file.exe)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (svchost.exe)

Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools (svchost.exe)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools (file.exe)

Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (file.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (file.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (svchost.exe)

Executes dropped EXE (1 IoC)
  PID 1368 svchost.exe

Loads dropped DLL (1 IoC)
  PID 888 cmd.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" (file.exe)

Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (svchost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (file.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (file.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (svchost.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 1368 svchost.exe set thread context of PID 556 (target procid 39)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 1976 WerFault.exe, target PID 556 (target procid 39)

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 640 schtasks.exe

Delays execution with timeout.exe (1 IoC)
  PID 1908 timeout.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID 2000 file.exe (1 event)
  PID 1368 svchost.exe (8 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2000 file.exe
  Token: SeDebugPrivilege, PID 1368 svchost.exe

Suspicious use of WriteProcessMemory (43 IoCs, grouped below by source/target pair with the number of repeated events)
  PID 2000 file.exe wrote to memory of PID 320 (target procid 28): 3 events
  PID 2000 file.exe wrote to memory of PID 888 (target procid 30): 3 events
  PID 888 cmd.exe wrote to memory of PID 1908 (target procid 32): 3 events
  PID 320 cmd.exe wrote to memory of PID 640 (target procid 33): 3 events
  PID 888 cmd.exe wrote to memory of PID 1368 (target procid 34): 3 events
  PID 1368 svchost.exe wrote to memory of PID 576 (target procid 35): 3 events
  PID 1368 svchost.exe wrote to memory of PID 1328 (target procid 36): 3 events
  PID 1368 svchost.exe wrote to memory of PID 1544 (target procid 37): 3 events
  PID 1368 svchost.exe wrote to memory of PID 2024 (target procid 38): 3 events
  PID 1368 svchost.exe wrote to memory of PID 556 (target procid 39): 12 events
  PID 556 SetupUtility.exe wrote to memory of PID 1976 (target procid 40): 4 events

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2000)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (PID 320)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (PID 640)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe (PID 888)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp319C.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe (PID 1908)
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1368)
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Looks for VirtualBox Guest Additions in registry
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 576)
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe (PID 1328)
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe (PID 1544)
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (PID 2024)
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe (PID 556)
        command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe (PID 1976)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 168
          - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 151B (this entry is listed twice in the original report)
MD5: 4903cf0694fe5526545066f73a6fbd53
SHA1: 0fc6a8dc45d7d4a1a87ddf726117c43736ff30e4
SHA256: f5ae5e38978e2d5d58eca03fc9ecfd3bb7cfc7e0f2fa3e2232ccbaa5ff091cc9
SHA512: 0e014804677c835e013b8d4b3ec1cc4ca1efcdcec5772f6fbcc47bcf46b522c17aa114d8e21992ecdc65ccb8db46bfdd9a23d34a087e5216c7c92ef66790ae01

Filesize: 353KB (this entry is listed three times in the original report; hashes match the submitted sample)
MD5: 3a31f9c35ab9f26a2e9028c5b438780d
SHA1: 62dbb580219968fa4e4fed20703fa00dbac78666
SHA256: 15b5aace17bef2063e42f5956f066ee601b2dc15a657e9b3aaefb9588a7b83d7
SHA512: 36a93e957267c14eaee560f00217f2e9104dad8e75475bd364ce041a7c7395445afa4032a72fb1056e222d37686f0ac0171d8a3403c1873e5f1281dc55fc46b5