Analysis

max time kernel: 132s
max time network: 137s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 12-11-2023 16:01

Static task: static1
Behavioral task: behavioral1 (Sample: lib.exe, Resource: win7-20231023-en)
Behavioral task: behavioral2 (Sample: lib.exe, Resource: win10-20231023-en)
General

Target: lib.exe
Size: 1.2MB
MD5: d39f50f7840e788f9aabb6fc571b954b
SHA1: b3a05caf1aa8b5767a9f84f57fd269ab0a7034f4
SHA256: 58e05a5c06fdf6566e9b58805b90a33568a2a1e67fd973c9a95b4b8d3be1d375
SHA512: dd3dbb76b910f2f1e265dc68e7b12aa92e3fafc0839181fdd8ca800cbc39a7d57d57dd1316800358cff5d523643a61d57c4f695e1c598bf2bc21b494a3745fce
SSDEEP: 24576:+GhtNUS/L+lGr6T6beITFwVx3mpYkb1rNmFpEvu954SkIEN6yaJRq+:+GJR/qlK6gtTaVxSvyAuX4SknkRD
Malware Config

Extracted family: toxiceye
C2: https://api.telegram.org/bot6834433996:AAGJy757LSjxghxJ7K6QegRWYUfoJwS7zOo/sendMessage?chat_id=1149368640
Signatures

Deletes itself (1 IoC)
  pid 2508  cmd.exe

Executes dropped EXE (1 IoC)
  pid 2272  rat.exe

Loads dropped DLL (1 IoC)
  pid 2508  cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
  pid 3028  lib.exe
  pid 2272  rat.exe  (12 entries)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 3056  schtasks.exe
  pid 2660  schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid 2492  timeout.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 1700  tasklist.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 3028  lib.exe
  Token: SeDebugPrivilege  pid 1700  tasklist.exe
  Token: SeDebugPrivilege  pid 2272  rat.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 3028  lib.exe
  pid 2272  rat.exe

Suspicious use of WriteProcessMemory (28 IoCs; each row below was logged 4 times)
  description                        pid   Process    procid_target
  PID 3028 wrote to memory of 3056   3028  lib.exe    29
  PID 3028 wrote to memory of 2508   3028  lib.exe    31
  PID 2508 wrote to memory of 1700   2508  cmd.exe    34
  PID 2508 wrote to memory of 2520   2508  cmd.exe    33
  PID 2508 wrote to memory of 2492   2508  cmd.exe    35
  PID 2508 wrote to memory of 2272   2508  cmd.exe    36
  PID 2272 wrote to memory of 2660   2272  rat.exe    38
Processes

[1] C:\Users\Admin\AppData\Local\Temp\lib.exe  (PID 3028)
    Command line: "C:\Users\Admin\AppData\Local\Temp\lib.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe  (PID 3056)
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        - Creates scheduled task(s)

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2508)
        Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpACF2.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpACF2.tmp.bat
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\find.exe  (PID 2520)
            Command line: find ":"

        [3] C:\Windows\SysWOW64\tasklist.exe  (PID 1700)
            Command line: Tasklist /fi "PID eq 3028"
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\timeout.exe  (PID 2492)
            Command line: Timeout /T 1 /Nobreak
            - Delays execution with timeout.exe

        [3] C:\Users\ToxicEye\rat.exe  (PID 2272)
            Command line: "rat.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\schtasks.exe  (PID 2660)
                Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
                - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 180B
MD5: 18c8923e877f737a46eeefb0351a75f1
SHA1: 3fa887fc983df69c6366ea8a6b05fbab35062031
SHA256: 9eb44c8ca55952edbdec8b0f54a81a4d75e072acc81be93ba73b02e6b5916c4e
SHA512: c7e6464ab447a71305ab75bf0a1115cec887aa13825112b7e07a5b2423fcb7f4e86991e4fbf1659eb28d7b8e262485ea48dff4d2464bf642b141dd4ff4d91f4b

Filesize: 1.2MB (this entry is listed three times in the report; hashes match the submitted sample)
MD5: d39f50f7840e788f9aabb6fc571b954b
SHA1: b3a05caf1aa8b5767a9f84f57fd269ab0a7034f4
SHA256: 58e05a5c06fdf6566e9b58805b90a33568a2a1e67fd973c9a95b4b8d3be1d375
SHA512: dd3dbb76b910f2f1e265dc68e7b12aa92e3fafc0839181fdd8ca800cbc39a7d57d57dd1316800358cff5d523643a61d57c4f695e1c598bf2bc21b494a3745fce