Analysis
-
max time kernel
136s -
max time network
140s -
platform
windows10-1703_x64 -
resource
win10-20231023-en -
resource tags
arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system -
submitted
12-11-2023 16:01
Static task
static1
Behavioral task
behavioral1
Sample
lib.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
lib.exe
Resource
win10-20231023-en
General
-
Target
lib.exe
-
Size
1.2MB
-
MD5
d39f50f7840e788f9aabb6fc571b954b
-
SHA1
b3a05caf1aa8b5767a9f84f57fd269ab0a7034f4
-
SHA256
58e05a5c06fdf6566e9b58805b90a33568a2a1e67fd973c9a95b4b8d3be1d375
-
SHA512
dd3dbb76b910f2f1e265dc68e7b12aa92e3fafc0839181fdd8ca800cbc39a7d57d57dd1316800358cff5d523643a61d57c4f695e1c598bf2bc21b494a3745fce
-
SSDEEP
24576:+GhtNUS/L+lGr6T6beITFwVx3mpYkb1rNmFpEvu954SkIEN6yaJRq+:+GJR/qlK6gtTaVxSvyAuX4SknkRD
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot6834433996:AAGJy757LSjxghxJ7K6QegRWYUfoJwS7zOo/sendMessage?chat_id=1149368640
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4144 rat.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
pid Process 2456 lib.exe 4144 rat.exe 4144 rat.exe 4144 rat.exe 4144 rat.exe 4144 rat.exe 4144 rat.exe 4144 rat.exe 4144 rat.exe 4144 rat.exe 4144 rat.exe 4144 rat.exe 4144 rat.exe 4144 rat.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4960 schtasks.exe 4020 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4260 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 796 tasklist.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2456 lib.exe Token: SeDebugPrivilege 796 tasklist.exe Token: SeDebugPrivilege 4144 rat.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2456 lib.exe 4144 rat.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2456 wrote to memory of 4020 2456 lib.exe 73 PID 2456 wrote to memory of 4020 2456 lib.exe 73 PID 2456 wrote to memory of 4020 2456 lib.exe 73 PID 2456 wrote to memory of 2316 2456 lib.exe 75 PID 2456 wrote to memory of 2316 2456 lib.exe 75 PID 2456 wrote to memory of 2316 2456 lib.exe 75 PID 2316 wrote to memory of 796 2316 cmd.exe 78 PID 2316 wrote to memory of 796 2316 cmd.exe 78 PID 2316 wrote to memory of 796 2316 cmd.exe 78 PID 2316 wrote to memory of 2080 2316 cmd.exe 77 PID 2316 wrote to memory of 2080 2316 cmd.exe 77 PID 2316 wrote to memory of 2080 2316 cmd.exe 77 PID 2316 wrote to memory of 4260 2316 cmd.exe 79 PID 2316 wrote to memory of 4260 2316 cmd.exe 79 PID 2316 wrote to memory of 4260 2316 cmd.exe 79 PID 2316 wrote to memory of 4144 2316 cmd.exe 80 PID 2316 wrote to memory of 4144 2316 cmd.exe 80 PID 2316 wrote to memory of 4144 2316 cmd.exe 80 PID 4144 wrote to memory of 4960 4144 rat.exe 82 PID 4144 wrote to memory of 4960 4144 rat.exe 82 PID 4144 wrote to memory of 4960 4144 rat.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\lib.exe"C:\Users\Admin\AppData\Local\Temp\lib.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"2⤵
- Creates scheduled task(s)
PID:4020
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC36F.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\find.exefind ":"3⤵PID:2080
-
-
C:\Windows\SysWOW64\tasklist.exeTasklist /fi "PID eq 2456"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:796
-
-
C:\Windows\SysWOW64\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:4260
-
-
C:\Users\ToxicEye\rat.exe"rat.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"4⤵
- Creates scheduled task(s)
PID:4960
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180B
MD51ac3fe7dedfafff46028ab61e7d5c9b5
SHA197fdd75caecb296bf172d6301746bcdb66a178f9
SHA2568e9fda2f0b46fa69d57c32de014b6ec29a46170aba33ce5159420ed4fa3a8b70
SHA5121a31237081d1defa50ab4f03dc94d8b044119bf264005c958b68f3107a782981ac184e11a4c7f636bc229395df85b47539705b226f2c3ca440e9adf6dd9ddb53
-
Filesize
1.2MB
MD5d39f50f7840e788f9aabb6fc571b954b
SHA1b3a05caf1aa8b5767a9f84f57fd269ab0a7034f4
SHA25658e05a5c06fdf6566e9b58805b90a33568a2a1e67fd973c9a95b4b8d3be1d375
SHA512dd3dbb76b910f2f1e265dc68e7b12aa92e3fafc0839181fdd8ca800cbc39a7d57d57dd1316800358cff5d523643a61d57c4f695e1c598bf2bc21b494a3745fce
-
Filesize
1.2MB
MD5d39f50f7840e788f9aabb6fc571b954b
SHA1b3a05caf1aa8b5767a9f84f57fd269ab0a7034f4
SHA25658e05a5c06fdf6566e9b58805b90a33568a2a1e67fd973c9a95b4b8d3be1d375
SHA512dd3dbb76b910f2f1e265dc68e7b12aa92e3fafc0839181fdd8ca800cbc39a7d57d57dd1316800358cff5d523643a61d57c4f695e1c598bf2bc21b494a3745fce