Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/11/2023, 16:37

General

  • Target

    NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe

  • Size

    63KB

  • MD5

    9c65c31fa60a7490db9ac229f88aeaec

  • SHA1

    1165267dfffa7ac1443002fb331fd573d34132ae

  • SHA256

    2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70

  • SHA512

    f18cde1280543d32b442df89edb53420b5b40e1075cd3001bfe255557d9fe70670467e3005e68dc9e4bd0a2835a99bb7850eb4eefc866bb2bdd6dd177292eb61

  • SSDEEP

    1536:ZnQpg/GiDABXOUcbbKwPoGoGfDpqKmY7:Zj/GiDu/cbbKEHgz

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Test Paid not Crypted

C2

142.202.188.173:9953

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    true

  • install_file

    KDFManager.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Async RAT payload 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "KDFManager" /tr '"C:\Users\Admin\AppData\Roaming\KDFManager.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "KDFManager" /tr '"C:\Users\Admin\AppData\Roaming\KDFManager.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1068
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3592
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4332
      • C:\Users\Admin\AppData\Roaming\KDFManager.exe
        "C:\Users\Admin\AppData\Roaming\KDFManager.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4788

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.bat

          Filesize

          154B

          MD5

          ad6edcab391ae9397b0408137d00e762

          SHA1

          38c7d33de6d04a405f32b3c805594f05208e332a

          SHA256

          9ed994d6e4dbf1c632753cce6337ff4a42d2b8374a08fb12a94bc827fc9c68d4

          SHA512

          9e22f5263bfe851610a0c46a55476cfed38a763fb06626eb094235382655f52aa6b606c064706949bd7a3ac38e9fd1ce99f5f9c9aaef3758669ff6bc0d077f75

        • C:\Users\Admin\AppData\Roaming\KDFManager.exe

          Filesize

          63KB

          MD5

          9c65c31fa60a7490db9ac229f88aeaec

          SHA1

          1165267dfffa7ac1443002fb331fd573d34132ae

          SHA256

          2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70

          SHA512

          f18cde1280543d32b442df89edb53420b5b40e1075cd3001bfe255557d9fe70670467e3005e68dc9e4bd0a2835a99bb7850eb4eefc866bb2bdd6dd177292eb61

        • C:\Users\Admin\AppData\Roaming\KDFManager.exe

          Filesize

          63KB

          MD5

          9c65c31fa60a7490db9ac229f88aeaec

          SHA1

          1165267dfffa7ac1443002fb331fd573d34132ae

          SHA256

          2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70

          SHA512

          f18cde1280543d32b442df89edb53420b5b40e1075cd3001bfe255557d9fe70670467e3005e68dc9e4bd0a2835a99bb7850eb4eefc866bb2bdd6dd177292eb61

        • memory/4772-0-0x0000000000900000-0x0000000000916000-memory.dmp

          Filesize

          88KB

        • memory/4772-1-0x00007FFE6FF40000-0x00007FFE70A01000-memory.dmp

          Filesize

          10.8MB

        • memory/4772-2-0x000000001B700000-0x000000001B710000-memory.dmp

          Filesize

          64KB

        • memory/4772-7-0x00007FFE8DDB0000-0x00007FFE8DFA5000-memory.dmp

          Filesize

          2.0MB

        • memory/4772-8-0x00007FFE6FF40000-0x00007FFE70A01000-memory.dmp

          Filesize

          10.8MB

        • memory/4788-13-0x00007FFE6EFD0000-0x00007FFE6FA91000-memory.dmp

          Filesize

          10.8MB

        • memory/4788-14-0x000000001B950000-0x000000001B960000-memory.dmp

          Filesize

          64KB

        • memory/4788-15-0x00007FFE6EFD0000-0x00007FFE6FA91000-memory.dmp

          Filesize

          10.8MB

        • memory/4788-16-0x000000001B950000-0x000000001B960000-memory.dmp

          Filesize

          64KB