Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/11/2023, 16:37
Behavioral task: behavioral1
- Sample: NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe
- Resource: win7-20231025-en
Behavioral task: behavioral2
- Sample: NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe
- Size: 63KB
- MD5: 9c65c31fa60a7490db9ac229f88aeaec
- SHA1: 1165267dfffa7ac1443002fb331fd573d34132ae
- SHA256: 2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70
- SHA512: f18cde1280543d32b442df89edb53420b5b40e1075cd3001bfe255557d9fe70670467e3005e68dc9e4bd0a2835a99bb7850eb4eefc866bb2bdd6dd177292eb61
- SSDEEP: 1536:ZnQpg/GiDABXOUcbbKwPoGoGfDpqKmY7:Zj/GiDu/cbbKEHgz
Malware Config
Extracted family: asyncrat
- Version: Venom RAT 5.0.5
- Botnet: Test Paid not Crypted
- C2: 142.202.188.173:9953
- Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
- delay: 1
- install: true
- install_file: KDFManager.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (4 IoCs)
  resource / yara_rule:
  - behavioral2/memory/4772-0-0x0000000000900000-0x0000000000916000-memory.dmp: asyncrat
  - behavioral2/files/0x0008000000022d16-11.dat: asyncrat
  - behavioral2/files/0x0008000000022d16-12.dat: asyncrat
  - behavioral2/memory/4788-14-0x000000001B950000-0x000000001B960000-memory.dmp: asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation (process: NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe)
- Executes dropped EXE (1 IoC)
  - PID 4788: KDFManager.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 1068: schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  - PID 4332: timeout.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  - PID 4772: NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe (the same process, recorded 23 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 4772: NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe
  - Token: SeDebugPrivilege, PID 4788: KDFManager.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description / pid / Process / procid_target (each event is recorded twice in the report):
  - PID 4772 wrote to memory of 1392; 4772 NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe; target 88
  - PID 4772 wrote to memory of 3592; 4772 NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe; target 90
  - PID 1392 wrote to memory of 1068; 1392 cmd.exe; target 92
  - PID 3592 wrote to memory of 4332; 3592 cmd.exe; target 93
  - PID 3592 wrote to memory of 4788; 3592 cmd.exe; target 98
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe (PID 4772)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 1392)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "KDFManager" /tr '"C:\Users\Admin\AppData\Roaming\KDFManager.exe"' & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 1068)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "KDFManager" /tr '"C:\Users\Admin\AppData\Roaming\KDFManager.exe"'
      Signatures: Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe (PID 3592)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB98.tmp.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 4332)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\KDFManager.exe (PID 4788)
      Command line: "C:\Users\Admin\AppData\Roaming\KDFManager.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 154B
  MD5: ad6edcab391ae9397b0408137d00e762
  SHA1: 38c7d33de6d04a405f32b3c805594f05208e332a
  SHA256: 9ed994d6e4dbf1c632753cce6337ff4a42d2b8374a08fb12a94bc827fc9c68d4
  SHA512: 9e22f5263bfe851610a0c46a55476cfed38a763fb06626eb094235382655f52aa6b606c064706949bd7a3ac38e9fd1ce99f5f9c9aaef3758669ff6bc0d077f75
- Filesize: 63KB
  MD5: 9c65c31fa60a7490db9ac229f88aeaec
  SHA1: 1165267dfffa7ac1443002fb331fd573d34132ae
  SHA256: 2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70
  SHA512: f18cde1280543d32b442df89edb53420b5b40e1075cd3001bfe255557d9fe70670467e3005e68dc9e4bd0a2835a99bb7850eb4eefc866bb2bdd6dd177292eb61
- Filesize: 63KB
  MD5: 9c65c31fa60a7490db9ac229f88aeaec
  SHA1: 1165267dfffa7ac1443002fb331fd573d34132ae
  SHA256: 2a318235a7908da2cfacd1711becc3c0da7a23359a98628f6d1fe14a7dd97b70
  SHA512: f18cde1280543d32b442df89edb53420b5b40e1075cd3001bfe255557d9fe70670467e3005e68dc9e4bd0a2835a99bb7850eb4eefc866bb2bdd6dd177292eb61