Overview

overview

10

Static

static

10

7a40ca48bc...fa.exe

windows7-x64

10

7a40ca48bc...fa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2023 18:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a40ca48bc128c6eeff29d4a8cac46fa.exe

  • Size

    111KB

  • MD5

    7a40ca48bc128c6eeff29d4a8cac46fa

  • SHA1

    fa00aac627e3ebd38a724398264c81f2e5922063

  • SHA256

    e5b1c4c0553a9de4a7e5cea6bff98ffdb51ca04e3a9d1fce807621ac2bb74895

  • SHA512

    46be169801f7e49acc6fed273cd7649cc4b7cd486b5885574e187395702c95cb53b8fd848d36af587554653913609ff3ad26837be91505540623a45084fc3a23

  • SSDEEP

    3072:XbiZnYUuQaS+T8sERvc7LLqRI5LUluqb4qOhQW0zCrAZu6gO:uBYUuQaS+T8sERvc7yIalBbpn

Score
10/10
toxiceyerattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot1929200100:AAFApHmZ6GD9WbEolE1gi0bnOTW4ipj-SSA/sendMessage?chat_id=1917426247

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a40ca48bc128c6eeff29d4a8cac46fa.exe
    "C:\Users\Admin\AppData\Local\Temp\7a40ca48bc128c6eeff29d4a8cac46fa.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Alien\Alien.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2716
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA5E0.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA5E0.tmp.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 1732"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:2692
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:2888
        • C:\Users\Alien\Alien.exe
          "Alien.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Alien\Alien.exe"
            4⤵
            • Creates scheduled task(s)
            PID:2612
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2912 -s 1640
            4⤵
              PID:1368

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpA5E0.tmp.bat
        Filesize

        208B

        MD5

        91a78d87e7c5d7ed305ffd40dc95bfd3

        SHA1

        0ace1452c38228338247a9011b4e4e99ea9a56a2

        SHA256

        9a061d08c0a676a9f6a0aae1daaff1e822762fe2fed5222eec1a10f87bc92457

        SHA512

        29e200262358ac16a4878dc7ae2cbeca34ab676bebb0de06263948066ee070fcd4346550d7f44cdada6bd31bd3c307d7cc3b31db20159a9466d93ac3201c1ebc

        Download Submit

      • C:\Users\Alien\Alien.exe
        Filesize

        111KB

        MD5

        7a40ca48bc128c6eeff29d4a8cac46fa

        SHA1

        fa00aac627e3ebd38a724398264c81f2e5922063

        SHA256

        e5b1c4c0553a9de4a7e5cea6bff98ffdb51ca04e3a9d1fce807621ac2bb74895

        SHA512

        46be169801f7e49acc6fed273cd7649cc4b7cd486b5885574e187395702c95cb53b8fd848d36af587554653913609ff3ad26837be91505540623a45084fc3a23

        Download Submit

      • memory/1732-0-0x0000000000020000-0x0000000000042000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1732-1-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1732-2-0x000000001AE10000-0x000000001AE90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1732-6-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2912-10-0x0000000000CD0000-0x0000000000CF2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2912-11-0x000007FEF4FA0000-0x000007FEF598C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2912-12-0x000007FEF4FA0000-0x000007FEF598C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2912-13-0x000000001AF40000-0x000000001AFC0000-memory.dmp

        Filesize

        512KB

        Download