Overview

overview

10

Static

static

10

d8a3fbd066...99.exe

windows7-x64

10

d8a3fbd066...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2023 15:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8a3fbd0660dff1dd3d85cd3ec62fe99.exe

  • Size

    150KB

  • MD5

    d8a3fbd0660dff1dd3d85cd3ec62fe99

  • SHA1

    640febb6d6f64c3c3a9a6de193c168c30ab8dfb4

  • SHA256

    ad28955c354a29a193dfe7dc9588f53c5c80ba6d9b305a1b61b8730be0695358

  • SHA512

    8b0ef5a86bc866bec69adbd2dd04d98342f5fe7c5b275034742484ec446bb5fd44f969300e383ba5690963ab35619663fab28074a3b57b0a76dcea9ac8f9becb

  • SSDEEP

    3072:MbiZnYUuQaS+T8sERvc7LLqmeUPL2QAgbupHhQW0zCrAZu6h3xzsNInS5g1h:1BYUuQaS+T8sERvc7KULbEchYiS5

Score
10/10
toxiceyerattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot1929200100:AAFApHmZ6GD9WbEolE1gi0bnOTW4ipj-SSA/sendMessage?chat_id=1917426247

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8a3fbd0660dff1dd3d85cd3ec62fe99.exe
    "C:\Users\Admin\AppData\Local\Temp\d8a3fbd0660dff1dd3d85cd3ec62fe99.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Alien\Alien.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2292
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6A43.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6A43.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:2332
        • C:\Windows\system32\tasklist.exe
          Tasklist /fi "PID eq 1560"
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2528
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:2272
        • C:\Users\Alien\Alien.exe
          "Alien.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1240
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Alien\Alien.exe"
            4⤵
            • Creates scheduled task(s)
            PID:4100

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp6A43.tmp.bat
      Filesize

      208B

      MD5

      3d2d8c660cce193960baff10d457f60f

      SHA1

      27d29da0f32c0bb0db941c23f3339a1d0db78356

      SHA256

      1f64405ae237df49578d2634c3abcdb3ac6bdf31413a5eb83d1689f91024fb0d

      SHA512

      5bcf68d949c418b0ee239c8103176001469864b334c4a84ccaa005156081f5c4d19b0272e118c6caef99ff7ac7d1ce9b4526e858633a659d68d646aac305da57

      Download Submit

    • C:\Users\Alien\Alien.exe
      Filesize

      150KB

      MD5

      d8a3fbd0660dff1dd3d85cd3ec62fe99

      SHA1

      640febb6d6f64c3c3a9a6de193c168c30ab8dfb4

      SHA256

      ad28955c354a29a193dfe7dc9588f53c5c80ba6d9b305a1b61b8730be0695358

      SHA512

      8b0ef5a86bc866bec69adbd2dd04d98342f5fe7c5b275034742484ec446bb5fd44f969300e383ba5690963ab35619663fab28074a3b57b0a76dcea9ac8f9becb

      Download Submit

    • memory/1240-12-0x000002ABCC210000-0x000002ABCC220000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1240-11-0x00007FFA9E950000-0x00007FFA9F411000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1240-13-0x000002ABCC210000-0x000002ABCC220000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1240-14-0x00007FFA9E950000-0x00007FFA9F411000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1240-15-0x000002ABCC210000-0x000002ABCC220000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1240-16-0x000002ABCC210000-0x000002ABCC220000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1560-0-0x00000136D5B50000-0x00000136D5B7C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1560-1-0x00007FFA9ED50000-0x00007FFA9F811000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1560-2-0x00000136F0120000-0x00000136F0130000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1560-6-0x00007FFA9ED50000-0x00007FFA9F811000-memory.dmp

      Filesize

      10.8MB

      Download