toxiceye | e266f576625221648379d9a1d512d19bfce7379b7e2ae0192e3ea2e69de14b0d

General

Target

59048850afb594c657d732a4e0b39471.exe
Size

55KB
MD5

59048850afb594c657d732a4e0b39471
SHA1

84710fbc564f6db75ca86d5646ac437b1f714f45
SHA256

e266f576625221648379d9a1d512d19bfce7379b7e2ae0192e3ea2e69de14b0d
SHA512

ac84f9b235d1f4a7c8089479067906c9267aba74ac14dbf8eb4779a2caf408c51041fa14210ab2955ca42f156f44439b91801363f50a5433a07d0c8fec4d1fad
SSDEEP

1536:3NQyUmnyAxXJkjjr2QULyLlIkECBkQ6NVAaXZMR:3NQRmnkr21GLlIkECBkQ6NVAaXY

Score

10^/10

toxiceye rat trojan

Malware Config

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2924 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Chrome_Update.exe

pid process

2812 Chrome_Update.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2696 schtasks.exe
2908 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2164 timeout.exe
3036 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2728 tasklist.exe
2612 tasklist.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Chrome_Update.exe

pid process

2812 Chrome_Update.exe
2812 Chrome_Update.exe

pid	process
2924	cmd.exe

pid	process
2812	Chrome_Update.exe

pid	process
2696	schtasks.exe
2908	schtasks.exe

pid	process
2164	timeout.exe
3036	timeout.exe

pid	process
2728	tasklist.exe
2612	tasklist.exe

pid	process
2812	Chrome_Update.exe
2812	Chrome_Update.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

59048850afb594c657d732a4e0b39471.exetasklist.exetasklist.exeChrome_Update.exe

description	pid	process
Token: SeDebugPrivilege	356	59048850afb594c657d732a4e0b39471.exe
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	2612	tasklist.exe
Token: SeDebugPrivilege	2812	Chrome_Update.exe
Token: SeDebugPrivilege	2812	Chrome_Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Chrome_Update.exe

pid process

2812 Chrome_Update.exe

pid	process
2812	Chrome_Update.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

59048850afb594c657d732a4e0b39471.execmd.exeChrome_Update.exe

description	pid	process	target process
PID 356 wrote to memory of 2696	356	59048850afb594c657d732a4e0b39471.exe	schtasks.exe
PID 356 wrote to memory of 2696	356	59048850afb594c657d732a4e0b39471.exe	schtasks.exe
PID 356 wrote to memory of 2696	356	59048850afb594c657d732a4e0b39471.exe	schtasks.exe
PID 356 wrote to memory of 2924	356	59048850afb594c657d732a4e0b39471.exe	cmd.exe
PID 356 wrote to memory of 2924	356	59048850afb594c657d732a4e0b39471.exe	cmd.exe
PID 356 wrote to memory of 2924	356	59048850afb594c657d732a4e0b39471.exe	cmd.exe
PID 2924 wrote to memory of 2728	2924	cmd.exe	tasklist.exe
PID 2924 wrote to memory of 2728	2924	cmd.exe	tasklist.exe
PID 2924 wrote to memory of 2728	2924	cmd.exe	tasklist.exe
PID 2924 wrote to memory of 3032	2924	cmd.exe	find.exe
PID 2924 wrote to memory of 3032	2924	cmd.exe	find.exe
PID 2924 wrote to memory of 3032	2924	cmd.exe	find.exe
PID 2924 wrote to memory of 2164	2924	cmd.exe	timeout.exe
PID 2924 wrote to memory of 2164	2924	cmd.exe	timeout.exe
PID 2924 wrote to memory of 2164	2924	cmd.exe	timeout.exe
PID 2924 wrote to memory of 2612	2924	cmd.exe	tasklist.exe
PID 2924 wrote to memory of 2612	2924	cmd.exe	tasklist.exe
PID 2924 wrote to memory of 2612	2924	cmd.exe	tasklist.exe
PID 2924 wrote to memory of 2624	2924	cmd.exe	find.exe
PID 2924 wrote to memory of 2624	2924	cmd.exe	find.exe
PID 2924 wrote to memory of 2624	2924	cmd.exe	find.exe
PID 2924 wrote to memory of 3036	2924	cmd.exe	timeout.exe
PID 2924 wrote to memory of 3036	2924	cmd.exe	timeout.exe
PID 2924 wrote to memory of 3036	2924	cmd.exe	timeout.exe
PID 2924 wrote to memory of 2812	2924	cmd.exe	Chrome_Update.exe
PID 2924 wrote to memory of 2812	2924	cmd.exe	Chrome_Update.exe
PID 2924 wrote to memory of 2812	2924	cmd.exe	Chrome_Update.exe
PID 2812 wrote to memory of 2908	2812	Chrome_Update.exe	schtasks.exe
PID 2812 wrote to memory of 2908	2812	Chrome_Update.exe	schtasks.exe
PID 2812 wrote to memory of 2908	2812	Chrome_Update.exe	schtasks.exe
PID 2812 wrote to memory of 1356	2812	Chrome_Update.exe	WerFault.exe
PID 2812 wrote to memory of 1356	2812	Chrome_Update.exe	WerFault.exe
PID 2812 wrote to memory of 1356	2812	Chrome_Update.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\59048850afb594c657d732a4e0b39471.exe
"C:\Users\Admin\AppData\Local\Temp\59048850afb594c657d732a4e0b39471.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:356
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\users\Chrome_Update.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp205C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp205C.tmp.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3032
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 356"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2164
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2624
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 356"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3036
- - C:\Users\users\Chrome_Update.exe
    "Chrome_Update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\users\Chrome_Update.exe"
      4⤵
      Creates scheduled task(s)
      PID:2908
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2812 -s 1596
      4⤵
      PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp205C.tmp.bat

Filesize
215B

MD5
135c861e33e94a83472997fd3388ee13

SHA1
26f741e51841de430515ee51b006d8ec9b21f04f

SHA256
5ba54eaf1cbfe179048a99c693544aa53037f2bd4fb60eaefe18ce46518e7e8a

SHA512
f75e3e56e29d2bb4bc7cb1551d073f03b062e7c3870bfa17ed56bb9fc54204d680bbe476ef45756092cd955ea0c8b0a46d6c72d5e65a790c05d04a8c3e4e3464

Download Submit
C:\Users\users\Chrome_Update.exe

Filesize
55KB

MD5
59048850afb594c657d732a4e0b39471

SHA1
84710fbc564f6db75ca86d5646ac437b1f714f45

SHA256
e266f576625221648379d9a1d512d19bfce7379b7e2ae0192e3ea2e69de14b0d

SHA512
ac84f9b235d1f4a7c8089479067906c9267aba74ac14dbf8eb4779a2caf408c51041fa14210ab2955ca42f156f44439b91801363f50a5433a07d0c8fec4d1fad

Download Submit
memory/356-0-0x0000000000B50000-0x0000000000B64000-memory.dmp

Filesize
80KB

Download
memory/356-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/356-1-0x0000000000350000-0x0000000000372000-memory.dmp

Filesize
136KB

Download
memory/356-3-0x000000001AF60000-0x000000001AFE0000-memory.dmp

Filesize
512KB

Download
memory/356-7-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-11-0x0000000000120000-0x0000000000134000-memory.dmp

Filesize
80KB

Download
memory/2812-13-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download
memory/2812-12-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-14-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-15-0x000000001AE90000-0x000000001AF10000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads