Analysis
- max time kernel: 126s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 14-01-2024 01:16
Behavioral task: behavioral1
- Sample: 3df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb.exe
- Resource: win7-20231129-en
General
- Target: 3df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb.exe
- Size: 73KB
- MD5: 38312527c8f936445c85e7ddde36f420
- SHA1: 725a7f7522e907878eb84456ccb0424332b5cdd6
- SHA256: 3df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb
- SHA512: b748a3c76aaeefe29ca856ebbe49b7e316c992af399e6678bb43e0bef297e03cf0144b06cad64a9c46c6a2950e38036a07bd9e3dc23cc67f1b63702153fc38d0
- SSDEEP: 1536:6aUqAcxVMW7eTmJ9rxjJTkdK4WaxHdSzPMwy/eqmmRhdWVH1bfbCeZkwzUIbVclN:6aUTcxVMW7eiJ9rxjJTkdK4WaP0PMwh6
Malware Config
Extracted
- Family: asyncrat
- Version: Venom RAT + HVNC + Stealer + Grabber v6.0.2
- Botnet (campaign name): Exodus
- C2: 91.92.255.187:4449
- Mutex: ypyertvpyqfr
- delay: 1
- install: true
- install_file: chromeupdate.exe
- install_folder: %AppData%
The install settings explain the rest of the report: the sample copies itself to %AppData%\chromeupdate.exe, registers that copy as a logon task, and relaunches it after a short timeout.
Signatures
-
Async RAT payload 4 IoCs
Matches (resource, yara_rule):
  - behavioral1/memory/2344-0-0x0000000001180000-0x0000000001198000-memory.dmp  asyncrat
  - C:\Users\Admin\AppData\Roaming\chromeupdate.exe  asyncrat
  - behavioral1/memory/2648-19-0x0000000000F10000-0x0000000000F28000-memory.dmp  asyncrat
  - C:\Users\Admin\AppData\Roaming\chromeupdate.exe  asyncrat
-
Executes dropped EXE 1 IoCs
Processes (pid, process):
  - 2648  chromeupdate.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes (pid, process):
  - 2116  timeout.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes (pid, process):
  - 2344  3df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb.exe (2 events)
  - 2648  chromeupdate.exe (7 events)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
  - Token: SeDebugPrivilege  2344  3df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb.exe
  - Token: SeDebugPrivilege  2648  chromeupdate.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
  - 2648  chromeupdate.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes (source pid/process wrote to memory of target pid/process; 3 events each):
  - 2344 3df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb.exe -> 1692 cmd.exe
  - 2344 3df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb.exe -> 2900 cmd.exe
  - 2900 cmd.exe -> 2116 timeout.exe
  - 1692 cmd.exe -> 2564 schtasks.exe
  - 2900 cmd.exe -> 2648 chromeupdate.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb.exe (pid 2344)
  "C:\Users\Admin\AppData\Local\Temp\3df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\cmd.exe (pid 1692)
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"' & exit
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\schtasks.exe (pid 2564)
      schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"'
      - Creates scheduled task(s)
  -
  C:\Windows\system32\cmd.exe (pid 2900)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC50.tmp.bat""
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\timeout.exe (pid 2116, parented to pid 2900 per the WriteProcessMemory table)
      timeout 3
      - Delays execution with timeout.exe
    -
    C:\Users\Admin\AppData\Roaming\chromeupdate.exe (pid 2648)
      "C:\Users\Admin\AppData\Roaming\chromeupdate.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
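The tree above is the stock AsyncRAT/VenomRAT install routine: the dropper spawns one cmd.exe to register an on-logon task with /rl highest pointing at the copy in %AppData%, and a second cmd.exe that runs a temp batch which sleeps with timeout.exe and then starts that copy. The Python below is an added detection example, not part of the sandbox report or of the sample; it runs over process-creation events constructed from the PIDs, images and command lines in this report (timeout.exe parented to the batch cmd.exe, pid 2900, as the WriteProcessMemory table shows), and the list of user-writable directories it checks is an assumption of the example. The batch file's contents are not shown in the report, so the detector keys only on what is observable in the tree.

```python
"""Detect the AsyncRAT / VenomRAT install chain shown in the process tree above.

Added example for this report; not part of the sandbox or the sample. The
REPORT_EVENTS list is constructed from the report's process tree and
WriteProcessMemory table (PIDs, images and command lines are taken from it).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption of this example: directories a standard user can write to. A logon
# task whose action lives here is persistence for an unprivileged dropper.
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# One token per: '"quoted"' (the /tr style above), "quoted", 'quoted', or bare word.
_TOKEN = re.compile(r"""'"[^"]*"'|"[^"]*"|'[^']*'|\S+""")


def _tokens(cmdline: str) -> List[str]:
    return [t.strip("'\"") for t in _TOKEN.findall(cmdline)]


def parse_schtasks_create(cmdline: str) -> Optional[Dict[str, object]]:
    """Parse `schtasks /create ...` into {switch: value or True}; None if not a create.

    Keys are lowercased without the slash. A switch directly followed by another
    switch (like /f above) is recorded as a flag.
    """
    toks = _tokens(cmdline)
    low = [t.lower() for t in toks]
    if not low or "schtasks" not in low[0] or "/create" not in low:
        return None
    switches: Dict[str, object] = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is not None and not nxt.startswith("/"):
                switches[key] = nxt
                i += 2
                continue
            switches[key] = True
        i += 1
    return switches


def in_user_writable(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE)


def task_findings(switches: Dict[str, object]) -> List[str]:
    """Reasons a parsed schtasks /create looks like malware persistence."""
    reasons = []
    trigger = str(switches.get("sc", "")).lower()
    if trigger in ("onlogon", "onstart"):
        reasons.append("trigger " + trigger)
    if str(switches.get("rl", "")).lower() == "highest":
        reasons.append("run level highest")
    action = str(switches.get("tr", ""))
    if in_user_writable(action):
        reasons.append("action in user-writable path " + action)
    return reasons


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def detect_install_chain(events: List[ProcEvent]) -> List[str]:
    """Flag (1) a persistence task created via schtasks and (2) a cmd.exe running a
    temp .bat that delays with timeout.exe and then starts an EXE from a
    user-writable path. Findings carry PIDs so an analyst can pivot to the tree."""
    by_pid = {e.pid: e for e in events}

    def root_of(e: ProcEvent) -> ProcEvent:  # walk up to the top of the known tree
        seen = set()
        while e.ppid in by_pid and e.pid not in seen:
            seen.add(e.pid)
            e = by_pid[e.ppid]
        return e

    findings = []
    for e in events:
        image = e.image.lower()
        if image.endswith("schtasks.exe"):
            sw = parse_schtasks_create(e.cmdline)
            reasons = task_findings(sw) if sw else []
            if reasons:
                findings.append(
                    f"pid {e.pid}: scheduled task {sw.get('tn')} ({'; '.join(reasons)}); "
                    f"root pid {root_of(e).pid}"
                )
        elif image.endswith("cmd.exe") and ".bat" in e.cmdline.lower() and in_user_writable(e.cmdline):
            kids = [k for k in events if k.ppid == e.pid]
            delayed = any(k.image.lower().endswith("timeout.exe") for k in kids)
            dropped = [k for k in kids if in_user_writable(k.image)]
            if delayed and dropped:
                findings.append(
                    f"pid {e.pid}: temp batch delays with timeout.exe, then starts "
                    f"{dropped[0].image} (pid {dropped[0].pid})"
                )
    return findings


# Constructed from the report's process tree and PIDs (not captured telemetry).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"
TASK_ARGS = '/create /f /sc onlogon /rl highest /tn "chromeupdate" /tr \'"' + DROPPED + '"\''
REPORT_EVENTS = [
    ProcEvent(2344, 1, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1692, 2344, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c schtasks ' + TASK_ARGS + " & exit"),
    ProcEvent(2564, 1692, r"C:\Windows\system32\schtasks.exe", "schtasks " + TASK_ARGS),
    ProcEvent(2900, 2344, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC50.tmp.bat""'),
    ProcEvent(2116, 2900, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(2648, 2900, DROPPED, '"' + DROPPED + '"'),
]

if __name__ == "__main__":
    for line in detect_install_chain(REPORT_EVENTS):
        print(line)
```

Running it against the constructed events yields two findings: the on-logon task (pid 2564) traced back to the dropper (pid 2344), and the batch cmd.exe (pid 2900) that sleeps and then starts the %AppData% copy (pid 2648). The parser tolerates the odd '"path"' quoting schtasks is given here, and the rule deliberately does not rely on the task name "chromeupdate", which is trivially changed in the builder; the trigger, run level and action path are the stable parts.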
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpC50.tmp.bat
- Filesize: 155B
- MD5: 2c5ca12c5c951787d924e364699fbc70
- SHA1: d1a6bce8b1ea6ef991fe624fb4c06d03f3ce16c9
- SHA256: 5ba6a074922c49448cfaebc4eb47ae3c251a7b89741f54bb4b0a2d2c20c0fe80
- SHA512: 6894f4725b03337e43fbcc7e579e64e605eece40285a1d464a2640d9fe5fecb7f26828817ad04aeedb44bbd038d3b9fd45b39ba702deff4b374e34fd38d37c85
-
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
- Filesize: 8B
- MD5: cf759e4c5f14fe3eec41b87ed756cea8
- SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
- SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
- SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
C:\Users\Admin\AppData\Roaming\chromeupdate.exe (first write)
- Filesize: 53KB
- MD5: 5a26787422d636c4623551d1fa423db0
- SHA1: a691adb24555e90994af8b53e547b2021b2c96f1
- SHA256: 38d4dd2141aeed972bff1387a08300a0dff6d5da517717d67c480f09df46f4f0
- SHA512: bfb73957a81273a66f10ff20c44b28b8e62e2119c378de026f761b68e08b3f03b9037b131e49275c6d0098eaa408a21c37500a08a9ad91ab5846c4fd9668bd9b
-
C:\Users\Admin\AppData\Roaming\chromeupdate.exe (second write; hashes match the submitted sample)
- Filesize: 73KB
- MD5: 38312527c8f936445c85e7ddde36f420
- SHA1: 725a7f7522e907878eb84456ccb0424332b5cdd6
- SHA256: 3df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb
- SHA512: b748a3c76aaeefe29ca856ebbe49b7e316c992af399e6678bb43e0bef297e03cf0144b06cad64a9c46c6a2950e38036a07bd9e3dc23cc67f1b63702153fc38d0
-
memory/2344-14-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp  Filesize: 9.9MB
-
memory/2344-0-0x0000000001180000-0x0000000001198000-memory.dmp  Filesize: 96KB
-
memory/2344-4-0x0000000077540000-0x00000000776E9000-memory.dmp  Filesize: 1.7MB
-
memory/2344-15-0x0000000077540000-0x00000000776E9000-memory.dmp  Filesize: 1.7MB
-
memory/2344-3-0x000000001AEE0000-0x000000001AF60000-memory.dmp  Filesize: 512KB
-
memory/2344-1-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp  Filesize: 9.9MB
-
memory/2648-19-0x0000000000F10000-0x0000000000F28000-memory.dmp  Filesize: 96KB
-
memory/2648-22-0x000000001AD20000-0x000000001ADA0000-memory.dmp  Filesize: 512KB
-
memory/2648-21-0x000007FEF51B0000-0x000007FEF5B9C000-memory.dmp  Filesize: 9.9MB
-
memory/2648-23-0x0000000077540000-0x00000000776E9000-memory.dmp  Filesize: 1.7MB
-
memory/2648-24-0x000007FEF51B0000-0x000007FEF5B9C000-memory.dmp  Filesize: 9.9MB
-
memory/2648-25-0x000000001AD20000-0x000000001ADA0000-memory.dmp  Filesize: 512KB
-
memory/2648-26-0x0000000077540000-0x00000000776E9000-memory.dmp  Filesize: 1.7MB