Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/01/2024, 14:47

Behavioral task
- behavioral1
- Sample: client.exe
- Resource: win7-20231215-en
General
- Target: client.exe
- Size: 73KB
- MD5: 25b6389bbaa746df85d53714d4a6d477
- SHA1: 86e6443e902f180f32fb434e06ecf45d484582e3
- SHA256: 4b02692bf468a164e333bbfc961c5974d0a95009a72ea8bff2e9cb677eae4f56
- SHA512: 6ad22c119b548f0e8ed5adb6c9f48c33b356340a7309c8185bec817f2562ae99760ff79e131c89bce2be122b6385bee610704f37edb7f1656a1b9d4782a1fcf4
- SSDEEP: 1536:6aUqAcxVMW7eTmJ9rxjJTkdK4WaxHdSzPMwy/eqmmRhdWVH1bfbVCNIrXQlwzUIE:6aUTcxVMW7eiJ9rxjJTkdK4WaP0PMwhq
Malware Config
Extracted
- Family: asyncrat
- Version: Venom RAT + HVNC + Stealer + Grabber v6.0.2
- Botnet: Default
- C2: 93.123.39.68:4449
- Mutex: kszghixltbdczq
- delay: 1
- install: true
- install_file: chromeupdate.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/2944-0-0x0000000001240000-0x0000000001258000-memory.dmp | asyncrat
  behavioral1/memory/2944-3-0x000000001ADF0000-0x000000001AE70000-memory.dmp | asyncrat
  behavioral1/files/0x0035000000015c26-17.dat | asyncrat
  behavioral1/memory/2680-19-0x0000000000CE0000-0x0000000000CF8000-memory.dmp | asyncrat
  behavioral1/memory/2680-22-0x0000000002180000-0x0000000002200000-memory.dmp | asyncrat
- Executes dropped EXE (1 IoC)
  pid | Process
  2680 | chromeupdate.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2768 | schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  pid | Process
  2848 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (37 IoCs)
  pid | Process
  2944 | client.exe (2 entries)
  2680 | chromeupdate.exe (35 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2944 | client.exe
  Token: SeDebugPrivilege | 2680 | chromeupdate.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2680 | chromeupdate.exe
- Suspicious use of WriteProcessMemory (15 IoCs; each of the 5 events below is reported 3 times)
  description | pid | Process | procid_target
  PID 2944 wrote to memory of 2316 | 2944 | client.exe | 28
  PID 2944 wrote to memory of 2792 | 2944 | client.exe | 30
  PID 2792 wrote to memory of 2848 | 2792 | cmd.exe | 32
  PID 2316 wrote to memory of 2768 | 2316 | cmd.exe | 33
  PID 2792 wrote to memory of 2680 | 2792 | cmd.exe | 34
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\client.exe"
  PID: 2944 (depth 1)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"' & exit
    PID: 2316 (depth 2)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"'
      PID: 2768 (depth 3)
      - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5F11.tmp.bat""
    PID: 2792 (depth 2)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 2848 (depth 3)
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\chromeupdate.exe
      Command line: "C:\Users\Admin\AppData\Roaming\chromeupdate.exe"
      PID: 2680 (depth 3)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 156B
  MD5: 9939a4bc8388d70b708ab7e0f2a3757e
  SHA1: d18fd1e5f2d974dba43f7644c29416f0c6a82005
  SHA256: 1cce710732f8041f379bb92b9594b79851bac02a2005b7ab166e6e9ba3e5ddc3
  SHA512: 97c8613d0501c2a46df171b5485adbb365d2d969834dae9fef00e1740d647c3e2087211c624ae4f300e966e3c1a31037e5339bb89ff34966a99dfe8c90e8b5d1
- File 2
  Filesize: 8B
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
- File 3 (same hashes as the submitted sample client.exe)
  Filesize: 73KB
  MD5: 25b6389bbaa746df85d53714d4a6d477
  SHA1: 86e6443e902f180f32fb434e06ecf45d484582e3
  SHA256: 4b02692bf468a164e333bbfc961c5974d0a95009a72ea8bff2e9cb677eae4f56
  SHA512: 6ad22c119b548f0e8ed5adb6c9f48c33b356340a7309c8185bec817f2562ae99760ff79e131c89bce2be122b6385bee610704f37edb7f1656a1b9d4782a1fcf4