Analysis

max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/01/2024, 14:47

Behavioral task: behavioral1
Sample: client.exe
Resource: win7-20231215-en
General

Target: client.exe
Size: 73KB
MD5: 25b6389bbaa746df85d53714d4a6d477
SHA1: 86e6443e902f180f32fb434e06ecf45d484582e3
SHA256: 4b02692bf468a164e333bbfc961c5974d0a95009a72ea8bff2e9cb677eae4f56
SHA512: 6ad22c119b548f0e8ed5adb6c9f48c33b356340a7309c8185bec817f2562ae99760ff79e131c89bce2be122b6385bee610704f37edb7f1656a1b9d4782a1fcf4
SSDEEP: 1536:6aUqAcxVMW7eTmJ9rxjJTkdK4WaxHdSzPMwy/eqmmRhdWVH1bfbVCNIrXQlwzUIE:6aUTcxVMW7eiJ9rxjJTkdK4WaP0PMwhq
Malware Config

Extracted
  asyncrat
  Venom RAT + HVNC + Stealer + Grabber v6.0.2
  Default
  93.123.39.68:4449
  kszghixltbdczq
  delay: 1
  install: true
  install_file: chromeupdate.exe
  install_folder: %AppData%
Signatures

Async RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3580-0-0x0000000000FA0000-0x0000000000FB8000-memory.dmp | asyncrat
  behavioral2/files/0x0003000000000711-12.dat | asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | client.exe

Executes dropped EXE (1 IoC)
  pid | Process
  4508 | chromeupdate.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  968 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid | Process
  3876 | timeout.exe

Suspicious behavior: EnumeratesProcesses (52 IoCs)
  pid | Process
  3580 | client.exe (repeated entries)
  4508 | chromeupdate.exe (repeated entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3580 | client.exe
  Token: SeDebugPrivilege | 4508 | chromeupdate.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4508 | chromeupdate.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 3580 wrote to memory of 2708 | 3580 | client.exe | 91
  PID 3580 wrote to memory of 2708 | 3580 | client.exe | 91
  PID 3580 wrote to memory of 4636 | 3580 | client.exe | 92
  PID 3580 wrote to memory of 4636 | 3580 | client.exe | 92
  PID 4636 wrote to memory of 3876 | 4636 | cmd.exe | 96
  PID 4636 wrote to memory of 3876 | 4636 | cmd.exe | 96
  PID 2708 wrote to memory of 968 | 2708 | cmd.exe | 95
  PID 2708 wrote to memory of 968 | 2708 | cmd.exe | 95
  PID 4636 wrote to memory of 4508 | 4636 | cmd.exe | 97
  PID 4636 wrote to memory of 4508 | 4636 | cmd.exe | 97

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\client.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\client.exe"
    PID: 3580
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"' & exit
        PID: 2708
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"'
            PID: 968
            - Creates scheduled task(s)

    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8FAD.tmp.bat""
        PID: 4636
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\timeout.exe
            Command line: timeout 3
            PID: 3876
            - Delays execution with timeout.exe

        [3] C:\Users\Admin\AppData\Roaming\chromeupdate.exe
            Command line: "C:\Users\Admin\AppData\Roaming\chromeupdate.exe"
            PID: 4508
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 156B
  MD5: 8bfdf7b87a8dcf50433efafb70e6b794
  SHA1: e89a49742dc2d4bf7148f13ae600501c7386b523
  SHA256: fe8d831850f9cfc50c6991722ea7a8552340ee3cd588252bc8f34e430d09ecba
  SHA512: 2eff1988befa3327e70d4718ecd4f0a820e6b8f3c40c041112513bdae2330bca633f2e1ebad71da2c2a4c0ad38096cc3e70f78d56d3bcf11718a43b6816faf31

- Filesize: 8B
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

- Filesize: 73KB
  MD5: 25b6389bbaa746df85d53714d4a6d477
  SHA1: 86e6443e902f180f32fb434e06ecf45d484582e3
  SHA256: 4b02692bf468a164e333bbfc961c5974d0a95009a72ea8bff2e9cb677eae4f56
  SHA512: 6ad22c119b548f0e8ed5adb6c9f48c33b356340a7309c8185bec817f2562ae99760ff79e131c89bce2be122b6385bee610704f37edb7f1656a1b9d4782a1fcf4