toxiceye | 587dae991f27a9e18c7bb98f6bd0785fe2894ec2464bddec729a1d243a7dda45

General

Target

a01d6062308781d37c5270fdba230231.exe
Size

111KB
MD5

a01d6062308781d37c5270fdba230231
SHA1

61083d8d892adfbb53c2684e2ae14236e9f0c78e
SHA256

587dae991f27a9e18c7bb98f6bd0785fe2894ec2464bddec729a1d243a7dda45
SHA512

cf544c32e92c49a8a51c38ae7c7431951421b48f091de1e7bd35bdd5624b1370faf8245d06c769fa9af38b803c9cceb65628276dffcd8371b0857b320e62c367
SSDEEP

3072:mb8YUuQaS+T8sNoVWloStVjNhOYJbxqHdQWbzCrAZuxsy:hYUuQaS+T8sNoVWlLHN9bgt

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot1857786160:AAGDD7DgtbFIfWo0zZZYzaCSIulgMOW4U5E/sendMessage?chat_id=1835799378

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2816	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

svchost64.exe

pid	Process
2736	svchost64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2716	schtasks.exe
2492	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2784	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

Processes:

tasklist.exe

pid	Process
2844	tasklist.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost64.exe

pid	Process
2736	svchost64.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost64.exe

pid	Process
2736	svchost64.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a01d6062308781d37c5270fdba230231.exetasklist.exesvchost64.exe

description	pid	Process
Token: SeDebugPrivilege	3036	a01d6062308781d37c5270fdba230231.exe
Token: SeDebugPrivilege	2844	tasklist.exe
Token: SeDebugPrivilege	2736	svchost64.exe
Token: SeDebugPrivilege	2736	svchost64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost64.exe

pid	Process
2736	svchost64.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

a01d6062308781d37c5270fdba230231.execmd.exesvchost64.exe

description	pid	Process	procid_target
PID 3036 wrote to memory of 2716	3036	a01d6062308781d37c5270fdba230231.exe	30
PID 3036 wrote to memory of 2716	3036	a01d6062308781d37c5270fdba230231.exe	30
PID 3036 wrote to memory of 2716	3036	a01d6062308781d37c5270fdba230231.exe	30
PID 3036 wrote to memory of 2816	3036	a01d6062308781d37c5270fdba230231.exe	32
PID 3036 wrote to memory of 2816	3036	a01d6062308781d37c5270fdba230231.exe	32
PID 3036 wrote to memory of 2816	3036	a01d6062308781d37c5270fdba230231.exe	32
PID 2816 wrote to memory of 2844	2816	cmd.exe	34
PID 2816 wrote to memory of 2844	2816	cmd.exe	34
PID 2816 wrote to memory of 2844	2816	cmd.exe	34
PID 2816 wrote to memory of 2780	2816	cmd.exe	35
PID 2816 wrote to memory of 2780	2816	cmd.exe	35
PID 2816 wrote to memory of 2780	2816	cmd.exe	35
PID 2816 wrote to memory of 2784	2816	cmd.exe	36
PID 2816 wrote to memory of 2784	2816	cmd.exe	36
PID 2816 wrote to memory of 2784	2816	cmd.exe	36
PID 2816 wrote to memory of 2736	2816	cmd.exe	38
PID 2816 wrote to memory of 2736	2816	cmd.exe	38
PID 2816 wrote to memory of 2736	2816	cmd.exe	38
PID 2736 wrote to memory of 2492	2736	svchost64.exe	39
PID 2736 wrote to memory of 2492	2736	svchost64.exe	39
PID 2736 wrote to memory of 2492	2736	svchost64.exe	39
PID 2736 wrote to memory of 2560	2736	svchost64.exe	41
PID 2736 wrote to memory of 2560	2736	svchost64.exe	41
PID 2736 wrote to memory of 2560	2736	svchost64.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a01d6062308781d37c5270fdba230231.exe
"C:\Users\Admin\AppData\Local\Temp\a01d6062308781d37c5270fdba230231.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\svchost64.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAA34.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpAA34.tmp.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 3036"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2780
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2784
- - C:\Users\svchost64.exe
    "svchost64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\svchost64.exe"
      4⤵
      Creates scheduled task(s)
      PID:2492
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2736 -s 1772
      4⤵
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAA34.tmp.bat

Filesize
206B

MD5
719282adcb1885c25070c739ae6c1d63

SHA1
3eb0a1261fd797b9e363133fd69940d3472f6b83

SHA256
17f011a917a63942c60188b9ecebde6274ee3feacde8dcb0360401055101eacd

SHA512
70630e2bafccc4b968458fc79462c23a14eb8f2ceebab1c15b9336616448d3880cca75678086a82eed3bc6eafe95dc3ae76e9e36e66e789859c3d1695cd3c3da

Download Submit
C:\Users\svchost64.exe

Filesize
111KB

MD5
a01d6062308781d37c5270fdba230231

SHA1
61083d8d892adfbb53c2684e2ae14236e9f0c78e

SHA256
587dae991f27a9e18c7bb98f6bd0785fe2894ec2464bddec729a1d243a7dda45

SHA512
cf544c32e92c49a8a51c38ae7c7431951421b48f091de1e7bd35bdd5624b1370faf8245d06c769fa9af38b803c9cceb65628276dffcd8371b0857b320e62c367

Download Submit
memory/2736-10-0x0000000001080000-0x00000000010A2000-memory.dmp

Filesize
136KB

Download
memory/2736-11-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-12-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2736-13-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-14-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/3036-0-0x0000000000120000-0x0000000000142000-memory.dmp

Filesize
136KB

Download
memory/3036-1-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-2-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/3036-5-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads