Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-03-2024 01:48
Behavioral task
behavioral1
Sample
a.exe
Resource
win7-20240221-en
General
-
Target
a.exe
-
Size
143KB
-
MD5
9f7e5fec8caa330b7ae21818ca6bd057
-
SHA1
04c7bc6909a8cac7712010728c1d58ea348e7400
-
SHA256
5d3a08dced9382d003191a7cc8fab4b2e116c8673301de05e75f1891d7740d33
-
SHA512
8756772ed9ca40cf1bd879faf2a6b34861ba3abe46199b90e3db66ddb1b87837494720892a73f7b3c22ed0f234f1a5d91282de48c431709775597dc4cd066e8f
-
SSDEEP
3072:/hcmsSrI7vLHvWk4EqvE2Rf2p65dd54f/iaK9NIbve0ZQWf5CrAZuCPg:/v4v8Ef/iay+bWa
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral2/memory/2868-1-0x000001EF2FA20000-0x000001EF2FA4A000-memory.dmp disable_win_def behavioral2/files/0x000900000002322b-9.dat disable_win_def -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation rat.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation a.exe -
Executes dropped EXE 1 IoCs
pid Process 416 rat.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 21 raw.githubusercontent.com 22 raw.githubusercontent.com 23 raw.githubusercontent.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 872 schtasks.exe 716 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4508 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 3928 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe 416 rat.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2868 a.exe Token: SeDebugPrivilege 3928 tasklist.exe Token: SeDebugPrivilege 416 rat.exe Token: SeDebugPrivilege 416 rat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 416 rat.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2868 wrote to memory of 872 2868 a.exe 98 PID 2868 wrote to memory of 872 2868 a.exe 98 PID 2868 wrote to memory of 4644 2868 a.exe 100 PID 2868 wrote to memory of 4644 2868 a.exe 100 PID 4644 wrote to memory of 3928 4644 cmd.exe 102 PID 4644 wrote to memory of 3928 4644 cmd.exe 102 PID 4644 wrote to memory of 4684 4644 cmd.exe 103 PID 4644 wrote to memory of 4684 4644 cmd.exe 103 PID 4644 wrote to memory of 4508 4644 cmd.exe 104 PID 4644 wrote to memory of 4508 4644 cmd.exe 104 PID 4644 wrote to memory of 416 4644 cmd.exe 106 PID 4644 wrote to memory of 416 4644 cmd.exe 106 PID 416 wrote to memory of 716 416 rat.exe 108 PID 416 wrote to memory of 716 416 rat.exe 108 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a.exe"C:\Users\Admin\AppData\Local\Temp\a.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"2⤵
- Creates scheduled task(s)
PID:872
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD3AB.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD3AB.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 2868"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3928
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:4684
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:4508
-
-
C:\Users\CyberEye\rat.exe"rat.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"4⤵
- Creates scheduled task(s)
PID:716
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:81⤵PID:4056
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
178B
MD5898a3bc38d57d4f157ba9b5fda068598
SHA1de033c39807770fc68e43a752b3a3a349e6e3341
SHA256b577031857cd16a9e4dc78d05c885851931c5230ee3ab38a426f160a8f429eab
SHA5126084df6e772fb3ee88069ddb91a1da00ceef4783702e01c080bff011077665346c87e7f04eaf4d3d2f483583393dd8a1d230b8a9e436de9327fd10883a6af256
-
Filesize
143KB
MD59f7e5fec8caa330b7ae21818ca6bd057
SHA104c7bc6909a8cac7712010728c1d58ea348e7400
SHA2565d3a08dced9382d003191a7cc8fab4b2e116c8673301de05e75f1891d7740d33
SHA5128756772ed9ca40cf1bd879faf2a6b34861ba3abe46199b90e3db66ddb1b87837494720892a73f7b3c22ed0f234f1a5d91282de48c431709775597dc4cd066e8f