Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-03-2024 01:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    147KB

  • MD5

    27d11d6ddc6f80eed3b4fbd411b82014

  • SHA1

    2c5f9eb7c3f8bf0b9cb9f05bc192ab37cb9384d8

  • SHA256

    d56b2acb792a0e9e636c40190064525352293bbabd04d31a89978c0c167f50aa

  • SHA512

    e4cda09a174769cfbb665c51410bbe9d40a0896148ad600bfd78195f90d793e96b0a2d149c709491af60381533c3c91b816f04875433849e22e1eda4d9484eff

  • SSDEEP

    3072:lVHeqbQCpPCJc2L/BDLzEPzKcOP9aWvqXp087OsWVOQ28EwDx30kAmQiL:lVH3u7xsPzKhP9NSXJ7OLwV8EwVXQ

Score
10/10
toxiceyerattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Signatures

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
      "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2692
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\system32\tasklist.exe
          Tasklist /fi "PID eq 2916"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2392
        • C:\Windows\system32\find.exe
          find ":"
          4⤵
            PID:2400
          • C:\Windows\system32\timeout.exe
            Timeout /T 1 /Nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:2468
          • C:\Users\CyberEye\rat.exe
            "rat.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3016
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
              5⤵
              • Creates scheduled task(s)
              PID:2436
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 3016 -s 1528
              5⤵
                PID:2320

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
        Filesize

        143KB

        MD5

        74f22ec8451a5d788ee312e2b637519c

        SHA1

        a7bd09f6f3d7f9b3ec33b5d4c2787223459d1fc0

        SHA256

        48614dc3fd49968db9c35b840a6609f397f2f1813daa7c56b659036edf82f2e2

        SHA512

        5b356e4811c58bcede2c3a5a0614e40049ef2a68c63c76fa78f612441d1ca9e1200f7a0544ffbca66ab4e0668fd0ec196bf0cdbff60ff7097c5f476b1675492b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.bat
        Filesize

        188B

        MD5

        b3a15bc872565551120ae56caf11e5af

        SHA1

        35146d564e110100f9723d12556cae0f9500b56f

        SHA256

        ee03b9b978da32de4680bade01df986c89323cf2d5da2bd7e6707c068690ecf3

        SHA512

        68806ce96c447ecbcd8268135137ce47d38e49a7e1bc9e77e31ecafbeb59e2d8e19ddbc0b41440e4ddb9fd022a15e206de35c4dcc19894c007883e8ef7761a0d

        Download Submit

      • memory/2916-6-0x00000000009E0000-0x0000000000A0A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/2916-7-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2916-8-0x0000000000400000-0x0000000000480000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2916-11-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3016-16-0x0000000000F20000-0x0000000000F4A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/3016-17-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3016-18-0x000000001AD10000-0x000000001AD90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/3016-19-0x000007FEF4AA0000-0x000007FEF548C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3016-20-0x000000001AD10000-0x000000001AD90000-memory.dmp

        Filesize

        512KB

        Download