Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
02-03-2024 01:20
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240221-en
General
-
Target
file.exe
-
Size
147KB
-
MD5
27d11d6ddc6f80eed3b4fbd411b82014
-
SHA1
2c5f9eb7c3f8bf0b9cb9f05bc192ab37cb9384d8
-
SHA256
d56b2acb792a0e9e636c40190064525352293bbabd04d31a89978c0c167f50aa
-
SHA512
e4cda09a174769cfbb665c51410bbe9d40a0896148ad600bfd78195f90d793e96b0a2d149c709491af60381533c3c91b816f04875433849e22e1eda4d9484eff
-
SSDEEP
3072:lVHeqbQCpPCJc2L/BDLzEPzKcOP9aWvqXp087OsWVOQ28EwDx30kAmQiL:lVH3u7xsPzKhP9NSXJ7OLwV8EwVXQ
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698
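The extracted configuration is a Telegram Bot API URL, so the pivotable indicators are the bot id, the full bot token and the operator's chat_id, not the hostname (api.telegram.org is legitimate and cannot be blocked on its own). The following parser and string-scanner is an added example written for this page; it is not code from the sandbox or from the sample. The URL is the one extracted above; the "strings dump" it scans is constructed to show how the same token surfaces in a memory dump.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Extracted C2 URL from this page's "Malware Config" section.
EXTRACTED_C2 = ("https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo"
                "/sendMessage?chat_id=6226815698")

# Constructed strings output, standing in for `strings` run over a memory dump of the RAT.
CONSTRUCTED_STRINGS = """\
System.Net.Http
Token: 7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo
https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698
chat_id=
"""

# A Bot API token is "<numeric bot id>:<35-character secret>"; the API path is /bot<token>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)$")
BOT_TOKEN_RE = re.compile(r"\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")


def parse_telegram_c2(url):
    """Return the pivotable parts of a Telegram Bot API C2 URL, or None if the URL is not one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    query = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }


def find_bot_tokens(text):
    """Every distinct bot token in a text blob (e.g. strings from a memory dump), in order seen."""
    return list(dict.fromkeys(BOT_TOKEN_RE.findall(text)))


def defang(url):
    """Render a URL so it is not clickable or auto-linked when pasted into a report."""
    parts = urlsplit(url)
    host = parts.hostname.replace(".", "[.]")
    return url.replace(parts.hostname, host, 1).replace("http", "hxxp", 1)


if __name__ == "__main__":
    info = parse_telegram_c2(EXTRACTED_C2)
    print("bot id  :", info["bot_id"])
    print("chat id :", info["chat_id"])
    print("method  :", info["method"])
    print("defanged:", defang(EXTRACTED_C2))
    print("tokens in dump:", find_bot_tokens(CONSTRUCTED_STRINGS))
```

The bot id and chat_id are stable across samples built from the same builder configuration and are the values to pivot on in other reports. Do not validate the token against the API (getMe, getUpdates): that contacts the operator's bot from your infrastructure and can read or alter their message queue.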
Signatures
-
Contains code to disable Windows Defender 5 IoCs
A .NET executable containing code to disable Windows Defender capabilities such as real-time monitoring and block-at-first-seen. This is a static (YARA) match on the dropped file and on the in-memory images of both dropped processes; it shows capability, not that Defender settings were changed in this run (no settings-modification signature is listed below).
resource                                                                    yara_rule
behavioral1/files/0x000b000000012251-4.dat                                  disable_win_def
behavioral1/memory/2916-6-0x00000000009E0000-0x0000000000A0A000-memory.dmp  disable_win_def
behavioral1/memory/2916-8-0x0000000000400000-0x0000000000480000-memory.dmp  disable_win_def
behavioral1/memory/3016-16-0x0000000000F20000-0x0000000000F4A000-memory.dmp disable_win_def
behavioral1/memory/3016-18-0x000000001AD10000-0x000000001AD90000-memory.dmp disable_win_def
-
Executes dropped EXE 2 IoCs
pid   Process
2916  TelegramRAT.exe
3016  rat.exe
-
Loads dropped DLL 1 IoCs
pid   Process
2848  file.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Both invocations here register the same task, "Chrome Update", triggered at every logon (/sc ONLOGON) with the highest run level (/RL HIGHEST) and pointing at the dropped C:\Users\CyberEye\rat.exe; /f overwrites any existing task of that name. The signature fires on the command line; whether registration succeeded (the highest run level needs an administrator context) is not shown in this report.
pid   Process
2692  schtasks.exe
2436  schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
pid   Process
2468  timeout.exe
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid   Process
2392  tasklist.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
3016  rat.exe
3016  rat.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description              pid   Process
Token: SeDebugPrivilege  2916  TelegramRAT.exe
Token: SeDebugPrivilege  2392  tasklist.exe
Token: SeDebugPrivilege  3016  rat.exe
Token: SeDebugPrivilege  3016  rat.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
3016  rat.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
description                        pid   Process          procid_target
PID 2848 wrote to memory of 2916   2848  file.exe         28
PID 2848 wrote to memory of 2916   2848  file.exe         28
PID 2848 wrote to memory of 2916   2848  file.exe         28
PID 2848 wrote to memory of 2916   2848  file.exe         28
PID 2916 wrote to memory of 2692   2916  TelegramRAT.exe  31
PID 2916 wrote to memory of 2692   2916  TelegramRAT.exe  31
PID 2916 wrote to memory of 2692   2916  TelegramRAT.exe  31
PID 2916 wrote to memory of 2644   2916  TelegramRAT.exe  33
PID 2916 wrote to memory of 2644   2916  TelegramRAT.exe  33
PID 2916 wrote to memory of 2644   2916  TelegramRAT.exe  33
PID 2644 wrote to memory of 2392   2644  cmd.exe          35
PID 2644 wrote to memory of 2392   2644  cmd.exe          35
PID 2644 wrote to memory of 2392   2644  cmd.exe          35
PID 2644 wrote to memory of 2400   2644  cmd.exe          36
PID 2644 wrote to memory of 2400   2644  cmd.exe          36
PID 2644 wrote to memory of 2400   2644  cmd.exe          36
PID 2644 wrote to memory of 2468   2644  cmd.exe          37
PID 2644 wrote to memory of 2468   2644  cmd.exe          37
PID 2644 wrote to memory of 2468   2644  cmd.exe          37
PID 2644 wrote to memory of 3016   2644  cmd.exe          38
PID 2644 wrote to memory of 3016   2644  cmd.exe          38
PID 2644 wrote to memory of 3016   2644  cmd.exe          38
PID 3016 wrote to memory of 2436   3016  rat.exe          40
PID 3016 wrote to memory of 2436   3016  rat.exe          40
PID 3016 wrote to memory of 2436   3016  rat.exe          40
PID 3016 wrote to memory of 2320   3016  rat.exe          42
PID 3016 wrote to memory of 2320   3016  rat.exe          42
PID 3016 wrote to memory of 2320   3016  rat.exe          42
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    PID: 2848
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
        PID: 2916
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
            PID: 2692
            - Creates scheduled task(s)

        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.bat
            PID: 2644
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\tasklist.exe
                Command line: Tasklist /fi "PID eq 2916"
                PID: 2392
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\system32\find.exe
                Command line: find ":"
                PID: 2400

            [4] C:\Windows\system32\timeout.exe
                Command line: Timeout /T 1 /Nobreak
                PID: 2468
                - Delays execution with timeout.exe

            [4] C:\Users\CyberEye\rat.exe
                Command line: "rat.exe"
                PID: 3016
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\System32\schtasks.exe
                    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
                    PID: 2436
                    - Creates scheduled task(s)

                [5] C:\Windows\system32\WerFault.exe
                    Command line: C:\Windows\system32\WerFault.exe -u -p 3016 -s 1528
                    PID: 2320
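Two behaviours in the tree above are worth turning into detection logic: the schtasks persistence (logon trigger, highest run level, action under a user profile) and the cmd.exe /C <temp>.bat & Del <temp>.bat launcher whose children poll the parent PID with tasklist, sleep with timeout, and then start the dropped rat.exe. The batch itself is not shown on this page; the tasklist | find ":" | timeout sequence is consistent with the common "wait until the dropper exits, then run the copy" loop (tasklist prints "INFO: No tasks are running which match the specified criteria." once the PID is gone, and that is the only line containing a colon). The rules below are an added example for this page, not sandbox code and not the sample's own logic; the event list is constructed from the process tree above, and the user-writable path prefixes and the rule names are my own assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree on this page: (pid, parent pid, image path, command line).
SAMPLE_EVENTS = [
    (2848, 0, r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    (2916, 2848, r"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"'),
    (2692, 2916, r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"'),
    (2644, 2916, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1AE0.tmp.bat'),
    (2392, 2644, r"C:\Windows\system32\tasklist.exe", 'Tasklist /fi "PID eq 2916"'),
    (2400, 2644, r"C:\Windows\system32\find.exe", 'find ":"'),
    (2468, 2644, r"C:\Windows\system32\timeout.exe", "Timeout /T 1 /Nobreak"),
    (3016, 2644, r"C:\Users\CyberEye\rat.exe", '"rat.exe"'),
    (2436, 3016, r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"'),
    (2320, 3016, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 3016 -s 1528"),
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# schtasks switches that take no value; everything else is treated as "/switch value".
SCHTASKS_FLAGS = {"create", "delete", "query", "change", "run", "end", "f", "z", "np", "it", "v"}
# Assumed prefixes (lower-case) a legitimate logon task would not point into.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WINDOWS_DIR = "c:\\windows\\"
SELF_DELETING_BAT = re.compile(r'/c\s+"?(?P<bat>[^"&]+?\.bat)"?\s*&\s*del\s+"?(?P=bat)"?', re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans together, quotes stripped."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return schtasks.exe switches as a dict ({'create': True, 'sc': 'ONLOGON', ...}) or None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].lower()
    if not (exe.endswith("schtasks.exe") or exe == "schtasks"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        if not toks[i].startswith("/"):
            i += 1
            continue
        key = toks[i][1:].lower()
        if key in SCHTASKS_FLAGS or i + 1 >= len(toks) or toks[i + 1].startswith("/"):
            opts[key], i = True, i + 1
        else:
            opts[key], i = toks[i + 1], i + 2
    return opts


def check_schtasks_persistence(p):
    """Flag task creation that combines a boot/logon/periodic trigger, HIGHEST run level, or a user-writable action."""
    opts = parse_schtasks(p.cmdline)
    if not opts or "create" not in opts:
        return None
    reasons = []
    if str(opts.get("sc", "")).upper() in {"ONLOGON", "ONSTART", "MINUTE"}:
        reasons.append(f"trigger /sc {opts['sc'].upper()}")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("run level HIGHEST")
    if str(opts.get("tr", "")).lower().startswith(USER_WRITABLE):
        reasons.append(f"action in user-writable path {opts['tr']}")
    if len(reasons) < 2:  # one indicator alone is common in legitimate software installs
        return None
    return f"pid {p.pid}: schtasks persistence, task {opts.get('tn', '?')!r} ({'; '.join(reasons)})"


def check_batch_watchdog(p, children):
    """Flag cmd.exe running a batch that deletes itself, polling a PID with tasklist and then starting a non-system EXE."""
    if not p.image.lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETING_BAT.search(p.cmdline)
    if not m:
        return None
    polled, launched = None, []
    for c in children:
        img = c.image.lower()
        if img.endswith("\\tasklist.exe"):
            pm = re.search(r"pid\s+eq\s+(\d+)", c.cmdline, re.IGNORECASE)
            polled = int(pm.group(1)) if pm else polled
        elif not img.startswith(WINDOWS_DIR):
            launched.append(c.image)
    if polled is None:
        return None
    who = "its own parent" if polled == p.ppid else f"pid {polled}"
    tail = f", then launches {', '.join(launched)}" if launched else ""
    return f"pid {p.pid}: self-deleting batch {m.group('bat')} polls {who} with tasklist{tail}"


def analyse(events):
    """Run both checks over a list of (pid, ppid, image, cmdline) tuples and return the findings."""
    procs = {e[0]: Proc(*e) for e in events}
    children = defaultdict(list)
    for p in procs.values():
        children[p.ppid].append(p)
    findings = []
    for p in procs.values():
        for f in (check_schtasks_persistence(p), check_batch_watchdog(p, children[p.pid])):
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this reports the two schtasks registrations (PIDs 2692 and 2436) and the cmd.exe watchdog (PID 2644) that polls its own parent, TelegramRAT.exe, before starting C:\Users\CyberEye\rat.exe. Note also the WerFault.exe -p 3016 child: rat.exe crashed during this run, which is consistent with the empty Network section; the C2 URL comes from the static config extractor, not from observed traffic.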
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
143KB
MD5 74f22ec8451a5d788ee312e2b637519c
SHA1 a7bd09f6f3d7f9b3ec33b5d4c2787223459d1fc0
SHA256 48614dc3fd49968db9c35b840a6609f397f2f1813daa7c56b659036edf82f2e2
SHA512 5b356e4811c58bcede2c3a5a0614e40049ef2a68c63c76fa78f612441d1ca9e1200f7a0544ffbca66ab4e0668fd0ec196bf0cdbff60ff7097c5f476b1675492b
-
Filesize
188B
MD5 b3a15bc872565551120ae56caf11e5af
SHA1 35146d564e110100f9723d12556cae0f9500b56f
SHA256 ee03b9b978da32de4680bade01df986c89323cf2d5da2bd7e6707c068690ecf3
SHA512 68806ce96c447ecbcd8268135137ce47d38e49a7e1bc9e77e31ecafbeb59e2d8e19ddbc0b41440e4ddb9fd022a15e206de35c4dcc19894c007883e8ef7761a0d