Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-03-2024 01:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    147KB

  • MD5

    27d11d6ddc6f80eed3b4fbd411b82014

  • SHA1

    2c5f9eb7c3f8bf0b9cb9f05bc192ab37cb9384d8

  • SHA256

    d56b2acb792a0e9e636c40190064525352293bbabd04d31a89978c0c167f50aa

  • SHA512

    e4cda09a174769cfbb665c51410bbe9d40a0896148ad600bfd78195f90d793e96b0a2d149c709491af60381533c3c91b816f04875433849e22e1eda4d9484eff

  • SSDEEP

    3072:lVHeqbQCpPCJc2L/BDLzEPzKcOP9aWvqXp087OsWVOQ28EwDx30kAmQiL:lVH3u7xsPzKhP9NSXJ7OLwV8EwVXQ

Score
10/10
toxiceyerattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Signatures

  • Contains code to disable Windows Defender 5 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
      "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2692
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\system32\tasklist.exe
          Tasklist /fi "PID eq 2104"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2416
        • C:\Windows\system32\find.exe
          find ":"
          4⤵
            PID:1748
          • C:\Windows\system32\timeout.exe
            Timeout /T 1 /Nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:2584
          • C:\Users\CyberEye\rat.exe
            "rat.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1992
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
              5⤵
              • Creates scheduled task(s)
              PID:1164
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 1992 -s 1592
              5⤵
                PID:880

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.bat
        Filesize

        188B

        MD5

        c73eb55130cbf021c00c423fbc08620b

        SHA1

        dde61d6dcfda595d10beef7a58064341f5fbcfe4

        SHA256

        60fae2b41ec9a224ccc61267484f8c6c830b87146e9697dd38ae784350d435c5

        SHA512

        18b26e2e6513830a60e13d5a1f2ff91578577ad1c2b2a3c0a0217339bc836e4d6d42976ecd694587f4216afdde51f051b6683e6863e5e5330e29edd5fd632788

        Download Submit

      • C:\Users\CyberEye\rat.exe
        Filesize

        128KB

        MD5

        1999cdeae33e22f513edc20e9d250501

        SHA1

        a8be2acc32cdae5d35d1de65ec207971ce881817

        SHA256

        7e54a1a5f837cbcb4ade60a74eebddace4a151262ae56b0b8d0c31c031f20e83

        SHA512

        835c95de0742e88f0e18f8655cdcfc48c080b4e9f6df2580fc6f3c86b596548974d76ee9885170fb4555fa1980bffa5307ea0de77754af67a330f39519c192b1

        Download Submit

      • C:\Users\CyberEye\rat.exe
        Filesize

        1KB

        MD5

        e2f9376ef143f665bda82ee1dea8a1da

        SHA1

        df6570ae9d2dcf0a46ea516fd7d6097fcfaeffd8

        SHA256

        6a192b299cceb8bbc02458de41a876383747d4fe28aef5f3235bd68a2cb44a29

        SHA512

        2ac89224a32a77dc5bc71b253b9c564882c41246007ec2e33664fabb0a46116166725487d377593d577a27eece558bcabd366b15c9a76cd4453fc2ddb8047afe

        Download Submit

      • \Users\Admin\AppData\Local\Temp\TelegramRAT.exe
        Filesize

        143KB

        MD5

        74f22ec8451a5d788ee312e2b637519c

        SHA1

        a7bd09f6f3d7f9b3ec33b5d4c2787223459d1fc0

        SHA256

        48614dc3fd49968db9c35b840a6609f397f2f1813daa7c56b659036edf82f2e2

        SHA512

        5b356e4811c58bcede2c3a5a0614e40049ef2a68c63c76fa78f612441d1ca9e1200f7a0544ffbca66ab4e0668fd0ec196bf0cdbff60ff7097c5f476b1675492b

        Download Submit

      • memory/1992-17-0x000007FEF4CA0000-0x000007FEF568C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1992-16-0x0000000000360000-0x000000000038A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1992-18-0x000000001B0D0000-0x000000001B150000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1992-19-0x000007FEF4CA0000-0x000007FEF568C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1992-20-0x000000001B0D0000-0x000000001B150000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2104-11-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2104-8-0x000000001AD00000-0x000000001AD80000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2104-7-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2104-6-0x00000000003E0000-0x000000000040A000-memory.dmp

        Filesize

        168KB

        Download