Overview
overview
10Static
static
10Defender_Settings.vbs
windows10-1703-x64
3Defender_Settings.vbs
windows10-2004-x64
1Defender_Settings.vbs
windows11-21h2-x64
1VantaFN.exe
windows10-1703-x64
10VantaFN.exe
windows10-2004-x64
10VantaFN.exe
windows11-21h2-x64
10dControl.exe
windows10-1703-x64
7dControl.exe
windows10-2004-x64
7dControl.exe
windows11-21h2-x64
7out.exe
windows10-1703-x64
out.exe
windows10-2004-x64
out.exe
windows11-21h2-x64
3Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
07-04-2024 17:57
Behavioral task
behavioral1
Sample
Defender_Settings.vbs
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Defender_Settings.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Defender_Settings.vbs
Resource
win11-20240319-en
Behavioral task
behavioral4
Sample
VantaFN.exe
Resource
win10-20240404-en
Behavioral task
behavioral5
Sample
VantaFN.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral6
Sample
VantaFN.exe
Resource
win11-20240221-en
Behavioral task
behavioral7
Sample
dControl.exe
Resource
win10-20240404-en
Behavioral task
behavioral8
Sample
dControl.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
dControl.exe
Resource
win11-20240221-en
Behavioral task
behavioral10
Sample
out.exe
Resource
win10-20240319-en
Behavioral task
behavioral11
Sample
out.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral12
Sample
out.exe
Resource
win11-20240221-en
General
-
Target
VantaFN.exe
-
Size
3.8MB
-
MD5
84699018b1132b73d8063290faa07789
-
SHA1
7d1eec5ae60f0a0383f723f1e001dfc6c2c76aac
-
SHA256
d35c91227f48c494930749f5486054244686328ad8e02960a6b0b10226bc174c
-
SHA512
d7d29eaeacb5d4289aa0a3bbdf071f2e875bf307e326829432cfbbcff1b19e3eaccfc81ec5ebcbf2beab7dee8aff05ad8c086ac0e61a0837339f4febabef5ade
-
SSDEEP
1536:ftTXAtyLaVfblJpAGUbVh9CU5uodpqKmY7:fWyaVPaGUbVjzGz
Malware Config
Extracted
asyncrat
Default
Δ2cΕmVO比L西IVurs诶Eש8
-
delay
1
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/z5PQ82wE
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral4/files/0x000900000001ab42-12.dat family_asyncrat -
Executes dropped EXE 1 IoCs
pid Process 1840 svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 3 0.tcp.eu.ngrok.io 20 0.tcp.eu.ngrok.io 39 0.tcp.eu.ngrok.io 1 pastebin.com 2 pastebin.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 828 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2584 timeout.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 3152 VantaFN.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe 1840 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3152 VantaFN.exe Token: SeDebugPrivilege 1840 svchost.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 3152 wrote to memory of 648 3152 VantaFN.exe 74 PID 3152 wrote to memory of 648 3152 VantaFN.exe 74 PID 3152 wrote to memory of 4992 3152 VantaFN.exe 76 PID 3152 wrote to memory of 4992 3152 VantaFN.exe 76 PID 4992 wrote to memory of 2584 4992 cmd.exe 78 PID 4992 wrote to memory of 2584 4992 cmd.exe 78 PID 648 wrote to memory of 828 648 cmd.exe 79 PID 648 wrote to memory of 828 648 cmd.exe 79 PID 4992 wrote to memory of 1840 4992 cmd.exe 80 PID 4992 wrote to memory of 1840 4992 cmd.exe 80 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VantaFN.exe"C:\Users\Admin\AppData\Local\Temp\VantaFN.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
PID:828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DEF.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:2584
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151B
MD558316bab4221296491da4c475300158a
SHA1e6d939574c4729346a4f46911bc928723f8b659f
SHA2565541aec8ad76ab74ed2f30c8ae203b5abcb018908c1678223faf315992934d96
SHA5128ad5a981f7207270101c6880ddd351a18d26c7e7078226fe5a095dcecb89d16e5f7e533a68fee00a2030089a2bbd15b1dbe77a99ec1c7b3743780073b246835f
-
Filesize
3.8MB
MD584699018b1132b73d8063290faa07789
SHA17d1eec5ae60f0a0383f723f1e001dfc6c2c76aac
SHA256d35c91227f48c494930749f5486054244686328ad8e02960a6b0b10226bc174c
SHA512d7d29eaeacb5d4289aa0a3bbdf071f2e875bf307e326829432cfbbcff1b19e3eaccfc81ec5ebcbf2beab7dee8aff05ad8c086ac0e61a0837339f4febabef5ade