Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 01:18
General
Target: cozios Image Logger.exe
Size: 74KB
MD5: 9a6f6caca9dd58075c1b428acd8a5f16
SHA1: 20b4dcf9b06efad871116eb14d271bf8344e5907
SHA256: 9c633404d41a3c07f7ea28683ba909ff5dd64f06e6680d0c143c6fdc66ef33a2
SHA512: ead8ac3ffb6940532e265b273e4f0d0ec8c2187eb60f9da1226f2c94d7129c1d6aff69125f454f62162a4d411e1d33a5f2e17f171e57109ceaf09cec7069a4b7
SSDEEP: 1536:NUugcxaJ5CTWPMVmlm2IsH1bY/RQzceLVclN:NU/cxaDAWPMVmlxH1bY5Q3BY
Malware Config
Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: Default
C2: 127.0.0.1:4449, 127.0.0.144:4449, 87.100.214.103:4449
Mutex: podqoeugtxfrsvjfnm
delay: 1
install: true
install_file: image logger.exe
install_folder: %AppData%
Signatures

Async RAT payload (1 IoCs)
resource | yara_rule
behavioral1/files/0x00070000000233e5-12.dat | family_asyncrat

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation | cozios Image Logger.exe

Executes dropped EXE (1 IoCs)
pid | Process
500 | image logger.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2436 | schtasks.exe

Delays execution with timeout.exe (1 IoCs)
pid | Process
5036 | timeout.exe

Suspicious behavior: EnumeratesProcesses (34 IoCs)
pid | Process
3912 | cozios Image Logger.exe (repeated entries)
500 | image logger.exe (repeated entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3912 | cozios Image Logger.exe
Token: SeDebugPrivilege | 500 | image logger.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
500 | image logger.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 3912 wrote to memory of 2872 | 3912 | cozios Image Logger.exe | 86
PID 3912 wrote to memory of 2872 | 3912 | cozios Image Logger.exe | 86
PID 3912 wrote to memory of 5048 | 3912 | cozios Image Logger.exe | 87
PID 3912 wrote to memory of 5048 | 3912 | cozios Image Logger.exe | 87
PID 2872 wrote to memory of 2436 | 2872 | cmd.exe | 90
PID 2872 wrote to memory of 2436 | 2872 | cmd.exe | 90
PID 5048 wrote to memory of 5036 | 5048 | cmd.exe | 91
PID 5048 wrote to memory of 5036 | 5048 | cmd.exe | 91
PID 5048 wrote to memory of 500 | 5048 | cmd.exe | 94
PID 5048 wrote to memory of 500 | 5048 | cmd.exe | 94

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\cozios Image Logger.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cozios Image Logger.exe"
  PID: 3912
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "image logger" /tr '"C:\Users\Admin\AppData\Roaming\image logger.exe"' & exit
    PID: 2872
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "image logger" /tr '"C:\Users\Admin\AppData\Roaming\image logger.exe"'
      PID: 2436
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp62E0.tmp.bat""
    PID: 5048
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 5036
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\image logger.exe
      Command line: "C:\Users\Admin\AppData\Roaming\image logger.exe"
      PID: 500
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 156B
MD5: 8ca642c8c66689e178b8f60f31cb6c3b
SHA1: c893914f1d4e43ec174f3d1e921ee1d1158b1e7c
SHA256: 880d71437c8761ebf0af5d4289ce458a682b47365dbe1ae119fa0a022beae111
SHA512: 41c59ba6884dac1a656c54f02ef4c7b5783a644875088d0b8b4c61bdee1400e05bf36464728fbcb1f573aff1c0702d2d56c0676e0045012f34240ab7b350dc48

Filesize: 8B
MD5: cf759e4c5f14fe3eec41b87ed756cea8
SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Filesize: 74KB
MD5: 9a6f6caca9dd58075c1b428acd8a5f16
SHA1: 20b4dcf9b06efad871116eb14d271bf8344e5907
SHA256: 9c633404d41a3c07f7ea28683ba909ff5dd64f06e6680d0c143c6fdc66ef33a2
SHA512: ead8ac3ffb6940532e265b273e4f0d0ec8c2187eb60f9da1226f2c94d7129c1d6aff69125f454f62162a4d411e1d33a5f2e17f171e57109ceaf09cec7069a4b7