Analysis
-
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 03-05-2024 02:27
Behavioral task behavioral1: sample ILIKEMEN.exe, resource win7-20240220-en
Behavioral task behavioral2: sample ILIKEMEN.exe, resource win10v2004-20240426-en
General
Target: ILIKEMEN.exe
Size: 74KB
MD5: 794f06f69365a10f17c4ecae5d782749
SHA1: 179ab7369cf041ecddda5fc696b859db139d79df
SHA256: 183c4a07c3859758dc971abf3351f0811698fcee4f846822d807fde8bd70021e
SHA512: 71bc81b17db3084000be4f34e25070120b497dd778136b5234026411b3ff4ca156e9ab89881f1320fb9f27991de842098ac3bbaeb2c4531886f621e0c07b18f4
SSDEEP: 1536:eUiccx0dxCKg6PMVZ5S5KmiLHIy31bu/n16UOTQzcaLVclN:eUzcx0f9g6PMVZAAv31buxkQLBY
Malware Config
Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: Default
C2:
  127.0.0.1:4449
  127.0.0.1:38630
  147.185.221.19:4449
  147.185.221.19:38630
Mutex (assumed; the field is unlabeled in the extracted config): kwdwpnspxuuttrk
Attributes:
  delay: 1
  install: true
  install_file: sup nigga.exe
  install_folder: %AppData%

The two 127.0.0.1 entries are loopback and cannot reach an operator; 147.185.221.19 on ports 4449 and 38630 is the only routable C2 in this config. The install settings match what the run shows under Processes: the sample copies itself to %AppData%\sup nigga.exe and registers a logon task named "sup nigga" for it.
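Added example, not code from the sandbox or from the malware: a small Python triage of the config above. It separates the C2 list into routable and non-routable endpoints (so loopback filler does not end up on a blocklist) and expands the install settings into the path a responder should hunt for. The %AppData% expansion to the sandbox user "Admin" and the "mutex" label are assumptions.

```python
"""Triage of the extracted AsyncRAT / Venom RAT config from this report.

Added example; not code from the sandbox or from the malware. It sorts the
C2 list into routable and non-routable endpoints and turns the install
settings into the on-disk path to hunt for.
"""
import ipaddress
import ntpath  # Windows path joins that also work when run on Linux

# Values copied from the extracted config above. The "mutex" key is an
# assumption: the page shows the string but does not label the field.
EXTRACTED_CONFIG = {
    "family": "asyncrat",
    "version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3",
    "botnet": "Default",
    "c2": ["127.0.0.1:4449", "127.0.0.1:38630",
           "147.185.221.19:4449", "147.185.221.19:38630"],
    "mutex": "kwdwpnspxuuttrk",
    "delay": 1,
    "install": True,
    "install_file": "sup nigga.exe",
    "install_folder": "%AppData%",
}

# Assumed expansion for the sandbox user "Admin"; substitute the victim profile.
ENV = {"%AppData%": r"C:\Users\Admin\AppData\Roaming"}


def split_c2(entries):
    """Return (routable, non_routable) lists of (host, port) tuples.

    Loopback, private and link-local addresses can never reach an operator
    across the Internet; AsyncRAT builders commonly leave such filler in the
    config, so they should not become blocklist entries. Hostnames that are
    not IP literals are kept as routable, since they need DNS to judge.
    """
    routable, non_routable = [], []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        target = (host, int(port))
        try:
            is_global = ipaddress.ip_address(host).is_global
        except ValueError:  # a domain name rather than an IP literal
            is_global = True
        (routable if is_global else non_routable).append(target)
    return routable, non_routable


def expected_install_path(cfg, env=ENV):
    """Expand install_folder and join install_file the way the RAT does."""
    if not cfg.get("install"):
        return None
    folder = cfg["install_folder"]
    for var, value in env.items():
        folder = folder.replace(var, value)
    return ntpath.join(folder, cfg["install_file"])


def triage(cfg, env=ENV):
    """Collapse the config into the handful of indicators a responder acts on."""
    routable, non_routable = split_c2(cfg["c2"])
    return {
        "block_hosts": sorted({host for host, _ in routable}),
        "block_ports": sorted({port for _, port in routable}),
        "ignored_c2": non_routable,
        "install_path": expected_install_path(cfg, env),
        "mutex": cfg.get("mutex"),
    }


if __name__ == "__main__":
    for key, value in triage(EXTRACTED_CONFIG).items():
        print(f"{key}: {value}")
```

Running it yields one host to block (147.185.221.19 on 4449 and 38630), the two loopback entries as ignored, and C:\Users\Admin\AppData\Roaming\sup nigga.exe as the path to hunt for.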
Signatures
-
Async RAT payload 1 IoCs
Processes:
  resource: C:\Users\Admin\AppData\Roaming\sup nigga.exe
  yara_rule: family_asyncrat
-
Executes dropped EXE 1 IoCs
Processes:
  pid 2580  process sup nigga.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
  pid 2560  process timeout.exe
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
  pid 2268  process ILIKEMEN.exe  (2 entries)
  pid 2580  process sup nigga.exe  (34 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description: Token: SeDebugPrivilege  pid 2268  process ILIKEMEN.exe
  description: Token: SeDebugPrivilege  pid 2580  process sup nigga.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid 2580  process sup nigga.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
  PID 2268 (ILIKEMEN.exe) wrote to memory of 3068 (cmd.exe)  (3 entries)
  PID 2268 (ILIKEMEN.exe) wrote to memory of 2524 (cmd.exe)  (3 entries)
  PID 2524 (cmd.exe) wrote to memory of 2560 (timeout.exe)  (3 entries)
  PID 3068 (cmd.exe) wrote to memory of 2640 (schtasks.exe)  (3 entries)
  PID 2524 (cmd.exe) wrote to memory of 2580 (sup nigga.exe)  (3 entries)
Every write here is from a parent into a child it has just created, which is what process creation looks like from the WriteProcessMemory hook; none of the targets is a pre-existing foreign process, so this signature is not evidence of injection on its own.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ILIKEMEN.exe  (level 1, pid 2268)
  command line: "C:\Users\Admin\AppData\Local\Temp\ILIKEMEN.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe  (level 2, pid 3068)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sup nigga" /tr '"C:\Users\Admin\AppData\Roaming\sup nigga.exe"' & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe  (level 3, pid 2640)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "sup nigga" /tr '"C:\Users\Admin\AppData\Roaming\sup nigga.exe"'
      - Creates scheduled task(s)
  C:\Windows\system32\cmd.exe  (level 2, pid 2524)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1D7F.tmp.bat""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe  (level 3, pid 2560)
      command line: timeout 3
      - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\sup nigga.exe  (level 3, pid 2580)
      command line: "C:\Users\Admin\AppData\Roaming\sup nigga.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
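The tree above is the stock AsyncRAT install routine: the stager registers a logon task with highest run level pointing at its copy under Roaming, then writes a batch file to Temp that sleeps with timeout and starts that copy. As an added example (not code from the sandbox or the malware), the Python below runs three detections over constructed process-creation events whose command lines are copied from this report, plus one benign control event. The event schema (pid, ppid, image, cmdline) is an assumed Sysmon-like layout, and the stager's parent pid is made up because the report does not show it.

```python
"""Detections for the install/persistence chain shown in the process tree.

Added example, not code from the sandbox or the malware. Three checks run
over constructed process-creation events (an assumed Sysmon-like schema).
"""
import re

STAGER = r"C:\Users\Admin\AppData\Local\Temp\ILIKEMEN.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\sup nigga.exe"
BATCH = r"C:\Users\Admin\AppData\Local\Temp\tmp1D7F.tmp.bat"
SCHTASKS_CMD = ('schtasks /create /f /sc onlogon /rl highest /tn "sup nigga" '
                f"/tr '\"{DROPPED}\"'")

# Constructed events; command lines are copied from the report's process tree.
# ppid 1 for the stager is an assumption (the report does not show its parent).
EVENTS = [
    {"pid": 2268, "ppid": 1, "image": STAGER, "cmdline": f'"{STAGER}"'},
    {"pid": 3068, "ppid": 2268, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c {SCHTASKS_CMD} & exit'},
    {"pid": 2640, "ppid": 3068, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": SCHTASKS_CMD},
    {"pid": 2524, "ppid": 2268, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": f'cmd /c ""{BATCH}""'},
    {"pid": 2560, "ppid": 2524, "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": "timeout 3"},
    {"pid": 2580, "ppid": 2524, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    # Benign control: a daily task for a binary under Program Files.
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"'},
]

# Any path under a user profile's AppData is writable without admin rights.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def schtasks_persistence(ev):
    """schtasks /create with a logon trigger, highest run level and an action
    that lives under a user-writable AppData path."""
    if not ev["image"].lower().endswith("schtasks.exe"):
        return False
    cl = ev["cmdline"]
    if not re.search(r"/create\b", cl, re.I):
        return False
    onlogon = re.search(r"/sc\s+onlogon\b", cl, re.I)
    highest = re.search(r"/rl\s+highest\b", cl, re.I)
    action = re.search(r"/tr\s+(.+)", cl, re.I)
    return bool(onlogon and highest and action and USER_WRITABLE.search(action.group(1)))


def temp_batch_launcher(ev):
    """cmd.exe executing a *.tmp.bat dropped in the user's Temp directory."""
    if not ev["image"].lower().endswith("cmd.exe"):
        return False
    return re.search(r'\\AppData\\Local\\Temp\\[^"]*\.tmp\.bat', ev["cmdline"], re.I) is not None


def delayed_dropped_exe(events):
    """A cmd.exe whose children include timeout.exe and an EXE under AppData:
    the sleep-then-run pattern of the AsyncRAT install batch file."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev["ppid"], []).append(ev)
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("cmd.exe"):
            continue
        children = by_parent.get(ev["pid"], [])
        ran_timeout = any(c["image"].lower().endswith("timeout.exe") for c in children)
        dropped = [c["image"] for c in children
                   if c["image"].lower().endswith(".exe") and USER_WRITABLE.search(c["image"])]
        if ran_timeout and dropped:
            hits.append((ev["pid"], dropped[0]))
    return hits


def run_detections(events):
    """Return (rule, pid) pairs in event order, then the parent/child rule."""
    alerts = []
    for ev in events:
        if schtasks_persistence(ev):
            alerts.append(("schtasks_persistence", ev["pid"]))
        if temp_batch_launcher(ev):
            alerts.append(("temp_batch_launcher", ev["pid"]))
    for pid, _image in delayed_dropped_exe(events):
        alerts.append(("delayed_dropped_exe", pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in run_detections(EVENTS):
        print(f"{rule}: pid {pid}")
```

On these events the three rules fire on pids 2640 (the task registration), 2524 (the batch launcher) and again 2524 (timeout followed by the Roaming copy), and stay quiet on the benign daily task. The parent/child rule needs the whole event batch because the individual timeout.exe and sup nigga.exe launches look ordinary on their own.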
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\TarA5F7.tmp
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\tmp1D7F.tmp.bat
  Filesize: 153B
  MD5: 34e0c27ff99a70d890fa468ec99804f3
  SHA1: aff12b541e1e34e9063e00e9b4f8df35fb0acb98
  SHA256: 952cda85450962a067c3d746f1799edb6710411ece6a24d702eef073e65cec2e
  SHA512: 1fec55a9cb402b47ab73e443c15b917ea5e9dbed3e7aa83bb35be0eff6e6d239a044f6b9c09dc403d5a5b61c9d2e2f699fe9a4b61c96a239626ed6d0043b42d4
-
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
  Filesize: 8B
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
C:\Users\Admin\AppData\Roaming\sup nigga.exe
  Filesize: 74KB
  MD5: 794f06f69365a10f17c4ecae5d782749
  SHA1: 179ab7369cf041ecddda5fc696b859db139d79df
  SHA256: 183c4a07c3859758dc971abf3351f0811698fcee4f846822d807fde8bd70021e
  SHA512: 71bc81b17db3084000be4f34e25070120b497dd778136b5234026411b3ff4ca156e9ab89881f1320fb9f27991de842098ac3bbaeb2c4531886f621e0c07b18f4
-
The dropped sup nigga.exe has exactly the hashes of the submitted sample (see General): the RAT installs by copying itself, so the sample's hashes are also the hunting indicators for the persisted copy. The CryptnetUrlCache entry and TarA5F7.tmp are Windows CryptoAPI cache files that appear in many sandbox runs and are not attributable to the sample from this report alone. tmp1D7F.tmp.bat is the 153-byte batch file run by cmd.exe (pid 2524) under Processes.
-
memory/2268-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp
  Filesize: 4KB
-
memory/2268-1-0x0000000000090000-0x00000000000A8000-memory.dmp
  Filesize: 96KB
-
memory/2268-3-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
  Filesize: 9.9MB
-
memory/2268-13-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
  Filesize: 9.9MB
-
memory/2268-14-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
  Filesize: 9.9MB
-
memory/2580-18-0x0000000000D60000-0x0000000000D78000-memory.dmp
  Filesize: 96KB