toxiceye | d50d11636b59a11c81577342de7c72f694c99540311c2c3ffa53126e8cc394f1

Resubmissions

18-05-2024 02:27

240518-cxlypsga48 10

18-05-2024 02:14

240518-cnzhfafe64 10

Analysis

max time kernel
152s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
18-05-2024 02:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XcHvYYrNa.exe
Size

111KB
MD5

98e558eaea97f0b282b42fa6d49070b6
SHA1

2e48bb1b50177fe17392ac9407ba9f7e45685a3a
SHA256

d50d11636b59a11c81577342de7c72f694c99540311c2c3ffa53126e8cc394f1
SHA512

01dcd7a191ef331fe7626f760064e4368cd06c7a30374b74074d6dddf35683b443fb8c0677d1a7bfa88eac81f482dadf6788f343d9958fc9818be749ac7e9882
SSDEEP

1536:v+bDH/4gqLM91qQIwBI5xxxxdyyKDWfebhDqI68QWfzCrAZuYPwDr:Wb7/4jLSIFxxj8bxqH8QWfzCrAZuYUr

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot6444357834:AAGtL3te5_xl4dvacn8BJElHrky5SlLcE_4/sendMessage?chat_id=5563559839

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Executes dropped EXE 1 IoCs

pid	Process
3636	IShadowRTX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3064	schtasks.exe
1136	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1764	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3372	tasklist.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3636	IShadowRTX.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe
3636	IShadowRTX.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	XcHvYYrNa.exe
Token: SeDebugPrivilege	3372	tasklist.exe
Token: SeDebugPrivilege	3636	IShadowRTX.exe
Token: SeDebugPrivilege	3636	IShadowRTX.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3636	IShadowRTX.exe
2044	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 1136	2684	XcHvYYrNa.exe	79
PID 2684 wrote to memory of 1136	2684	XcHvYYrNa.exe	79
PID 2684 wrote to memory of 3184	2684	XcHvYYrNa.exe	81
PID 2684 wrote to memory of 3184	2684	XcHvYYrNa.exe	81
PID 3184 wrote to memory of 3372	3184	cmd.exe	83
PID 3184 wrote to memory of 3372	3184	cmd.exe	83
PID 3184 wrote to memory of 3592	3184	cmd.exe	84
PID 3184 wrote to memory of 3592	3184	cmd.exe	84
PID 3184 wrote to memory of 1764	3184	cmd.exe	85
PID 3184 wrote to memory of 1764	3184	cmd.exe	85
PID 3184 wrote to memory of 3636	3184	cmd.exe	86
PID 3184 wrote to memory of 3636	3184	cmd.exe	86
PID 3636 wrote to memory of 3064	3636	IShadowRTX.exe	88
PID 3636 wrote to memory of 3064	3636	IShadowRTX.exe	88
PID 3636 wrote to memory of 5116	3636	IShadowRTX.exe	103
PID 3636 wrote to memory of 5116	3636	IShadowRTX.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XcHvYYrNa.exe
"C:\Users\Admin\AppData\Local\Temp\XcHvYYrNa.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\NVIDIA\IShadowRTX.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8A2F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8A2F.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2684"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3592
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1764
- - C:\Users\NVIDIA\IShadowRTX.exe
    "IShadowRTX.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\NVIDIA\IShadowRTX.exe"
      4⤵
      Creates scheduled task(s)
      PID:3064
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:5116
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:4792
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3068
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:3064
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:1132
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:2448
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:1408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:1832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:3924
  - - C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      4⤵
      PID:4044
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:2216
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1720

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a71ab244d565671f741686cb2c5ed11b

SHA1
b6e766a85f1f878d512f752df2dd4873971755e2

SHA256
06a5716962f3b50a8aa3acd30e33d6c75664465c3d795196ad6dce5e33a80faa

SHA512
0826c8e52b0f5dbcbda745f06390fd59ce9eee8e0e845cdb007f4a97b19065f2544ca63226b34d361adf9e1cf26644672abfe5dcfd75651cd2aeb1ae27f16f84

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
44408d8bcd8c4ffe97a60ddf16281885

SHA1
ab8773e27c92a24e12969dd4dc6bb8422f15d589

SHA256
a6047cddc1126bc128da907db3550e725647640752e6a5c71ce9445735a9e83a

SHA512
ff4e382bd3d00515f57bb735c6ffce35afd9f63a8def25ba18f722e618ac9f107e31e0ab44ff7758394e9ca7f52bc67b0ba70710c4dfd6afdb470a34093a35c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A2F.tmp.bat

Filesize
191B

MD5
e9063cf21bd80d619371970e9a3fbd81

SHA1
9c24741d08a756f90e1f3f29e11a36e740904fce

SHA256
7aaf41e021b5c9da9b3c5bf4b9ceb98f9683563031a51a54b7dbc30073c9e1f0

SHA512
0c68f143bd3ab737d5ef944cca600dd1e7bc7ca332d11922c8f67091aa42c2cf2fe2091974fee59566a785107707c3e4a7d6e81c856a3e7558adfa00a28e2176

Download Submit
C:\Users\NVIDIA\IShadowRTX.exe

Filesize
111KB

MD5
98e558eaea97f0b282b42fa6d49070b6

SHA1
2e48bb1b50177fe17392ac9407ba9f7e45685a3a

SHA256
d50d11636b59a11c81577342de7c72f694c99540311c2c3ffa53126e8cc394f1

SHA512
01dcd7a191ef331fe7626f760064e4368cd06c7a30374b74074d6dddf35683b443fb8c0677d1a7bfa88eac81f482dadf6788f343d9958fc9818be749ac7e9882

Download Submit
memory/2684-0-0x00007FFAF8B53000-0x00007FFAF8B55000-memory.dmp

Filesize
8KB

Download
memory/2684-1-0x000001416F310000-0x000001416F332000-memory.dmp

Filesize
136KB

Download
memory/2684-2-0x00007FFAF8B50000-0x00007FFAF9612000-memory.dmp

Filesize
10.8MB

Download
memory/2684-6-0x00007FFAF8B50000-0x00007FFAF9612000-memory.dmp

Filesize
10.8MB

Download
memory/3636-31-0x000002986EAF0000-0x000002986EB9A000-memory.dmp

Filesize
680KB

Download
memory/3636-32-0x000002986EC20000-0x000002986EC96000-memory.dmp

Filesize
472KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads