Overview

overview

10

Static

static

10

XcHvYYrNa.exe

windows11-21h2-x64

Resubmissions

18-05-2024 02:27

240518-cxlypsga48 10

18-05-2024 02:14

240518-cnzhfafe64 10

Analysis

  • max time kernel
    184s
  • max time network
    187s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-05-2024 02:27

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    XcHvYYrNa.exe

  • Size

    111KB

  • MD5

    98e558eaea97f0b282b42fa6d49070b6

  • SHA1

    2e48bb1b50177fe17392ac9407ba9f7e45685a3a

  • SHA256

    d50d11636b59a11c81577342de7c72f694c99540311c2c3ffa53126e8cc394f1

  • SHA512

    01dcd7a191ef331fe7626f760064e4368cd06c7a30374b74074d6dddf35683b443fb8c0677d1a7bfa88eac81f482dadf6788f343d9958fc9818be749ac7e9882

  • SSDEEP

    1536:v+bDH/4gqLM91qQIwBI5xxxxdyyKDWfebhDqI68QWfzCrAZuYPwDr:Wb7/4jLSIFxxj8bxqH8QWfzCrAZuYUr

Score
10/10
toxiceyerattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot6444357834:AAGtL3te5_xl4dvacn8BJElHrky5SlLcE_4/sendMessage?chat_id=5563559839

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Executes dropped EXE 1 IoCs
  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XcHvYYrNa.exe
    "C:\Users\Admin\AppData\Local\Temp\XcHvYYrNa.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\NVIDIA\IShadowRTX.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1696
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp82AD.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp82AD.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 1140"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2460
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:2620
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:4912
        • C:\Users\NVIDIA\IShadowRTX.exe
          "IShadowRTX.exe"
          3⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:892
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\NVIDIA\IShadowRTX.exe"
            4⤵
            • Creates scheduled task(s)
            PID:2572
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe"
            4⤵
              PID:4032
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
        1⤵
          PID:4236
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004C0
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3236

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp82AD.tmp.bat
          Filesize

          191B

          MD5

          c708b3a48509eb496c6904ec30c2abcd

          SHA1

          4d25a0c6520ecfc20787af339ee69793fa5b5a10

          SHA256

          1ce059a87c1efcc1f258e1d463bb1c4bcb4a4d9f2e3fb8c7dc5ad9633a26aa94

          SHA512

          923443395aa0b5cad84379731572e445344b20a6e5b3cb673365dfb892f9e8a2c2f3a985fd3406292d8d12e7d186adf5557e4efda2f940b0492f89fe69ef09c1

          Download Submit

        • C:\Users\NVIDIA\IShadowRTX.exe
          Filesize

          111KB

          MD5

          98e558eaea97f0b282b42fa6d49070b6

          SHA1

          2e48bb1b50177fe17392ac9407ba9f7e45685a3a

          SHA256

          d50d11636b59a11c81577342de7c72f694c99540311c2c3ffa53126e8cc394f1

          SHA512

          01dcd7a191ef331fe7626f760064e4368cd06c7a30374b74074d6dddf35683b443fb8c0677d1a7bfa88eac81f482dadf6788f343d9958fc9818be749ac7e9882

          Download Submit

        • memory/892-19-0x000001A3DF100000-0x000001A3DF10B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/892-11-0x000001A3DE380000-0x000001A3DE42A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/892-12-0x000001A3DE4B0000-0x000001A3DE526000-memory.dmp

          Filesize

          472KB

          Download

        • memory/892-17-0x000001A3DE710000-0x000001A3DE71D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/892-18-0x000001A3DF0E0000-0x000001A3DF0FE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/892-16-0x000001A3DF090000-0x000001A3DF0D6000-memory.dmp

          Filesize

          280KB

          Download

        • memory/892-58-0x000001A3DE730000-0x000001A3DE89A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1140-6-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1140-2-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1140-1-0x0000023342D60000-0x0000023342D82000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1140-0-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

          Filesize

          8KB

          Download