Overview

overview

10

Static

static

10

Cozios-Ima...er.exe

windows7-x64

10

Cozios-Ima...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1800s
  • max time network
    1181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-05-2024 15:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cozios-Imagelogger-main/cozios ImageLogger.exe

  • Size

    81KB

  • MD5

    23f472ba6e59df467b80af92f43eaf22

  • SHA1

    7dd4433d3f059ea4a13454991f841c756aba3e47

  • SHA256

    498b02baa4dee1f19d4d06e45e5eda8bbf386fcce695f07846ac5374c654e406

  • SHA512

    ecaa60619bc59a546a8100518d5866fc993ae2be340454e6b1ea6a9dc05efa33946198a0e798488659c99c959d937cc63e09ce746d254bcab8a12c233a088468

  • SSDEEP

    1536:DUxwcx/BVuCkmPMVhAz0M4zyAkIQH1by/4XOp4QzcQ633I6VclN:DU+cx/Bw/mPMVhA1BH1byl4Ql633IIY

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

idjtweoowocnoy

Attributes
  • delay

    1

  • install

    true

  • install_file

    Cozios Imagelogger.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/LwwcrLg4

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cozios-Imagelogger-main\cozios ImageLogger.exe
    "C:\Users\Admin\AppData\Local\Temp\Cozios-Imagelogger-main\cozios ImageLogger.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2796
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3400
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
    1⤵
      PID:3364
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe"
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" F:\$RECYCLE.BIN\S-1-5-21-711569230-3659488422-571408806-1000\desktop.ini
        2⤵
        • Enumerates connected drives
        PID:4720
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1804
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\SysWOW64\more.com
          "C:\Windows\system32\more.com"
          2⤵
            PID:3060
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\SysWOW64\more.com
            "C:\Windows\system32\more.com"
            2⤵
              PID:392

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
            Filesize

            53KB

            MD5

            3337d66209faa998d52d781d0ff2d804

            SHA1

            6594b85a70f998f79f43cdf1ca56137997534156

            SHA256

            9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

            SHA512

            8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wv1pzdle.g01.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            5KB

            MD5

            58fdf7488d9acfa2b3494ed6c7056482

            SHA1

            02fa604e05633aab735b1a4e485646533879e065

            SHA256

            ad75f8308c9b9aaf29094ab66d0d087f4ac2e3e18d9a67aa43220e9cf9f96dcb

            SHA512

            8c6bd3bde867544bb0141cd7980ad3ab9709ad5e9466392c807599cad95e646a46dc8dcbb4daad66036bf63f095df11b7fb43394339edc3ee2671a77f347a8b2

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            5KB

            MD5

            359cc4072a6fc2a287a1ee5ac2ec881b

            SHA1

            e17c26a90dbc57fd4632d848b405fc04d65cb4ea

            SHA256

            220764a998fe6a153fdfb7da2812361a571b943f19b57d27fda769db1845b6e0

            SHA512

            bdc90c69630da2a72ebc8fdbb5765a1064a36e99756a5f04add4b7991af6c68d5337c553ab6e506cf1ecdc838c56ffc1f21a523c67db3277c8096229bb04c4b6

            Download Submit

          • memory/2540-36-0x0000000006840000-0x000000000685E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2540-38-0x0000000006E00000-0x0000000006E44000-memory.dmp

            Filesize

            272KB

            Download

          • memory/2540-40-0x0000000008230000-0x00000000088AA000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/2540-41-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2540-39-0x0000000007B30000-0x0000000007BA6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/2540-37-0x0000000006870000-0x00000000068BC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2540-35-0x0000000006390000-0x00000000066E4000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2540-25-0x00000000061E0000-0x0000000006246000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2540-24-0x0000000006100000-0x0000000006166000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2540-23-0x0000000005990000-0x00000000059B2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2540-21-0x0000000005460000-0x0000000005496000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2540-22-0x0000000005AD0000-0x00000000060F8000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2796-0-0x00007FFC7C303000-0x00007FFC7C305000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2796-1-0x0000000000670000-0x000000000068A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2796-3-0x00007FFC7C300000-0x00007FFC7CDC1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2796-4-0x00007FFC7C300000-0x00007FFC7CDC1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3400-15-0x0000029832B80000-0x0000029832B81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3400-14-0x0000029832B80000-0x0000029832B81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3400-11-0x0000029832B80000-0x0000029832B81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3400-6-0x0000029832B80000-0x0000029832B81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3400-16-0x0000029832B80000-0x0000029832B81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3400-17-0x0000029832B80000-0x0000029832B81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3400-7-0x0000029832B80000-0x0000029832B81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3400-5-0x0000029832B80000-0x0000029832B81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3400-13-0x0000029832B80000-0x0000029832B81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3400-12-0x0000029832B80000-0x0000029832B81000-memory.dmp

            Filesize

            4KB

            Download