Overview

overview

10

Static

static

10

Sh1zoRat.exe

windows11-21h2-x64

Resubmissions

18-05-2024 18:22

240518-wz59xahc67 10

18-05-2024 18:18

240518-wxrnqsha89 10

18-05-2024 18:17

240518-ww87dsha59 10

18-05-2024 18:15

240518-wwazlagh94 10

Analysis

  • max time kernel
    71s
  • max time network
    73s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-05-2024 18:15

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Sh1zoRat.exe

  • Size

    119KB

  • MD5

    f548ca220d471a524cb1c7d8ff613721

  • SHA1

    3040c8945b16a58f44dd4f1ae5a7b0faf61b405e

  • SHA256

    5d0be378578617a2264e822d1b4424d71e8fa3e8dad60b30af614b173682880b

  • SHA512

    b1ea254c1ab6c3983cdb906f39403da5b342fed1836b14b4654a0e25dcae274edc517e30ec66fefbeb6f511b89e869a4d785098896bf55eac36108c79494c158

  • SSDEEP

    3072:BKUpvwYGqOcW7gabRq15QWXzCrAZu8Gq:MIWMabAL

Score
10/10
toxiceyerattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot6444357834:AAGtL3te5_xl4dvacn8BJElHrky5SlLcE_4/sendMessage?chat_id=5974265372

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sh1zoRat.exe
    "C:\Users\Admin\AppData\Local\Temp\Sh1zoRat.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3688
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Sh1zo\RTGManager.exe"
      2⤵
      • Creates scheduled task(s)
      PID:3444
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp609E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp609E.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 3688"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4532
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:2504
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:3580
        • C:\Users\Sh1zo\RTGManager.exe
          "RTGManager.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4652
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Sh1zo\RTGManager.exe"
            4⤵
            • Creates scheduled task(s)
            PID:3856
          • C:\Windows\System32\shutdown.exe
            "C:\Windows\System32\shutdown.exe" /s /t 0
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2704
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
      1⤵
        PID:1856
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:5028
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x4 /state0:0xa3a31055 /state1:0x41c64e6d
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:1852

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
        Filesize

        10KB

        MD5

        394f971f95da279c2ebf1a4113ce8426

        SHA1

        74f73a16920c5919ccb7788e3c2429c291da34d3

        SHA256

        5555d03ce11acdeae26b199b7bdf7220be2f8a4668800c29644740857576659f

        SHA512

        1ea93d43096e70a182b4a5011b20b2a0c3558b907039c8ead7c3f89cc360b8ee635789b15398ef42f6a0c74a98d9f070290d5e98f786017e4d6bc3e25a042f33

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp609E.tmp.bat
        Filesize

        189B

        MD5

        32ab8744167b2877a959a83988e7ebfd

        SHA1

        150beda428a8e1133285c86c7e12ebb16085ae6d

        SHA256

        fe27367bf6509a1d9841bcabeb4d90ed613288dcb0787300a4d64089b4d009d7

        SHA512

        c824b9304831e80bb705a8ba8b57662a883046d9f04aa106754fa4cd73dba3b4c8b11aa8861c879628618e95b307039dd76083d396ea86166132cec3e093c4c4

        Download Submit

      • C:\Users\Sh1zo\RTGManager.exe
        Filesize

        119KB

        MD5

        f548ca220d471a524cb1c7d8ff613721

        SHA1

        3040c8945b16a58f44dd4f1ae5a7b0faf61b405e

        SHA256

        5d0be378578617a2264e822d1b4424d71e8fa3e8dad60b30af614b173682880b

        SHA512

        b1ea254c1ab6c3983cdb906f39403da5b342fed1836b14b4654a0e25dcae274edc517e30ec66fefbeb6f511b89e869a4d785098896bf55eac36108c79494c158

        Download Submit

      • memory/3688-0-0x00007FFCF01B3000-0x00007FFCF01B5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3688-1-0x000001EFFE8D0000-0x000001EFFE8F4000-memory.dmp

        Filesize

        144KB

        Download

      • memory/3688-2-0x00007FFCF01B0000-0x00007FFCF0C72000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3688-7-0x00007FFCF01B0000-0x00007FFCF0C72000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4652-13-0x000001D8E7CD0000-0x000001D8E7D7A000-memory.dmp

        Filesize

        680KB

        Download

      • memory/4652-14-0x000001D8E7E00000-0x000001D8E7E76000-memory.dmp

        Filesize

        472KB

        Download