Resubmissions
Analysis
max time kernel: 107s
max time network: 108s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 12:19
Static task: static1

Behavioral task: behavioral1
Sample: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
Resource: win10-20240404-en

Behavioral task: behavioral2
Sample: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
Resource: win7-20240221-en

Behavioral task: behavioral3
Sample: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
Resource: win10v2004-20240508-en

Behavioral task: behavioral4
Sample: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
Resource: win11-20240426-en
General
Target: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
Size: 231KB
MD5: 144f1b1c4b9cdad97d8dd1a3a89e7ea1
SHA1: 1a11d76a6ab646a0d699efa0e5fc71de6e5af92c
SHA256: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944
SHA512: 2697bde82afdef6b3e9079e9add7a9026fffec2a9093932d6c05256fe73df0ef9a2fac4f26de28e2b5d87cc7dd0651dac80baa2a3841148409ab2c3ea32b6882
SSDEEP: 6144:TZ+geAPqybJnO5AbpbO9jhJdrz8U6n4eOP07NyGyG2qYlw5S3U19:T4FvybJNpazzfoyG
Malware Config
Extracted: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: Default
C2: 66.235.168.242:4449
Mutex: scgofjarww
delay: 1
install: true
install_file: Loader.exe
install_folder: %AppData%

Extracted: asyncrat
Botnet: Default
C2: 66.235.168.242:3232
delay: 1
install: true
install_file: Loaader.exe
install_folder: %AppData%
Signatures
Async RAT payload (2 IoCs)
resource                                     yara_rule
behavioral2/files/0x000c0000000146fc-6.dat   family_asyncrat
behavioral2/files/0x0033000000014b18-12.dat  family_asyncrat

Executes dropped EXE (5 IoCs)
pid   Process
2496  Client.exe
2608  Infected.exe
2516  WinDefend.exe
1948  Loader.exe
2308  Loaader.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                                                                Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\YourAppName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefend.exe"  WinDefend.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
5     api64.ipify.org
4     api64.ipify.org

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2716  schtasks.exe
2820  schtasks.exe

Delays execution with timeout.exe (2 IoCs)
pid   Process
816   timeout.exe
1548  timeout.exe

Suspicious behavior: EnumeratesProcesses (27 IoCs)
pid   Process
2608  Infected.exe
2608  Infected.exe
2608  Infected.exe
2496  Client.exe
2496  Client.exe
2496  Client.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe
1948  Loader.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2496  Client.exe
Token: SeDebugPrivilege  2516  WinDefend.exe
Token: SeDebugPrivilege  2608  Infected.exe
Token: SeDebugPrivilege  1948  Loader.exe
Token: SeDebugPrivilege  2308  Loaader.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
1948  Loader.exe

Suspicious use of WriteProcessMemory (40 IoCs)
description                         pid   Process                                                                 procid_target
PID 2340 wrote to memory of 2496    2340  e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe   28
PID 2340 wrote to memory of 2496    2340  e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe   28
PID 2340 wrote to memory of 2496    2340  e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe   28
PID 2340 wrote to memory of 2608    2340  e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe   29
PID 2340 wrote to memory of 2608    2340  e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe   29
PID 2340 wrote to memory of 2608    2340  e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe   29
PID 2340 wrote to memory of 2516    2340  e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe   30
PID 2340 wrote to memory of 2516    2340  e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe   30
PID 2340 wrote to memory of 2516    2340  e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe   30
PID 2340 wrote to memory of 2516    2340  e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe   30
PID 2608 wrote to memory of 2384    2608  Infected.exe                                                            31
PID 2608 wrote to memory of 2384    2608  Infected.exe                                                            31
PID 2608 wrote to memory of 2384    2608  Infected.exe                                                            31
PID 2608 wrote to memory of 1984    2608  Infected.exe                                                            33
PID 2608 wrote to memory of 1984    2608  Infected.exe                                                            33
PID 2608 wrote to memory of 1984    2608  Infected.exe                                                            33
PID 1984 wrote to memory of 816     1984  cmd.exe                                                                 35
PID 1984 wrote to memory of 816     1984  cmd.exe                                                                 35
PID 1984 wrote to memory of 816     1984  cmd.exe                                                                 35
PID 2384 wrote to memory of 2820    2384  cmd.exe                                                                 36
PID 2384 wrote to memory of 2820    2384  cmd.exe                                                                 36
PID 2384 wrote to memory of 2820    2384  cmd.exe                                                                 36
PID 2496 wrote to memory of 1524    2496  Client.exe                                                              37
PID 2496 wrote to memory of 1524    2496  Client.exe                                                              37
PID 2496 wrote to memory of 1524    2496  Client.exe                                                              37
PID 2496 wrote to memory of 1364    2496  Client.exe                                                              39
PID 2496 wrote to memory of 1364    2496  Client.exe                                                              39
PID 2496 wrote to memory of 1364    2496  Client.exe                                                              39
PID 1524 wrote to memory of 2716    1524  cmd.exe                                                                 41
PID 1524 wrote to memory of 2716    1524  cmd.exe                                                                 41
PID 1524 wrote to memory of 2716    1524  cmd.exe                                                                 41
PID 1364 wrote to memory of 1548    1364  cmd.exe                                                                 42
PID 1364 wrote to memory of 1548    1364  cmd.exe                                                                 42
PID 1364 wrote to memory of 1548    1364  cmd.exe                                                                 42
PID 1364 wrote to memory of 1948    1364  cmd.exe                                                                 43
PID 1364 wrote to memory of 1948    1364  cmd.exe                                                                 43
PID 1364 wrote to memory of 1948    1364  cmd.exe                                                                 43
PID 1984 wrote to memory of 2308    1984  cmd.exe                                                                 44
PID 1984 wrote to memory of 2308    1984  cmd.exe                                                                 44
PID 1984 wrote to memory of 2308    1984  cmd.exe                                                                 44
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2340

    [2] C:\Users\Admin\AppData\Local\Temp\Client.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2496

        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"' & exit
            - Suspicious use of WriteProcessMemory
            PID: 1524

            [4] C:\Windows\system32\schtasks.exe
                Command line: schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"'
                - Creates scheduled task(s)
                PID: 2716

        [3] C:\Windows\system32\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp20F8.tmp.bat""
            - Suspicious use of WriteProcessMemory
            PID: 1364

            [4] C:\Windows\system32\timeout.exe
                Command line: timeout 3
                - Delays execution with timeout.exe
                PID: 1548

            [4] C:\Users\Admin\AppData\Roaming\Loader.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Loader.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                PID: 1948

    [2] C:\Users\Admin\AppData\Local\Temp\Infected.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2608

        [3] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"' & exit
            - Suspicious use of WriteProcessMemory
            PID: 2384

            [4] C:\Windows\system32\schtasks.exe
                Command line: schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"'
                - Creates scheduled task(s)
                PID: 2820

        [3] C:\Windows\system32\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp20AA.tmp.bat""
            - Suspicious use of WriteProcessMemory
            PID: 1984

            [4] C:\Windows\system32\timeout.exe
                Command line: timeout 3
                - Delays execution with timeout.exe
                PID: 816

            [4] C:\Users\Admin\AppData\Roaming\Loaader.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Loaader.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                PID: 2308

    [2] C:\Users\Admin\AppData\Local\Temp\WinDefend.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\WinDefend.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        PID: 2516
Network
MITRE ATT&CK Enterprise v15
Downloads