Resubmissions

Analysis
- max time kernel: 109s
- max time network: 111s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 12:19

Static task: static1

Behavioral task: behavioral1
- Sample: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
- Resource: win10-20240404-en

Behavioral task: behavioral2
- Sample: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
- Resource: win7-20240221-en

Behavioral task: behavioral3
- Sample: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
- Resource: win10v2004-20240508-en

Behavioral task: behavioral4
- Sample: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
- Resource: win11-20240426-en
General
- Target: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
- Size: 231KB
- MD5: 144f1b1c4b9cdad97d8dd1a3a89e7ea1
- SHA1: 1a11d76a6ab646a0d699efa0e5fc71de6e5af92c
- SHA256: e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944
- SHA512: 2697bde82afdef6b3e9079e9add7a9026fffec2a9093932d6c05256fe73df0ef9a2fac4f26de28e2b5d87cc7dd0651dac80baa2a3841148409ab2c3ea32b6882
- SSDEEP: 6144:TZ+geAPqybJnO5AbpbO9jhJdrz8U6n4eOP07NyGyG2qYlw5S3U19:T4FvybJNpazzfoyG
Malware Config

Extracted (first configuration)
- family: asyncrat
- version string: Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Default
- C2: 66.235.168.242:4449
- scgofjarww
- delay: 1
- install: true
- install_file: Loader.exe
- install_folder: %AppData%

Extracted (second configuration)
- family: asyncrat
- Default
- C2: 66.235.168.242:3232
- delay: 1
- install: true
- install_file: Loaader.exe
- install_folder: %AppData%

Two AsyncRAT-family configurations were extracted. Both point at the same C2 host, 66.235.168.242, on different ports (4449 and 3232), and both install into %AppData% under a different file name (Loader.exe and Loaader.exe). These two install paths are exactly the targets of the two scheduled tasks created in the process tree below.
Signatures

Async RAT payload (2 IoCs)
- yara_rule family_asyncrat: behavioral3/files/0x000800000002328e-7.dat
- yara_rule family_asyncrat: behavioral3/files/0x00070000000233fb-18.dat

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation, by e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation, by Client.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation, by Infected.exe

Executes dropped EXE (5 IoCs)
- PID 4920 Client.exe
- PID 3060 Infected.exe
- PID 1524 WinDefend.exe
- PID 3540 Loader.exe
- PID 700 Loaader.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YourAppName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefend.exe", by WinDefend.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 8: api64.ipify.org
- flow 7: api64.ipify.org

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4696 schtasks.exe
- PID 3596 schtasks.exe

Delays execution with timeout.exe (2 IoCs)
- PID 4472 timeout.exe
- PID 3588 timeout.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 repeated process-enumeration events, all from PID 4920 Client.exe, PID 3060 Infected.exe and PID 3540 Loader.exe.

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, PID 4920 Client.exe
- Token: SeDebugPrivilege, PID 1524 WinDefend.exe
- Token: SeDebugPrivilege, PID 3060 Infected.exe
- Token: SeDebugPrivilege, PID 3540 Loader.exe
- Token: SeDebugPrivilege, PID 700 Loaader.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3540 Loader.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Each record is "PID <writer> wrote to memory of <target>", followed by the writer's image and the report's target index; identical records are counted rather than repeated.
- 3372 wrote to 4920 (e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe, target 83), x2
- 3372 wrote to 3060 (e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe, target 84), x2
- 3372 wrote to 1524 (e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe, target 85), x3
- 4920 wrote to 1764 (Client.exe, target 86), x2
- 4920 wrote to 3012 (Client.exe, target 88), x2
- 3012 wrote to 4472 (cmd.exe, target 91), x2
- 1764 wrote to 4696 (cmd.exe, target 90), x2
- 3060 wrote to 1804 (Infected.exe, target 92), x2
- 3060 wrote to 4456 (Infected.exe, target 94), x2
- 1804 wrote to 3596 (cmd.exe, target 96), x2
- 4456 wrote to 3588 (cmd.exe, target 97), x2
- 3012 wrote to 3540 (cmd.exe, target 103), x2
- 4456 wrote to 700 (cmd.exe, target 108), x2

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
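The signatures above translate directly into host-telemetry detections: a scheduled task created with /sc onlogon and /rl highest whose /tr target lives under a user-writable directory, timeout.exe launched from a %TEMP%\tmp*.tmp.bat wrapper, a Run value pointing into %TEMP%, a query of Control Panel\International\Geo\Nation, and DNS for an IP-echo service. The following is an added example (not part of the sandbox report) that runs those checks over constructed, Sysmon-like event dicts; the PIDs, paths, task names, registry keys and the api64.ipify.org name are copied from this report, the event schema and the extra api.ipify.org host are assumptions, one benign scheduled-task event is included as a control, and the ATT&CK IDs are this example's mapping rather than the report's.

```python
"""Detection logic for the persistence/discovery behaviours in the Signatures section.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
telemetry in an assumed Sysmon-like dict schema.
"""
import re

SAMPLE = "e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe"
SID = r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000"


def schtasks_cmd(task, path):
    # Same shape as the tree in this report: /f /sc onlogon /rl highest /tr '"<path>"'
    return ('schtasks /create /f /sc onlogon /rl highest /tn "{}" '
            '/tr \'"{}"\''.format(task, path))


# Constructed events modelled on this report, plus one benign control (PID 5000).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4696, "image": "schtasks.exe",
     "cmdline": schtasks_cmd("Loader", r"C:\Users\Admin\AppData\Roaming\Loader.exe")},
    {"type": "process", "pid": 3596, "image": "schtasks.exe",
     "cmdline": schtasks_cmd("Loaader", r"C:\Users\Admin\AppData\Roaming\Loaader.exe")},
    {"type": "process", "pid": 4472, "image": "timeout.exe", "cmdline": "timeout 3",
     "parent_cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DDF.tmp.bat""'},
    {"type": "process", "pid": 3588, "image": "timeout.exe", "cmdline": "timeout 3",
     "parent_cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5EF8.tmp.bat""'},
    {"type": "registry_set", "pid": 1524, "image": "WinDefend.exe",
     "key": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YourAppName",
     "value": r"C:\Users\Admin\AppData\Local\Temp\WinDefend.exe"},
    {"type": "registry_query", "pid": 3372, "image": SAMPLE,
     "key": SID + r"\Control Panel\International\Geo\Nation"},
    {"type": "dns", "pid": 4920, "image": "Client.exe", "query": "api64.ipify.org"},
    # Benign control (constructed): a daily task into Program Files must not fire.
    {"type": "process", "pid": 5000, "image": "schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\run.exe"'},
]

USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\", re.I)
SCHTASKS_CREATE = re.compile(r"^schtasks(?:\.exe)?\s+/create\b", re.I)
TASK_TARGET = re.compile(r"/tr\s+['\"]*([^'\"]+)", re.I)       # path after /tr, quotes stripped
ONLOGON_OR_HIGHEST = re.compile(r"/sc\s+onlogon\b|/rl\s+highest\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
TMP_BAT = re.compile(r"\\Temp\\tmp[0-9A-F]+\.tmp\.bat\b", re.I)
IP_LOOKUP_HOSTS = {"api64.ipify.org", "api.ipify.org"}   # assumed list; report shows api64.ipify.org


def detect(events):
    """Return (label, pid, detail) tuples; labels are ATT&CK IDs where the mapping is clear."""
    findings = []
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        cmd = ev.get("cmdline", "")
        if kind == "process" and SCHTASKS_CREATE.search(cmd):
            m = TASK_TARGET.search(cmd)
            target = m.group(1).strip() if m else ""
            # Logon trigger or highest run level combined with a user-writable target.
            if USER_WRITABLE.search(target) and ONLOGON_OR_HIGHEST.search(cmd):
                findings.append(("T1053.005", pid, "logon/highest task runs " + target))
        elif (kind == "process" and ev["image"].lower() == "timeout.exe"
              and TMP_BAT.search(ev.get("parent_cmdline", ""))):
            findings.append(("delay-then-launch", pid, "timeout.exe under a %TEMP% tmp*.tmp.bat wrapper"))
        elif kind == "registry_set" and RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["value"]):
            findings.append(("T1547.001", pid, "Run value -> " + ev["value"]))
        elif kind == "registry_query" and GEO_NATION.search(ev["key"]):
            findings.append(("T1614", pid, "Geo\\Nation lookup (likely geofence)"))
        elif kind == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            findings.append(("external-ip-lookup", pid, ev["query"]))
    return findings


if __name__ == "__main__":
    for label, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{label:20} pid={pid:<5} {detail}")
```

The scheduled-task rule deliberately requires both a risky trigger (onlogon or highest run level) and a user-writable target; either alone is common in legitimate software. The benign control event produces no finding, and the seven findings that remain correspond one-to-one with the IoCs in the signature tables above.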
Processes
Indentation shows the parent/child relationship; the depth numbers are the report's own. The signatures the sandbox attached to each process follow its command line.

1  C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe (PID 3372)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\Client.exe (PID 4920)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\System32\cmd.exe (PID 1764)
         cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"' & exit
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\system32\schtasks.exe (PID 4696)
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"'
            - Creates scheduled task(s)

      3  C:\Windows\system32\cmd.exe (PID 3012)
         cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DDF.tmp.bat""
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\system32\timeout.exe (PID 4472)
            cmdline: timeout 3
            - Delays execution with timeout.exe

         4  C:\Users\Admin\AppData\Roaming\Loader.exe (PID 3540)
            cmdline: "C:\Users\Admin\AppData\Roaming\Loader.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx

   2  C:\Users\Admin\AppData\Local\Temp\Infected.exe (PID 3060)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\System32\cmd.exe (PID 1804)
         cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"' & exit
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\system32\schtasks.exe (PID 3596)
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"'
            - Creates scheduled task(s)

      3  C:\Windows\system32\cmd.exe (PID 4456)
         cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5EF8.tmp.bat""
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\system32\timeout.exe (PID 3588)
            cmdline: timeout 3
            - Delays execution with timeout.exe

         4  C:\Users\Admin\AppData\Roaming\Loaader.exe (PID 700)
            cmdline: "C:\Users\Admin\AppData\Roaming\Loaader.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken

   2  C:\Users\Admin\AppData\Local\Temp\WinDefend.exe (PID 1524)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\WinDefend.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

The dropper (PID 3372) launches three payloads from %TEMP%. Client.exe and Infected.exe follow the same install routine: each registers an onlogon scheduled task with the highest run level that points at its copy under %AppData% (Loader.exe and Loaader.exe, matching the install_file values in the extracted configurations), then runs a temporary batch file that waits with timeout 3 and starts that copy. WinDefend.exe instead persists through a Run value that points back at its own location in %TEMP%.
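In this report every WriteProcessMemory record lines up with a process creation (the parent writes the child's initial memory), so the 27 records in the signature table double as the edges of the tree above. The following added example (not part of the report) rebuilds the tree from those records: the tuples are copied from the WriteProcessMemory table, images for processes that never act as a writer are taken from the other signature tables on this page, and the rendering order matches the Processes section.

```python
"""Rebuild the process tree from the WriteProcessMemory records in this report.

Added example, not part of the sandbox report. Record and image data are
copied from the signature tables; nothing else is assumed.
"""
from collections import Counter, defaultdict

SAMPLE = "e3f245020bcf6beaca39b8cc9eb06b3db7f209356e765f41d8306ad56735e944.exe"

# (writer pid, target pid, writer image, report target index), one per record.
WPM_RECORDS = [
    (3372, 4920, SAMPLE, 83), (3372, 4920, SAMPLE, 83),
    (3372, 3060, SAMPLE, 84), (3372, 3060, SAMPLE, 84),
    (3372, 1524, SAMPLE, 85), (3372, 1524, SAMPLE, 85), (3372, 1524, SAMPLE, 85),
    (4920, 1764, "Client.exe", 86), (4920, 1764, "Client.exe", 86),
    (4920, 3012, "Client.exe", 88), (4920, 3012, "Client.exe", 88),
    (3012, 4472, "cmd.exe", 91), (3012, 4472, "cmd.exe", 91),
    (1764, 4696, "cmd.exe", 90), (1764, 4696, "cmd.exe", 90),
    (3060, 1804, "Infected.exe", 92), (3060, 1804, "Infected.exe", 92),
    (3060, 4456, "Infected.exe", 94), (3060, 4456, "Infected.exe", 94),
    (1804, 3596, "cmd.exe", 96), (1804, 3596, "cmd.exe", 96),
    (4456, 3588, "cmd.exe", 97), (4456, 3588, "cmd.exe", 97),
    (3012, 3540, "cmd.exe", 103), (3012, 3540, "cmd.exe", 103),
    (4456, 700, "cmd.exe", 108), (4456, 700, "cmd.exe", 108),
]

# Leaf processes never write to another process, so their image comes from the
# "Executes dropped EXE", "Creates scheduled task(s)" and timeout.exe tables.
LEAF_IMAGES = {4696: "schtasks.exe", 3596: "schtasks.exe",
               4472: "timeout.exe", 3588: "timeout.exe",
               3540: "Loader.exe", 700: "Loaader.exe", 1524: "WinDefend.exe"}


def build_tree(records):
    """Return (root pid, children map, pid->image map, per-edge record counts)."""
    children = defaultdict(list)
    images = dict(LEAF_IMAGES)
    edge_counts = Counter()
    for writer, target, writer_image, _idx in records:
        images[writer] = writer_image
        edge_counts[(writer, target)] += 1
        if target not in children[writer]:        # keep first-seen order, drop repeats
            children[writer].append(target)
    targets = {t for _, t, _, _ in records}
    root = next(w for w, *_ in records if w not in targets)   # a writer nobody wrote to
    return root, dict(children), images, edge_counts


def depth_of(pid, children, root):
    """Depth of pid below root (root itself is 0), following parent links."""
    parent = {c: p for p, cs in children.items() for c in cs}
    depth = 0
    while pid != root:
        pid = parent[pid]
        depth += 1
    return depth


def render(root, children, images):
    """Indented lines in the same order as the Processes section."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images.get(pid, '?')} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    root, children, images, counts = build_tree(WPM_RECORDS)
    print("\n".join(render(root, children, images)))
    print(f"{sum(counts.values())} records, {len(counts)} distinct parent/child edges")
```

The duplicate counts are worth keeping rather than discarding: 3372 wrote to 1524 three times while every other edge appears twice, which is the kind of asymmetry that tells an analyst WinDefend.exe was set up differently from the other two payloads before the tree is even read.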
Network
MITRE ATT&CK Enterprise v15
Downloads
Files recorded by the sandbox (the report lists hashes only, no file names):

- Filesize: 74KB
  MD5: 7ac0adf482250172280defec7a7054da
  SHA1: 20a25f0da68c309d062c4628ead8b6f377ac7969
  SHA256: 3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5
  SHA512: d03d033b931f3d39f95a1ec1cdc7d9014783f11b2438c265dd72c0bc34f9d5ced534a38c7c1c88ff930868fd9cf60521dd556b5c486c5cf364f798f39215a1aa

- Filesize: 63KB
  MD5: b8d455465260a845db35492fda5a8888
  SHA1: 287b0ba049ad8f3be802d2224efb86dba72d3221
  SHA256: a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282
  SHA512: 5dba43ae31420de362593752e8ff491afbe8d20f183f6b95e6962ea1e637c7bf3bd50b5213e4d928a96b85d9b54841ee697798b0089624b13ef7eded826cd86a

- Filesize: 87KB
  MD5: 5fc6a541845fdafb597ddfb98fa28b54
  SHA1: 22e5dd50ddd71bc39c812db0f9b164ca10c556dd
  SHA256: 64e4dedb36812766c522c79cae57b7f3b2694efaa396151d4117a70282166117
  SHA512: f174e4ccc89d4a7473001a9153a9c3d63bedd393dda1ea3be171768b7587846722ad07445adeafa52ef54802a8ac84eb33ab1799248dcbf7db60aa4f311da5e3

- Filesize: 150B
  MD5: 9ee0cc633464db4c95d5ccdd10099c21
  SHA1: 95ad6a1245ef8a9fa458dd8706dc99292fb16292
  SHA256: 7c61babaab471773707ed5e0b24fff200d2b9fb9b8da8b77cbbeca61e6712533
  SHA512: 3b5c3f489a67a80917b667523be46a5dad498a525225d519c9a40388cca81efe1194f0975eec3f1b1bf1714bc452866677f0ab4dcda6730c181ad450c7824c49

- Filesize: 151B
  MD5: f337c9aedcb2c5345874bfadf0737581
  SHA1: 1fdacc27948d8163b20ee7e9966004e733e3906c
  SHA256: 3167578613d1168220054e7fca56a2c880855cb1e522ec44e37badceb0007636
  SHA512: 8d7777b8e9aa9403913ca21694516684a01a977f757e28c938d96156e2b3071bc8e0ea6549398ffe6b272bd3da4d15353da6c1c1316d37ae6a94eae04371245d

- Filesize: 8B
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

- Filesize: 4KB
  MD5: 3a8cb1787e063f60806408db40454b7b
  SHA1: 7983a5df4915b2e4ce52d3b6cceba419ae6526d6
  SHA256: e1e68a268468224a378907e00757545f69200f237d1150e1854a0895665a7940
  SHA512: 343dc5c61577eff0196bc6efcaac5d393efd077152249862eedc81f40158c522fa714ca5d50fa5ffc7818b6837dab884b52b9dd554a23ce3b9c4aaaca32e6da7