Overview

Report tabs (score per task; file names are shown truncated as on the page):

Tab                         Platform            Score
Overview                    -                   10
Static                      -                   10
Venom-Rat-...0.html         windows7-x64        1
Venom-Rat-...0.html         windows10-2004-x64  1
Venom-Rat-...0.html         windows7-x64        1
Venom-Rat-...0.html         windows10-2004-x64  1
Venom-Rat-...il.dll         windows7-x64        1
Venom-Rat-...il.dll         windows10-2004-x64  1
Venom-Rat-...at.dll         windows7-x64        1
Venom-Rat-...at.dll         windows10-2004-x64  1
Venom-Rat-...me.dll         windows7-x64        1
Venom-Rat-...me.dll         windows10-2004-x64  1
Venom-Rat-...ed.exe         windows7-x64        8
Venom-Rat-...ed.exe         windows10-2004-x64  8
Majid Z Hacker.exe          windows7-x64        8
Majid Z Hacker.exe          windows10-2004-x64  8
Majid Z Hacker.exe          windows7-x64        10
Majid Z Hacker.exe          windows10-2004-x64  10
Windows Program.exe         windows7-x64        7
Windows Program.exe         windows10-2004-x64  7
script.vbs                  windows7-x64        10
script.vbs                  windows10-2004-x64  10
windows registry.exe        windows7-x64        10
windows registry.exe        windows10-2004-x64  10
firewall.exe                windows7-x64        8
firewall.exe                windows10-2004-x64  -
Venom Cracked.exe           windows7-x64        1
Venom Cracked.exe           windows10-2004-x64  1
Venom-Rat-...er.exe         windows7-x64        1
Venom-Rat-...er.exe         windows10-2004-x64  1
Venom-Rat-...ed.exe         windows7-x64        10
Venom-Rat-...ed.exe         windows10-2004-x64  10
Majid Z Ha...te.exe         windows7-x64        10
Majid Z Ha...te.exe         windows10-2004-x64  10

Analysis
- max time kernel: 152s
- max time network: 161s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 12:30
Behavioral tasks (task: sample, resource)
- behavioral1: Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html, win7-20240221-en
- behavioral2: Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html, win10v2004-20240508-en
- behavioral3: Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html, win7-20240221-en
- behavioral4: Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html, win10v2004-20240508-en
- behavioral5: Venom-Rat-Cracked--main/Mono.Cecil.dll, win7-20240221-en
- behavioral6: Venom-Rat-Cracked--main/Mono.Cecil.dll, win10v2004-20240426-en
- behavioral7: Venom-Rat-Cracked--main/Mono.Nat.dll, win7-20240221-en
- behavioral8: Venom-Rat-Cracked--main/Mono.Nat.dll, win10v2004-20240508-en
- behavioral9: Venom-Rat-Cracked--main/VelyseTheme.dll, win7-20231129-en
- behavioral10: Venom-Rat-Cracked--main/VelyseTheme.dll, win10v2004-20240508-en
- behavioral11: Venom-Rat-Cracked--main/Venom Activated Cracked.exe, win7-20240215-en
- behavioral12: Venom-Rat-Cracked--main/Venom Activated Cracked.exe, win10v2004-20240508-en
- behavioral13: Majid Z Hacker.exe, win7-20240220-en
- behavioral14: Majid Z Hacker.exe, win10v2004-20240508-en
- behavioral15: Majid Z Hacker.exe, win7-20240508-en
- behavioral16: Majid Z Hacker.exe, win10v2004-20240508-en
- behavioral17: Windows Program.exe, win7-20240221-en
- behavioral18: Windows Program.exe, win10v2004-20240426-en
- behavioral19: script.vbs, win7-20240508-en
- behavioral20: script.vbs, win10v2004-20240426-en
- behavioral21: windows registry.exe, win7-20240508-en
- behavioral22: windows registry.exe, win10v2004-20240508-en
- behavioral23: firewall.exe, win7-20240419-en
- behavioral24: firewall.exe, win10v2004-20240426-en
- behavioral25: Venom Cracked.exe, win7-20240221-en
- behavioral26: Venom Cracked.exe, win10v2004-20240426-en
- behavioral27: Venom-Rat-Cracked--main/Venom Binder.exe, win7-20240221-en
- behavioral28: Venom-Rat-Cracked--main/Venom Binder.exe, win10v2004-20240508-en
- behavioral29: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe, win7-20240221-en
- behavioral30: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe, win10v2004-20240426-en
- behavioral31: Majid Z Hacker Website.exe, win7-20240508-en
- behavioral32: Majid Z Hacker Website.exe, win10v2004-20240508-en
General
- Target: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe
- Size: 9.8MB
- MD5: 1947749a785b384a9bfe51d57c796ae9
- SHA1: db986cb4503589a2319e596b799c878ec4d4a990
- SHA256: 6018e4099dca3d452ecc8fe34f5e6d00b2b43c5c21cdea1b4c53c7025376048a
- SHA512: 3e82f60c595a5fc25043729366137ea35f2037bf23b78248cf8946a2edb39c6af4c9159c9c5b6c876148ef8b06468d975a4f6e413319b6ebc9712920f3c5829e
- SSDEEP: 196608:w6+0f/ylacMb5mCbClb12UK4RDx5gRIAL1xXPm68DwOHRR+kc4N4FmDdgW7U:40f/KacMbR2J2UKEdiRIAL1xXPCwkEn3
Malware Config
Signatures

Contains code to disable Windows Defender (1 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\script.vbs | disable_win_def

Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | WScript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | WScript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | WScript.exe

Modifies Windows Firewall (2 TTPs, 1 IoCs)
Processes:
pid | process
2516 | netsh.exe

Drops startup file (4 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe | windows.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e23fc64d012fb66b44b10cd7ea0e2414.exe | microsoft corporation.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e23fc64d012fb66b44b10cd7ea0e2414.exe | microsoft corporation.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe | windows.exe

Executes dropped EXE (6 IoCs)
Processes:
pid | process
2888 | Venom Cracked.exe
3056 | Majid Z Hacker Website.exe
2872 | microsoft corporation.exe
2576 | windows.exe
708 | windows.exe
2988 | microsoft corporation.exe

Loads dropped DLL (5 IoCs)
Processes:
pid | process
2764 | Venom Software RAT Activated Cracked.exe
2764 | Venom Software RAT Activated Cracked.exe
3056 | Majid Z Hacker Website.exe
3056 | Majid Z Hacker Website.exe
2872 | microsoft corporation.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 6 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe" | windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe" | windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Updates\\windows.exe" | windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Updates\\windows.exe" | windows.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\e23fc64d012fb66b44b10cd7ea0e2414 = "\"C:\\ProgramData\\microsoft corporation.exe\" .." | microsoft corporation.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e23fc64d012fb66b44b10cd7ea0e2414 = "\"C:\\ProgramData\\microsoft corporation.exe\" .." | microsoft corporation.exe

Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description | ioc | process
File created | C:\autorun.inf | windows.exe
File opened for modification | C:\autorun.inf | windows.exe
File created | F:\autorun.inf | windows.exe
File opened for modification | F:\autorun.inf | windows.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (2 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe | nsis_installer_1
\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe | nsis_installer_2

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | windows.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\ProcessorNameString | windows.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
pid | process
2676 | powershell.exe
2592 | powershell.exe
2824 | powershell.exe
2100 | powershell.exe
2524 | powershell.exe
2376 | powershell.exe
1252 | powershell.exe
1664 | powershell.exe
1704 | powershell.exe
608 | powershell.exe
2060 | powershell.exe
2872 | microsoft corporation.exe
2872 | microsoft corporation.exe

Suspicious use of AdjustPrivilegeToken (61 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2676 | powershell.exe
Token: SeDebugPrivilege | 2592 | powershell.exe
Token: SeDebugPrivilege | 2824 | powershell.exe
Token: SeDebugPrivilege | 2100 | powershell.exe
Token: SeDebugPrivilege | 2524 | powershell.exe
Token: SeDebugPrivilege | 2376 | powershell.exe
Token: SeDebugPrivilege | 1252 | powershell.exe
Token: SeDebugPrivilege | 1664 | powershell.exe
Token: SeDebugPrivilege | 1704 | powershell.exe
Token: SeDebugPrivilege | 608 | powershell.exe
Token: SeDebugPrivilege | 2060 | powershell.exe
Token: SeDebugPrivilege | 2872 | microsoft corporation.exe
Token: SeDebugPrivilege | 2988 | microsoft corporation.exe
Token: 33 | 2988 | microsoft corporation.exe (24 occurrences, alternating with the row below)
Token: SeIncBasePriorityPrivilege | 2988 | microsoft corporation.exe (24 occurrences)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process
2576 | windows.exe
708 | windows.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
2576 | windows.exe
708 | windows.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (each row was recorded 4 times):
description | pid | process | target process
PID 2764 wrote to memory of 2888 | 2764 | Venom Software RAT Activated Cracked.exe | Venom Cracked.exe
PID 2764 wrote to memory of 3056 | 2764 | Venom Software RAT Activated Cracked.exe | Majid Z Hacker Website.exe
PID 3056 wrote to memory of 2872 | 3056 | Majid Z Hacker Website.exe | microsoft corporation.exe
PID 3056 wrote to memory of 2576 | 3056 | Majid Z Hacker Website.exe | windows.exe
PID 3056 wrote to memory of 2516 | 3056 | Majid Z Hacker Website.exe | WScript.exe
PID 2516 wrote to memory of 2520 | 2516 | WScript.exe | WScript.exe
PID 2520 wrote to memory of 2524 | 2520 | WScript.exe | powershell.exe
PID 2520 wrote to memory of 1252 | 2520 | WScript.exe | powershell.exe
PID 2520 wrote to memory of 2376 | 2520 | WScript.exe | powershell.exe
PID 2520 wrote to memory of 2824 | 2520 | WScript.exe | powershell.exe
PID 2520 wrote to memory of 2060 | 2520 | WScript.exe | powershell.exe
PID 2520 wrote to memory of 1664 | 2520 | WScript.exe | powershell.exe
PID 2520 wrote to memory of 608 | 2520 | WScript.exe | powershell.exe
PID 2520 wrote to memory of 1704 | 2520 | WScript.exe | powershell.exe
PID 2520 wrote to memory of 2592 | 2520 | WScript.exe | powershell.exe
PID 2520 wrote to memory of 2676 | 2520 | WScript.exe | powershell.exe
Processes (tree depth in brackets; image path, then command line, then matched signatures)

[1] C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Software RAT Activated Cracked.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Software RAT Activated Cracked.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe"
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\ProgramData\microsoft corporation.exe
          Command line: "C:\ProgramData\microsoft corporation.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\ProgramData\microsoft corporation.exe" "microsoft corporation.exe" ENABLE
            - Modifies Windows Firewall
    [3] C:\Users\Admin\AppData\Local\Temp\windows.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops autorun.inf file
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate
          - Modifies Windows Defender Real-time Protection settings
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads

- C:\Users\Admin\AppData\Local\Temp\melt.txt
  Filesize: 45B
  MD5: c65dda57254957c2ad83b548c55b42a5
  SHA1: d88daf5dd37726325a30a3078c254128f5579f85
  SHA256: adae127291a1d4f70e9ff1258044a01d95176fd9bb2c303ab94f3e62db429a44
  SHA512: d74c977dd16046f024a6b012322dcfd0380fcc58a5db5e96d350852723bc1404d49a67d6185210711a24b9aeb94974212f4e056590e0742937821a459ba628b6

- C:\Users\Admin\AppData\Local\Temp\script.vbs
  Filesize: 1KB
  MD5: 77a4da4863ffcaba51ce05d3c632158d
  SHA1: 253f9a594a6ca3a7a23acb90f8dc81939215ba4b
  SHA256: ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f
  SHA512: ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf

- C:\Users\Admin\AppData\Local\Temp\windows.exe
  Filesize: 145KB
  MD5: aa4ba7df205e6f0dc8d847ab3c3681c2
  SHA1: bb8c96c2f736f1d5f1923fc3b20f53b890b98e46
  SHA256: 59a0bd599e306457164b08b7fe23bbf4fe92b202beaad836d6faa28da61073ca
  SHA512: 0f8f57de1251e3102d1db2c72ed7c3f7cc1d12c3ce561a275d4d280944f77952970464c553da3ce6ce88e9462033818ed186e83eba1b8853d16d28bcc7140450

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 255463964525cc5e2c7d41ab139fc947
  SHA1: 6c18353134eeefab22ba1875edca3465b937ecab
  SHA256: ffd2d2a910e8c0e979fbaa1c24d46a573c67c902a4651b3c24160e53addf7d83
  SHA512: c99d30d3769dfdfecbe7cd6d74e41859734aaafe3582d30630c40cd60f7fb87e8cd4fe32921a2b70f6eab5d25767143b83b6e62470c524917d38a36c663e446d

- \Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe
  Filesize: 127KB
  MD5: b4d0b69f3c391acca7128a66abd480f7
  SHA1: 8ccac1861f4c544c51a5c7d4a0fb32796ab30488
  SHA256: 349b87c3ebd55cab9daa375c468b62be416063af859a16bed78cf4bd06fb5c07
  SHA512: 9578df157aafc7740e12952d1abba08fa9e032fc73073e1787fffb7e24ce6963d98d7bdd4539297be0123626efdfccb63c7dea411d82ceef7bf6197ff2806ff1

- \Users\Admin\AppData\Local\Temp\Venom Cracked.exe
  Filesize: 12.1MB
  MD5: 750015e08a9409c80cd3837daebb970a
  SHA1: bfd1122f8c459862717b0b7a50b7216fc2573880
  SHA256: 3c413ee4b07c531c891ac1852d3d1b6a60bdc92e549e9cf4744d4fe85ebb5de2
  SHA512: f35938eac84d6084d9239977462c965bab95924895cd2b73e501a7d7c2ff400aaeaefbdc3302ac8f8c13cd49e22d19e95ef530cf1cc10f79f6ab62653021e5ac

- \Users\Admin\AppData\Local\Temp\microsoft corporation.exe
  Filesize: 33KB
  MD5: 23fb3146d1455b890afdbd9511b48351
  SHA1: 9e0118366167c76de2d88fb354606d5e58677eb7
  SHA256: 58c8e3599d16762dfc51decf16c3d014cd8c8dd1aab59a0acff5372c5182bda7
  SHA512: 92a816b16f854cb19a28a9bd186223dd3f7961800b6486b32be1f270b26a0240c0f68ebe0f6c555b72f0e3388f3aa1a061fad50c0b09aaec1af9de1185fc8cf4

- memory/2888-16-0x000007FEF5753000-0x000007FEF5754000-memory.dmp
  Filesize: 4KB

- memory/2888-31-0x0000000000880000-0x000000000149A000-memory.dmp
  Filesize: 12.1MB

- memory/2888-101-0x000007FEF5753000-0x000007FEF5754000-memory.dmp
  Filesize: 4KB