Overview

Task                   Platform             Score
overview               -                    10
static                 -                    10
Venom-Rat-...0.html    windows7-x64         1
Venom-Rat-...0.html    windows10-2004-x64   1
Venom-Rat-...0.html    windows7-x64         1
Venom-Rat-...0.html    windows10-2004-x64   1
Venom-Rat-...il.dll    windows7-x64         1
Venom-Rat-...il.dll    windows10-2004-x64   1
Venom-Rat-...at.dll    windows7-x64         1
Venom-Rat-...at.dll    windows10-2004-x64   1
Venom-Rat-...me.dll    windows7-x64         1
Venom-Rat-...me.dll    windows10-2004-x64   1
Venom-Rat-...ed.exe    windows7-x64         8
Venom-Rat-...ed.exe    windows10-2004-x64   8
Majid Z Hacker.exe     windows7-x64         8
Majid Z Hacker.exe     windows10-2004-x64   8
Majid Z Hacker.exe     windows7-x64         10
Majid Z Hacker.exe     windows10-2004-x64   10
Windows Program.exe    windows7-x64         7
Windows Program.exe    windows10-2004-x64   7
script.vbs             windows7-x64         10
script.vbs             windows10-2004-x64   10
windows registry.exe   windows7-x64         10
windows registry.exe   windows10-2004-x64   10
firewall.exe           windows7-x64         8
firewall.exe           windows10-2004-x64   -
Venom Cracked.exe      windows7-x64         1
Venom Cracked.exe      windows10-2004-x64   1
Venom-Rat-...er.exe    windows7-x64         1
Venom-Rat-...er.exe    windows10-2004-x64   1
Venom-Rat-...ed.exe    windows7-x64         10
Venom-Rat-...ed.exe    windows10-2004-x64   10
Majid Z Ha...te.exe    windows7-x64         10
Majid Z Ha...te.exe    windows10-2004-x64   10

Analysis
Max time kernel: 150s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31-05-2024 12:30
Behavioral tasks (sample, resource)
behavioral1: Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html, win7-20240221-en
behavioral2: Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html, win10v2004-20240508-en
behavioral3: Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html, win7-20240221-en
behavioral4: Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html, win10v2004-20240508-en
behavioral5: Venom-Rat-Cracked--main/Mono.Cecil.dll, win7-20240221-en
behavioral6: Venom-Rat-Cracked--main/Mono.Cecil.dll, win10v2004-20240426-en
behavioral7: Venom-Rat-Cracked--main/Mono.Nat.dll, win7-20240221-en
behavioral8: Venom-Rat-Cracked--main/Mono.Nat.dll, win10v2004-20240508-en
behavioral9: Venom-Rat-Cracked--main/VelyseTheme.dll, win7-20231129-en
behavioral10: Venom-Rat-Cracked--main/VelyseTheme.dll, win10v2004-20240508-en
behavioral11: Venom-Rat-Cracked--main/Venom Activated Cracked.exe, win7-20240215-en
behavioral12: Venom-Rat-Cracked--main/Venom Activated Cracked.exe, win10v2004-20240508-en
behavioral13: Majid Z Hacker.exe, win7-20240220-en
behavioral14: Majid Z Hacker.exe, win10v2004-20240508-en
behavioral15: Majid Z Hacker.exe, win7-20240508-en
behavioral16: Majid Z Hacker.exe, win10v2004-20240508-en
behavioral17: Windows Program.exe, win7-20240221-en
behavioral18: Windows Program.exe, win10v2004-20240426-en
behavioral19: script.vbs, win7-20240508-en
behavioral20: script.vbs, win10v2004-20240426-en
behavioral21: windows registry.exe, win7-20240508-en
behavioral22: windows registry.exe, win10v2004-20240508-en
behavioral23: firewall.exe, win7-20240419-en
behavioral24: firewall.exe, win10v2004-20240426-en
behavioral25: Venom Cracked.exe, win7-20240221-en
behavioral26: Venom Cracked.exe, win10v2004-20240426-en
behavioral27: Venom-Rat-Cracked--main/Venom Binder.exe, win7-20240221-en
behavioral28: Venom-Rat-Cracked--main/Venom Binder.exe, win10v2004-20240508-en
behavioral29: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe, win7-20240221-en
behavioral30: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe, win10v2004-20240426-en
behavioral31: Majid Z Hacker Website.exe, win7-20240508-en
behavioral32: Majid Z Hacker Website.exe, win10v2004-20240508-en
General
Target: Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe
Size: 9.8MB
MD5: 1947749a785b384a9bfe51d57c796ae9
SHA1: db986cb4503589a2319e596b799c878ec4d4a990
SHA256: 6018e4099dca3d452ecc8fe34f5e6d00b2b43c5c21cdea1b4c53c7025376048a
SHA512: 3e82f60c595a5fc25043729366137ea35f2037bf23b78248cf8946a2edb39c6af4c9159c9c5b6c876148ef8b06468d975a4f6e413319b6ebc9712920f3c5829e
SSDEEP: 196608:w6+0f/ylacMb5mCbClb12UK4RDx5gRIAL1xXPm68DwOHRR+kc4N4FmDdgW7U:40f/KacMbR2J2UKEdiRIAL1xXPCwkEn3
Malware Config
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\script.vbs | disable_win_def
Modifies Windows Defender Real-time Protection settings
  Processes: WScript.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | WScript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | WScript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | WScript.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | WScript.exe
Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | process
  2804 | netsh.exe
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Processes: WScript.exe, WScript.exe, windows.exe, microsoft corporation.exe, Venom Software RAT Activated Cracked.exe, Majid Z Hacker Website.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | windows.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | microsoft corporation.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | Venom Software RAT Activated Cracked.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | Majid Z Hacker Website.exe
Drops startup file (4 IoCs)
  Processes: windows.exe, microsoft corporation.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe | windows.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.exe | windows.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e23fc64d012fb66b44b10cd7ea0e2414.exe | microsoft corporation.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e23fc64d012fb66b44b10cd7ea0e2414.exe | microsoft corporation.exe
Executes dropped EXE (6 IoCs)
  pid | process
  384 | Venom Cracked.exe
  4084 | Majid Z Hacker Website.exe
  756 | microsoft corporation.exe
  2560 | windows.exe
  3764 | windows.exe
  4116 | microsoft corporation.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: windows.exe, windows.exe, microsoft corporation.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe" | windows.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Updates\\windows.exe" | windows.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Updates\\windows.exe" | windows.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e23fc64d012fb66b44b10cd7ea0e2414 = "\"C:\\ProgramData\\microsoft corporation.exe\" .." | microsoft corporation.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e23fc64d012fb66b44b10cd7ea0e2414 = "\"C:\\ProgramData\\microsoft corporation.exe\" .." | microsoft corporation.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe" | windows.exe
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes: windows.exe
  description | ioc | process
  File created | C:\autorun.inf | windows.exe
  File opened for modification | C:\autorun.inf | windows.exe
  File created | F:\autorun.inf | windows.exe
  File opened for modification | F:\autorun.inf | windows.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
NSIS installer (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe | nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe | nsis_installer_2
Modifies registry class (1 IoC)
  Processes: Majid Z Hacker Website.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | Majid Z Hacker Website.exe
Suspicious behavior: EnumeratesProcesses (35 IoCs)
  Processes: powershell.exe (11 instances), microsoft corporation.exe
  pid process entries, in the order reported:
  4844 powershell.exe, 4844 powershell.exe, 4900 powershell.exe, 4900 powershell.exe, 2200 powershell.exe, 2200 powershell.exe, 680 powershell.exe, 680 powershell.exe, 4144 powershell.exe, 4144 powershell.exe, 4536 powershell.exe, 4536 powershell.exe, 2992 powershell.exe, 2992 powershell.exe, 4636 powershell.exe, 4636 powershell.exe, 4624 powershell.exe, 4624 powershell.exe, 1552 powershell.exe, 1552 powershell.exe, 1740 powershell.exe, 1740 powershell.exe, 4844 powershell.exe, 2200 powershell.exe, 4900 powershell.exe, 4624 powershell.exe, 4144 powershell.exe, 4536 powershell.exe, 680 powershell.exe, 1740 powershell.exe, 2992 powershell.exe, 1552 powershell.exe, 4636 powershell.exe, 756 microsoft corporation.exe, 756 microsoft corporation.exe
Suspicious use of AdjustPrivilegeToken (63 IoCs)
  Processes: powershell.exe (11 instances), microsoft corporation.exe (2 instances)
  description | pid | process
  Token: SeDebugPrivilege | 2200 | powershell.exe
  Token: SeDebugPrivilege | 4844 | powershell.exe
  Token: SeDebugPrivilege | 4900 | powershell.exe
  Token: SeDebugPrivilege | 680 | powershell.exe
  Token: SeDebugPrivilege | 4144 | powershell.exe
  Token: SeDebugPrivilege | 4536 | powershell.exe
  Token: SeDebugPrivilege | 2992 | powershell.exe
  Token: SeDebugPrivilege | 1740 | powershell.exe
  Token: SeDebugPrivilege | 4636 | powershell.exe
  Token: SeDebugPrivilege | 4624 | powershell.exe
  Token: SeDebugPrivilege | 1552 | powershell.exe
  Token: SeDebugPrivilege | 756 | microsoft corporation.exe
  Token: SeDebugPrivilege | 4116 | microsoft corporation.exe
  The remaining 50 entries are the pair "Token: 33" / "Token: SeIncBasePriorityPrivilege" for pid 4116 (microsoft corporation.exe), repeated 25 times in alternation.
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  2560 | windows.exe
  3764 | windows.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  2560 | windows.exe
  3764 | windows.exe
Suspicious use of WriteProcessMemory (57 IoCs)
  Processes: Venom Software RAT Activated Cracked.exe, Majid Z Hacker Website.exe, WScript.exe, WScript.exe, windows.exe, microsoft corporation.exe, microsoft corporation.exe
  Identical rows are grouped; the last column is the number of times the row is reported (57 in total).
  description | pid | process | target process | count
  PID 3092 wrote to memory of 384 | 3092 | Venom Software RAT Activated Cracked.exe | Venom Cracked.exe | 2
  PID 3092 wrote to memory of 4084 | 3092 | Venom Software RAT Activated Cracked.exe | Majid Z Hacker Website.exe | 3
  PID 4084 wrote to memory of 756 | 4084 | Majid Z Hacker Website.exe | microsoft corporation.exe | 3
  PID 4084 wrote to memory of 2560 | 4084 | Majid Z Hacker Website.exe | windows.exe | 2
  PID 4084 wrote to memory of 508 | 4084 | Majid Z Hacker Website.exe | WScript.exe | 3
  PID 508 wrote to memory of 4672 | 508 | WScript.exe | WScript.exe | 3
  PID 4672 wrote to memory of 4844 | 4672 | WScript.exe | powershell.exe | 3
  PID 4672 wrote to memory of 4900 | 4672 | WScript.exe | powershell.exe | 3
  PID 4672 wrote to memory of 2200 | 4672 | WScript.exe | powershell.exe | 3
  PID 4672 wrote to memory of 680 | 4672 | WScript.exe | powershell.exe | 3
  PID 4672 wrote to memory of 4144 | 4672 | WScript.exe | powershell.exe | 3
  PID 4672 wrote to memory of 4536 | 4672 | WScript.exe | powershell.exe | 3
  PID 4672 wrote to memory of 4636 | 4672 | WScript.exe | powershell.exe | 3
  PID 4672 wrote to memory of 1740 | 4672 | WScript.exe | powershell.exe | 3
  PID 4672 wrote to memory of 2992 | 4672 | WScript.exe | powershell.exe | 3
  PID 4672 wrote to memory of 1552 | 4672 | WScript.exe | powershell.exe | 3
  PID 4672 wrote to memory of 4624 | 4672 | WScript.exe | powershell.exe | 3
  PID 2560 wrote to memory of 3764 | 2560 | windows.exe | windows.exe | 2
  PID 756 wrote to memory of 4116 | 756 | microsoft corporation.exe | microsoft corporation.exe | 3
  PID 4116 wrote to memory of 2804 | 4116 | microsoft corporation.exe | netsh.exe | 3
Processes (process tree; the number in brackets is the depth, each entry gives the image path, the command line, and the signatures matched on that process)

[1] C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Software RAT Activated Cracked.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Venom-Rat-Cracked--main\Venom Software RAT Activated Cracked.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe"
      - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\ProgramData\microsoft corporation.exe
          cmd: "C:\ProgramData\microsoft corporation.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\netsh.exe
            cmd: netsh firewall add allowedprogram "C:\ProgramData\microsoft corporation.exe" "microsoft corporation.exe" ENABLE
            - Modifies Windows Firewall

    [3] C:\Users\Admin\AppData\Local\Temp\windows.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\windows.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe
          cmd: "C:\Users\Admin\AppData\Roaming\Adobe\Updates\windows.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops autorun.inf file
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx

    [3] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WScript.exe
          cmd: "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate
          - Modifies Windows Defender Real-time Protection settings
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads (dropped and written files: path, size)
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log, 2KB
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive, 18KB (reported eight times, one per PowerShell instance)
C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker Website.exe, 127KB
C:\Users\Admin\AppData\Local\Temp\Venom Cracked.exe, 12.1MB
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1ehbkck.usm.ps1, 60B
C:\Users\Admin\AppData\Local\Temp\melt.txt, 45B
C:\Users\Admin\AppData\Local\Temp\microsoft corporation.exe, 33KB
C:\Users\Admin\AppData\Local\Temp\script.vbs, 1KB
C:\Users\Admin\AppData\Local\Temp\windows.exe, 145KB