Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    19-07-2024 09:16

General

  • Target

    Nursultan Crack.exe

  • Size

    111KB

  • MD5

    0dd740e6b9ef233d114a6a9760deef8d

  • SHA1

    2173e0f562091e6e8e013a20be9a64a883cab48f

  • SHA256

    5bd364033480d135fce29b38ef89ff65a221ef39ab8ca5eb2cf2f239805cbc3c

  • SHA512

    abfa94848d0808b0da24e71bf4117a6c7dcde8bffc1054d21def3b052442f2589d9e73ef9ba6c321da83d4aef9e9970d0066456985f599c314a11de9f6d28bd8

  • SSDEEP

    3072:cbk3P7tiPQHZxj8bxqHqQW/zCrAZuyxv:9P7YPkgbUY

Score
10/10

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot6998171236:AAHZzzN-_3RkZvr6lSYqrgfeGycmwh5j24U/sendMessage?chat_id=5179630861

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies registry class 24 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan Crack.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Nursultan" /tr "C:\Users\ToxicEye\rat.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2000
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpDE79.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpDE79.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 1572"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3124
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
        PID:4984
      • C:\Windows\system32\timeout.exe
        Timeout /T 1 /Nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:876
      • C:\Users\ToxicEye\rat.exe
        "rat.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3624
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Nursultan" /tr "C:\Users\ToxicEye\rat.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3848
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1612
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4108
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2364
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5016
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1440

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri

        Filesize

        171KB

        MD5

        30ec43ce86e297c1ee42df6209f5b18f

        SHA1

        fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

        SHA256

        8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

        SHA512

        19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri

        Filesize

        2KB

        MD5

        b8da5aac926bbaec818b15f56bb5d7f6

        SHA1

        2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

        SHA256

        5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

        SHA512

        c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

      • C:\Users\Admin\AppData\Local\Temp\tmpDE79.tmp.bat

        Filesize

        192B

        MD5

        a79c5d6011194dd5f57959a2326e2965

        SHA1

        92d3c1648f7a5a5f5d5f8c1bff2892e33d1f5bda

        SHA256

        3b11d071930d460d7cf7f6db9402703c5c5c9dcad344aaf943c2ccee9ae23088

        SHA512

        fc041da356099b4e42b50e58566c88fc5f61a9a3b2f3d9acf7bc0586c1dbdf0174a7816be57ab4785e5c70aeefaf7080263a6d673b42227ceb507e52aede9d07

      • C:\Users\ToxicEye\rat.exe

        Filesize

        111KB

        MD5

        0dd740e6b9ef233d114a6a9760deef8d

        SHA1

        2173e0f562091e6e8e013a20be9a64a883cab48f

        SHA256

        5bd364033480d135fce29b38ef89ff65a221ef39ab8ca5eb2cf2f239805cbc3c

        SHA512

        abfa94848d0808b0da24e71bf4117a6c7dcde8bffc1054d21def3b052442f2589d9e73ef9ba6c321da83d4aef9e9970d0066456985f599c314a11de9f6d28bd8

      • memory/1572-0-0x00007FFF16C53000-0x00007FFF16C54000-memory.dmp

        Filesize

        4KB

      • memory/1572-1-0x0000023410070000-0x0000023410092000-memory.dmp

        Filesize

        136KB

      • memory/1572-2-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

        Filesize

        9.9MB

      • memory/1572-6-0x00007FFF16C50000-0x00007FFF1763C000-memory.dmp

        Filesize

        9.9MB