Analysis
max time kernel: 120s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-07-2024 02:21
Behavioral task: behavioral1
Sample: 378b0ac112a719e6d5f8b31603877690N.exe
Resource: win7-20240708-en
General
Target: 378b0ac112a719e6d5f8b31603877690N.exe
Size: 119KB
MD5: 378b0ac112a719e6d5f8b31603877690
SHA1: 27c6e0cdee370a6ff54efc949727c9076870dcab
SHA256: f23dac3626300010fbfdedaec9cf07d0890b3acec0190283ecb0b545de22ecb8
SHA512: c0788079b2bc9dfafc3b5cb48b45f33974bb26004b3d3c07893fdde8c56e5cd0409b3b82c7313ddfb89d31de9580ddb0be4ab3604dd49b85fc3674ec6f130588
SSDEEP: 3072:qOfRzlXCwwFwOwWAmm+m/bxqH8QWrzCrAZu8VDpyD/d+OC:qr1SWH+/bgi1VDpyD/Y
Malware Config
Extracted
Family: toxiceye
Telegram Bot API endpoint (sendMessage, with embedded bot token and chat_id): https://api.telegram.org/bot7335066800:AAFPnjqCOJcJkOIGjmU_-X7I-VqiZLlbktE/sendMessage?chat_id=1319796723
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation (process: 378b0ac112a719e6d5f8b31603877690N.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation (process: rat.exe)
Executes dropped EXE (1 IoC)
  PID 2108: rat.exe
Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 1456: tasklist.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoC)
  PID 2664: timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3148: schtasks.exe
  PID 2604: schtasks.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2108: rat.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2108: rat.exe (the same process, reported 64 times)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 1848: 378b0ac112a719e6d5f8b31603877690N.exe
  Token: SeDebugPrivilege, PID 1456: tasklist.exe
  Token: SeDebugPrivilege, PID 2108: rat.exe (reported twice)
Suspicious use of WriteProcessMemory (14 IoCs; each event below is reported twice)
  PID 1848 (378b0ac112a719e6d5f8b31603877690N.exe) wrote to memory of 3148, procid_target 88
  PID 1848 (378b0ac112a719e6d5f8b31603877690N.exe) wrote to memory of 2872, procid_target 91
  PID 2872 (cmd.exe) wrote to memory of 1456, procid_target 93
  PID 2872 (cmd.exe) wrote to memory of 1484, procid_target 94
  PID 2872 (cmd.exe) wrote to memory of 2664, procid_target 95
  PID 2872 (cmd.exe) wrote to memory of 2108, procid_target 97
  PID 2108 (rat.exe) wrote to memory of 2604, procid_target 102
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child tree)
C:\Users\Admin\AppData\Local\Temp\378b0ac112a719e6d5f8b31603877690N.exe (PID 1848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\378b0ac112a719e6d5f8b31603877690N.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe (PID 3148)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
    - Scheduled Task/Job: Scheduled Task
  C:\Windows\System32\cmd.exe (PID 2872)
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp800D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp800D.tmp.bat
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\tasklist.exe (PID 1456)
      Command line: Tasklist /fi "PID eq 1848"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\find.exe (PID 1484)
      Command line: find ":"
    C:\Windows\system32\timeout.exe (PID 2664)
      Command line: Timeout /T 1 /Nobreak
      - Delays execution with timeout.exe
    C:\Users\ToxicEye\rat.exe (PID 2108)
      Command line: "rat.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\schtasks.exe (PID 2604)
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
  Filesize: 210B
  MD5: 373c6455f0243518ba1f7c6c41277975
  SHA1: a57deca8705f19517c90362342f81f341101bfde
  SHA256: cc3efed27a247b94f0504630c4bab1b47428c37dd3b22147570aaa476253d145
  SHA512: 90e3aefa059d0c8305ae99ad590cb78713ea95d1f9a1230fd846e1d982992e1ea35d1632ec33e526ef022cb9da06ee2e306a7344beb57f1cc4e1babeac07f477
Download 2 (same hashes as the submitted sample)
  Filesize: 119KB
  MD5: 378b0ac112a719e6d5f8b31603877690
  SHA1: 27c6e0cdee370a6ff54efc949727c9076870dcab
  SHA256: f23dac3626300010fbfdedaec9cf07d0890b3acec0190283ecb0b545de22ecb8
  SHA512: c0788079b2bc9dfafc3b5cb48b45f33974bb26004b3d3c07893fdde8c56e5cd0409b3b82c7313ddfb89d31de9580ddb0be4ab3604dd49b85fc3674ec6f130588