Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-08-2024 05:08
Behavioral task: behavioral1
Sample: Venom.exe
Resource: win7-20240708-en
General
Target: Venom.exe
Size: 3.1MB
MD5: 1348632fc2ede08cab5db1cb174ff0d3
SHA1: 2a1966291aa0e7aee1b039a1a75fa4879489a2be
SHA256: 900cb76890979aa50347b7b929ef1babd7c677966f642aa4d74cf973136a48bf
SHA512: 52f68303d71f1293b02784539ef3250a95cf9ef4cb868e26e381a86667ab4f5cfc5a36d462ff746dc021bc0420cf8f0b31b050ec4142fb1be4b8f626fae39edb
SSDEEP: 49152:avht62XlaSFNWPjljiFa2RoUYItFW7Bxn+oGdzTHHB72eh2NT:avL62XlaSFNWPjljiFXRoUYIrW2
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.0.246:4782
1e9de725-2f46-4350-b6c8-78b3b776a085
encryption_key: ACF3D3BDCC7612495B863F26348AD4EE3B96458B
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: venom
subdirectory: SubDir
Signatures
Quasar payload 4 IoCs
Processes:
resource  yara_rule
behavioral2/memory/3220-1-0x0000000000960000-0x0000000000C84000-memory.dmp  family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  family_quasar
C:\Users\Admin\Downloads\venom executor.exe  family_quasar
behavioral2/memory/2260-601-0x00000000000D0000-0x00000000003F4000-memory.dmp  family_quasar
Executes dropped EXE 7 IoCs
Processes:
pid   process
2496  Client.exe
2260  venom executor.exe
1276  venom executor.exe
2564  Client.exe
3560  venom executor.exe
944   venom executor.exe
2428  venom executor.exe
Drops file in System32 directory 2 IoCs
Processes:
description   ioc   process
File created  C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF  chrome.exe
File created  \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF  chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description        ioc   process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Modifies data under HKEY_USERS 1 IoCs
Processes:
description  ioc   process
Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
1228  schtasks.exe
4128  schtasks.exe
5100  schtasks.exe
880   schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid   process
2488  chrome.exe
2488  chrome.exe
2260  venom executor.exe
1844  chrome.exe
1844  chrome.exe
1844  chrome.exe
1844  chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
2496  Client.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
pid   process
2488  chrome.exe  (6 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                       pid   process
Token: SeDebugPrivilege           3220  Venom.exe
Token: SeDebugPrivilege           2496  Client.exe
Token: SeShutdownPrivilege        2488  chrome.exe
Token: SeCreatePagefilePrivilege  2488  chrome.exe
(the two chrome.exe rows above alternate for 60 entries in total)
Token: 33                         2552  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2552  AUDIODG.EXE
Suspicious use of FindShellTrayWindow 36 IoCs
Processes:
pid   process
2496  Client.exe
2488  chrome.exe  (34 entries)
2564  Client.exe
Suspicious use of SendNotifyMessage 26 IoCs
Processes:
pid   process
2496  Client.exe
2488  chrome.exe  (24 entries)
2564  Client.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
2496  Client.exe
2564  Client.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                        pid   process     target process
PID 3220 wrote to memory of 880    3220  Venom.exe   schtasks.exe  (2 entries)
PID 3220 wrote to memory of 2496   3220  Venom.exe   Client.exe    (2 entries)
PID 2496 wrote to memory of 1228   2496  Client.exe  schtasks.exe  (2 entries)
PID 2488 wrote to memory of 632    2488  chrome.exe  chrome.exe    (2 entries)
PID 2488 wrote to memory of 5116   2488  chrome.exe  chrome.exe    (repeated)
PID 2488 wrote to memory of 1504   2488  chrome.exe  chrome.exe    (2 entries)
PID 2488 wrote to memory of 5052   2488  chrome.exe  chrome.exe    (repeated)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Venom.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Venom.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3220

  C:\Windows\SYSTEM32\schtasks.exe (level 2)
  Command line: "schtasks" /create /tn "venom" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
  PID: 880

  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2496

    C:\Windows\SYSTEM32\schtasks.exe (level 3)
    Command line: "schtasks" /create /tn "venom" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 1228

C:\Program Files\Google\Chrome\Application\chrome.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2488

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd84a7cc40,0x7ffd84a7cc4c,0x7ffd84a7cc58
  PID: 632

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1936 /prefetch:2
  PID: 5116

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1888,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2144 /prefetch:3
  PID: 1504

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2136,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2524 /prefetch:8
  PID: 5052

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3124 /prefetch:1
  PID: 3040

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3296 /prefetch:1
  PID: 736

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3680,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3672 /prefetch:1
  PID: 944

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:8
  PID: 1780

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5028 /prefetch:8
  PID: 4404

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4352,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5168 /prefetch:1
  PID: 4156

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3440,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
  PID: 4312

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4004,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3468 /prefetch:1
  PID: 4468

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=208,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5384 /prefetch:8
  PID: 3748

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5764,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5820 /prefetch:8
  PID: 4864

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5796,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5960 /prefetch:8
  PID: 3480

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5800,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5996 /prefetch:8
  PID: 2820

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5756,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6140 /prefetch:8
  PID: 1460

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5984,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6288 /prefetch:8
  PID: 432

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6228,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6424 /prefetch:8
  PID: 912

  C:\Users\Admin\Downloads\venom executor.exe (level 2)
  Command line: "C:\Users\Admin\Downloads\venom executor.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 2260

  C:\Users\Admin\Downloads\venom executor.exe (level 2)
  Command line: "C:\Users\Admin\Downloads\venom executor.exe"
  - Executes dropped EXE
  PID: 1276

    C:\Windows\SYSTEM32\schtasks.exe (level 3)
    Command line: "schtasks" /create /tn "venom executor" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task
    PID: 4128

    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (level 3)
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID: 2564

      C:\Windows\SYSTEM32\schtasks.exe (level 4)
      Command line: "schtasks" /create /tn "venom executor" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
      PID: 5100

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6220,i,10075390807884759930,3284817973986861888,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6440 /prefetch:8
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1844

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (level 1)
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
PID: 1984

C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
PID: 1560

C:\Windows\system32\AUDIODG.EXE (level 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x4c4 0x498
- Suspicious use of AdjustPrivilegeToken
PID: 2552

C:\Windows\System32\rundll32.exe (level 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 1464

C:\Users\Admin\Downloads\venom executor.exe (level 1)
Command line: "C:\Users\Admin\Downloads\venom executor.exe"
- Executes dropped EXE
PID: 3560

C:\Users\Admin\Downloads\venom executor.exe (level 1)
Command line: "C:\Users\Admin\Downloads\venom executor.exe"
- Executes dropped EXE
PID: 944

C:\Users\Admin\Downloads\venom executor.exe (level 1)
Command line: "C:\Users\Admin\Downloads\venom executor.exe"
- Executes dropped EXE
PID: 2428
Network
MITRE ATT&CK Enterprise v15
Downloads