Overview

overview

10

Static

static

3

Release.exe

windows10-2004-x64

Release.exe

windows11-21h2-x64

Analysis

  • max time kernel
    7s
  • max time network
    19s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2024 21:53

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Release.exe

  • Size

    597KB

  • MD5

    606053f855e7969e596bfce116360cd4

  • SHA1

    78c4bf47fa78eca3a89d1061d21275836902d5c6

  • SHA256

    2d7d41e9ed34a165cd45ef6e9700c5d70d43cd3e9a2686389cd667bd5d2a30ef

  • SHA512

    85e40a1b11db1ef340e5c794315046e8db047963228f1780bc47356a8ff52e4c1beb72acbdd83709aca898ef7194f224d1b13e6bcca4efb28ec61d1df1d057f5

  • SSDEEP

    12288:yyveQB/fTHIGaPkKEYzURNAwbAgOT+t1R2RxoC/aHK09Tp:yuDXTIGaPhEYzUzA0bsWjT

Score
10/10
toxiceyediscoveryrattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7370990677:AAFRG5SGghnaK_mDZqGyrOAkScygRIFkkzQ/sendMessage?chat_id=7315171848

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Release.exe
    "C:\Users\Admin\AppData\Local\Temp\Release.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
      "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3084
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3228
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBD26.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpBD26.tmp.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Windows\system32\tasklist.exe
          Tasklist /fi "PID eq 3084"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2160
        • C:\Windows\system32\find.exe
          find ":"
          4⤵
            PID:3280
          • C:\Windows\system32\timeout.exe
            Timeout /T 1 /Nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:1216
          • C:\Users\CyberEye\rat.exe
            "rat.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4920
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
      Filesize

      136KB

      MD5

      8aadaaa1bd0395908abe7632ae27b08c

      SHA1

      71b37ca8b03ec620647141ec91f2f1eb4042450f

      SHA256

      8d11819be351083a53b4e50a722c4bb81e19ac0a4ac69409102d50e79094d336

      SHA512

      170acad3a55677ead5e7e471c1b648d26925d77457e1e821879c8ab7efb9a8773b50192099e0993c6174f4b044421865021f3ce98386f13c23732373a38f55ef

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe.config
      Filesize

      161B

      MD5

      c16b0746faa39818049fe38709a82c62

      SHA1

      3fa322fe6ed724b1bc4fd52795428a36b7b8c131

      SHA256

      d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad

      SHA512

      cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpBD26.tmp.bat
      Filesize

      188B

      MD5

      b1cc876889564b4d90b83663bc2350b7

      SHA1

      a7032b1aea52e1c67d56f5450dbd91a2ef744a49

      SHA256

      67540d57d6b943c4f152036ca8aff68616a079aa49f63272d48e35eab6e0e0ee

      SHA512

      05b3982fcfc60f816502cebe02f15034d5ffc12278b46f6ccbdca95418663d00e0338240b65b3da252c2813e561af80af44640d1c5575b50384567992331ef1b

      Download Submit

    • memory/3084-23-0x00007FF9B30D3000-0x00007FF9B30D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3084-24-0x0000015B085B0000-0x0000015B085D8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/3084-25-0x00007FF9B30D0000-0x00007FF9B3B91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3084-29-0x00007FF9B30D0000-0x00007FF9B3B91000-memory.dmp

      Filesize

      10.8MB

      Download