Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-10-2024 23:31
Behavioral task
behavioral1
Sample
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe
Resource
win7-20240903-en
General
-
Target
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe
-
Size
74KB
-
MD5
e5ebd0b94853ac7c6d8f2f1e755e6200
-
SHA1
7723a709bcd5d593b8a26c64995189536e8f4f27
-
SHA256
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0de
-
SHA512
0ab193eed655acee210a0f9992d676508695aa76442e5b6bc9e68301cd9524f878d1832243af8a816311ba8922af284b80b395d0c32ea0825222bcc112c25c23
-
SSDEEP
1536:NUxQcxI76jCsGPMVee9VdQuDI6H1bf/2DzIQzcCLVclN:NUOcxI7q3GPMVee9VdQsH1bf88QTBY
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
147.185.221.21:64638
AADWadsafsjbajiawd=-adfsr
-
delay
1
-
install
true
-
install_file
Windows Update.exe
-
install_folder
%AppData%
Signatures
-
Processes:
resource yara_rule behavioral1/memory/2420-1-0x00000000003A0000-0x00000000003B8000-memory.dmp VenomRAT C:\Users\Admin\AppData\Roaming\Windows Update.exe VenomRAT behavioral1/memory/2808-18-0x00000000001B0000-0x00000000001C8000-memory.dmp VenomRAT -
Async RAT payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Windows Update.exe family_asyncrat -
Executes dropped EXE 1 IoCs
Processes:
Windows Update.exepid process 2808 Windows Update.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2344 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exeWindows Update.exepid process 2420 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 2420 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 2420 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 2808 Windows Update.exe 2808 Windows Update.exe 2808 Windows Update.exe 2808 Windows Update.exe 2808 Windows Update.exe 2808 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exeWindows Update.exedescription pid process Token: SeDebugPrivilege 2420 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe Token: SeDebugPrivilege 2420 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe Token: SeDebugPrivilege 2808 Windows Update.exe Token: SeDebugPrivilege 2808 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Windows Update.exepid process 2808 Windows Update.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.execmd.execmd.exedescription pid process target process PID 2420 wrote to memory of 2120 2420 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe cmd.exe PID 2420 wrote to memory of 2120 2420 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe cmd.exe PID 2420 wrote to memory of 2120 2420 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe cmd.exe PID 2420 wrote to memory of 1712 2420 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe cmd.exe PID 2420 wrote to memory of 1712 2420 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe cmd.exe PID 2420 wrote to memory of 1712 2420 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe cmd.exe PID 1712 wrote to memory of 2344 1712 cmd.exe timeout.exe PID 1712 wrote to memory of 2344 1712 cmd.exe timeout.exe PID 1712 wrote to memory of 2344 1712 cmd.exe timeout.exe PID 2120 wrote to memory of 2712 2120 cmd.exe schtasks.exe PID 2120 wrote to memory of 2712 2120 cmd.exe schtasks.exe PID 2120 wrote to memory of 2712 2120 cmd.exe schtasks.exe PID 1712 wrote to memory of 2808 1712 cmd.exe Windows Update.exe PID 1712 wrote to memory of 2808 1712 cmd.exe Windows Update.exe PID 1712 wrote to memory of 2808 1712 cmd.exe Windows Update.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe"C:\Users\Admin\AppData\Local\Temp\ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
PID:2712 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB2D.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:2344 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2808
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
158B
MD53eb24ffc0ca484288c0bed841e738df2
SHA125d83cc80dd763668607b98b502acd499c23efd0
SHA256603bd5a4225dd66eecf694ab4fd096e271f694dfbe8429273bf52bda1916838c
SHA51293b4e010556e3bbe94cee45c48fdf4c152f4b514561816afe815b54a307ba2506c0b44bed5cb8931a6c1f5381014fbc457b729cd57c3dabaa34155cf4f12be46
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
74KB
MD5e5ebd0b94853ac7c6d8f2f1e755e6200
SHA17723a709bcd5d593b8a26c64995189536e8f4f27
SHA256ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0de
SHA5120ab193eed655acee210a0f9992d676508695aa76442e5b6bc9e68301cd9524f878d1832243af8a816311ba8922af284b80b395d0c32ea0825222bcc112c25c23