Analysis
-
max time kernel
104s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20240910-en -
resource tags
arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system -
submitted
04-10-2024 23:31
Behavioral task
behavioral1
Sample
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe
Resource
win7-20240903-en
General
-
Target
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe
-
Size
74KB
-
MD5
e5ebd0b94853ac7c6d8f2f1e755e6200
-
SHA1
7723a709bcd5d593b8a26c64995189536e8f4f27
-
SHA256
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0de
-
SHA512
0ab193eed655acee210a0f9992d676508695aa76442e5b6bc9e68301cd9524f878d1832243af8a816311ba8922af284b80b395d0c32ea0825222bcc112c25c23
-
SSDEEP
1536:NUxQcxI76jCsGPMVee9VdQuDI6H1bf/2DzIQzcCLVclN:NUOcxI7q3GPMVee9VdQsH1bf88QTBY
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
147.185.221.21:64638
AADWadsafsjbajiawd=-adfsr
-
delay
1
-
install
true
-
install_file
Windows Update.exe
-
install_folder
%AppData%
Signatures
-
Processes:
resource yara_rule behavioral2/memory/1896-1-0x0000000000CB0000-0x0000000000CC8000-memory.dmp VenomRAT behavioral2/files/0x000400000001da0e-12.dat VenomRAT -
Async RAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x000400000001da0e-12.dat family_asyncrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe -
Executes dropped EXE 1 IoCs
Processes:
Windows Update.exepid Process 3964 Windows Update.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid Process 4456 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exeWindows Update.exepid Process 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 3964 Windows Update.exe 3964 Windows Update.exe 3964 Windows Update.exe 3964 Windows Update.exe 3964 Windows Update.exe 3964 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exeWindows Update.exedescription pid Process Token: SeDebugPrivilege 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe Token: SeDebugPrivilege 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe Token: SeDebugPrivilege 3964 Windows Update.exe Token: SeDebugPrivilege 3964 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Windows Update.exepid Process 3964 Windows Update.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.execmd.execmd.exedescription pid Process procid_target PID 1896 wrote to memory of 2240 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 87 PID 1896 wrote to memory of 2240 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 87 PID 1896 wrote to memory of 2052 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 88 PID 1896 wrote to memory of 2052 1896 ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe 88 PID 2240 wrote to memory of 1272 2240 cmd.exe 91 PID 2240 wrote to memory of 1272 2240 cmd.exe 91 PID 2052 wrote to memory of 4456 2052 cmd.exe 92 PID 2052 wrote to memory of 4456 2052 cmd.exe 92 PID 2052 wrote to memory of 3964 2052 cmd.exe 98 PID 2052 wrote to memory of 3964 2052 cmd.exe 98 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe"C:\Users\Admin\AppData\Local\Temp\ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0deN.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
PID:1272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8EE2.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:4456
-
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3964
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
158B
MD5c983b11ee6a632cd5c7e7ca869d5d00e
SHA1e886fbf9154593571bd21b27939d0e961349012d
SHA25641c131e867cb25262231046b8ac18e3e35748353701b36073c54105fca394d85
SHA512d68278e3ac39a35ab5dc7a3f12be555c1fba72955e4a357e4e6e7a8e1876c2ac313a40e0389726395b141b9d0ad5efd6b8da47624fab8b6a4cf3e824d16f987d
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
74KB
MD5e5ebd0b94853ac7c6d8f2f1e755e6200
SHA17723a709bcd5d593b8a26c64995189536e8f4f27
SHA256ad320647b7cedddf918daaff0fca18e4cc92493d82c21062cd0acff66ad1e0de
SHA5120ab193eed655acee210a0f9992d676508695aa76442e5b6bc9e68301cd9524f878d1832243af8a816311ba8922af284b80b395d0c32ea0825222bcc112c25c23