Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-10-2024 02:38
Static task: static1
Behavioral task: behavioral1
Sample: 931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe
Resource: win7-20240708-en
General
- Target: 931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe
- Size: 1.1MB
- MD5: 0e43108aac7bb6e9f68d769b746fea16
- SHA1: 751e7fe585e73d5ab80f5f629c94c170484c12f5
- SHA256: 931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993
- SHA512: faca3f1d87a4bdbacc0396544818a27925800b95e298185eb8ae3580d79f02a7eee7f02564181f453bdb56197539a3659526e1f00881ac0779301d7dbdd60c27
- SSDEEP: 24576:D9e1IHkIpNfvY092Y1f9t2JZVJ+TJV8felYpYtx8zkUa:DUmHpBNv9UJZVJ+TJVuiMa
Malware Config
Extracted
- Family: asyncrat
- Version: Venom RAT + HVNC + Receiving + Grabber v6.0.4
- Botnet: NewClient
- C2: 157.20.182.183:4449
- Mutex: fsqshvwapaxdhwtdp
- Attributes:
  - delay: 1
  - install: false
  - install_file: Winup.exe
  - install_folder: %AppData%
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes (description | pid | process | target process):
- PID 2608 created 3632 | 2608 | Councils.pif | Explorer.EXE
Processes (resource | yara_rule):
- behavioral2/memory/4968-31-0x00000000009A0000-0x00000000009B8000-memory.dmp | VenomRAT
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe
Drops startup file (2 IoCs)
Processes (description | ioc | process):
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url | cmd.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url | cmd.exe
Executes dropped EXE (2 IoCs)
Processes (pid | process):
- 2608 | Councils.pif
- 4968 | RegAsm.exe
Enumerates processes with tasklist (1 TTP, 2 IoCs)
Processes (pid | process):
- 5068 | tasklist.exe
- 932 | tasklist.exe
Drops file in Windows directory (3 IoCs)
Processes (description | ioc | process):
- File opened for modification | C:\Windows\MatchedThem | 931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe
- File opened for modification | C:\Windows\DemonstrationCult | 931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe
- File opened for modification | C:\Windows\CrackBride | 931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Councils.pif
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | choice.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes (pid | process):
- 2608 | Councils.pif (32 identical entries)
- 4968 | RegAsm.exe (22 identical entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 932 | tasklist.exe
- Token: SeDebugPrivilege | 5068 | tasklist.exe
- Token: SeDebugPrivilege | 4968 | RegAsm.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes (pid | process):
- 2608 | Councils.pif (3 identical entries)
Suspicious use of SendNotifyMessage (3 IoCs)
Processes (pid | process):
- 2608 | Councils.pif (3 identical entries)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid | process):
- 4968 | RegAsm.exe
Suspicious use of WriteProcessMemory (38 IoCs)
Processes (description | pid | process | target process); each row was logged the number of times shown:
- PID 4244 wrote to memory of 3580 | 4244 | 931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe | cmd.exe (3 entries)
- PID 3580 wrote to memory of 932 | 3580 | cmd.exe | tasklist.exe (3 entries)
- PID 3580 wrote to memory of 1796 | 3580 | cmd.exe | findstr.exe (3 entries)
- PID 3580 wrote to memory of 5068 | 3580 | cmd.exe | tasklist.exe (3 entries)
- PID 3580 wrote to memory of 5076 | 3580 | cmd.exe | findstr.exe (3 entries)
- PID 3580 wrote to memory of 5044 | 3580 | cmd.exe | cmd.exe (3 entries)
- PID 3580 wrote to memory of 4264 | 3580 | cmd.exe | findstr.exe (3 entries)
- PID 3580 wrote to memory of 3104 | 3580 | cmd.exe | cmd.exe (3 entries)
- PID 3580 wrote to memory of 2608 | 3580 | cmd.exe | Councils.pif (3 entries)
- PID 3580 wrote to memory of 2180 | 3580 | cmd.exe | choice.exe (3 entries)
- PID 2608 wrote to memory of 4168 | 2608 | Councils.pif | cmd.exe (3 entries)
- PID 2608 wrote to memory of 4968 | 2608 | Councils.pif | RegAsm.exe (5 entries)
Processes

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3632
  - C:\Users\Admin\AppData\Local\Temp\931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\931a185152c1d316cd2b65998aee88d4f64f4acbe59df3efabb0ff968fa6c993.exe"
    Signatures: Checks computer location settings; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID: 4244
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c move Attacked Attacked.bat & Attacked.bat
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 3580
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
        PID: 932
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /I "wrsa opssvc"
        Signatures: System Location Discovery: System Language Discovery
        PID: 1796
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
        PID: 5068
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        Signatures: System Location Discovery: System Language Discovery
        PID: 5076
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c md 347861
        Signatures: System Location Discovery: System Language Discovery
        PID: 5044
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V "systemadaptermeetingskenneth" Grow
        Signatures: System Location Discovery: System Language Discovery
        PID: 4264
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c copy /b ..\Officer + ..\Essays + ..\Cool + ..\Prompt + ..\Itunes G
        Signatures: System Location Discovery: System Language Discovery
        PID: 3104
      - C:\Users\Admin\AppData\Local\Temp\347861\Councils.pif
        Command line: Councils.pif G
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        PID: 2608
        - C:\Users\Admin\AppData\Local\Temp\347861\RegAsm.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\347861\RegAsm.exe
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
          PID: 4968
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /d y /t 5
        Signatures: System Location Discovery: System Language Discovery
        PID: 2180
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url" & echo URL="C:\Users\Admin\AppData\Local\EduInno Dynamics\EduCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url" & exit
    Signatures: Drops startup file; System Location Discovery: System Language Discovery
    PID: 4168
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 872KB
  MD5: 18ce19b57f43ce0a5af149c96aecc685
  SHA1: 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
  SHA256: d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
  SHA512: a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
- Filesize: 331KB
  MD5: 5a9b52baaf6a9030f3bb5fdc73fdbb97
  SHA1: 8391133bab34d7ec3af23058bad403a404cd9986
  SHA256: a4fb39190e94406427d266c4f0a7b8a576dea8e6329645706bba403cfcce50a8
  SHA512: 1168f78e3ca07ff74123b8d4dc059f7d5d872bf9e5b7e2728314b44f31058f0d0e4f1487c45fa521a699f8dbeefb43b724f47a040ec46ddf0aa7b1ee1070ab4a
- Filesize: 63KB
  MD5: 0d5df43af2916f47d00c1573797c1a13
  SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
  SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
  SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
- Filesize: 16KB
  MD5: 6ef8c1c2b28c05eaeac6e46b3040e369
  SHA1: e95b0727b83d7093562ed5605cec43a4ef999d55
  SHA256: 9b49261b378ff83d4deba60b2340d42f374cde941167951600029d9083ba48e7
  SHA512: 9a125ab0f47d9637542d1ec582ede4b0acf547e31756d0989e91fc8b638e37611d8dd6f01c6a11f209ee77a11f2a928163fe7b6a8f28b86d0b79cfe913fa505d
- Filesize: 69KB
  MD5: ffa1c079c2f4c6fe1748c9705fbc0fda
  SHA1: f701e6edc65bb7de8158b57861b03014bc1c65b9
  SHA256: 514774d8e62dc37f281992338612463068808ed5a466dc1b0c7c242b31f48389
  SHA512: babb4b4fee2d4444e96f634c713de43ba0490e759e003497723293b54235fdc06a3fd60dc200bf708ad4fcf397a3e5338ddad6dd8154c9f46f64f6a805d1e800
- Filesize: 69KB
  MD5: 150f4653b13b6c4d0b8b72770c682969
  SHA1: b62372a844d67e89e7a335bb3791fb7ec4b38321
  SHA256: 36bbde273aee8421edb18b4f2017146118307ba7dd3694b6d55f64bd159c3ded
  SHA512: ccf3695445a4fde30edbe4210ceb594d1016a3bf154ba43222ce2d42d5e24357a094c0896faad6a933c7047b764345e0748489f7ad1ec9f58e95555dc3153dc5
- Filesize: 2KB
  MD5: 3c9f8ff4a787de0add5ea18b3c90aeec
  SHA1: 906ebcd1a5b5b34169b3312c57b478b7eb2acfa9
  SHA256: 555da9eb7911ddc494fed580e6ea21988b13e917f76206e00707176797db190b
  SHA512: f321713b684334a6ee674680bda1cb45b82c9a2385ce0257f44823d7acedb9390638dc267dc55fa73647b074ee7d7c062c98284b90d9ae9aad9128bb0a303765
- Filesize: 29KB
  MD5: 694d11c39dab9971a8e33c9a2fbb8c54
  SHA1: 1ab6a65b43de72bd706c4c2b1baabcc03c2e20f3
  SHA256: 58af08c2703bf98461f3acf686b52d34d7c63e6665982eaee6f2be2f32f3a76a
  SHA512: ed0789ba83fb053241838abfece5b30389e339d11121e37754a0ca2bb4d8c04152e37b805fc814f17b605e6abed0b4b71b35387d345cac7de93ddba4a213929c
- Filesize: 65KB
  MD5: b2d7b245eb933bb0a5fe20daa25cbff9
  SHA1: ad52775da728362183fc18991db143903d1118a9
  SHA256: 94a1ee3ff9882414c621b0bf21b74744bbd69461e55d7a3479c0e75801167aca
  SHA512: ff51ec8ec382e25e0946281bde452e27d510723b66d378a54623597255f89aee5014c2ee8885c832bb9449e4b3c51565764b80d2b8782fe62fee108f605ea859
- Filesize: 99KB
  MD5: e3d1a8c190d473c37be04f3e883c5bd5
  SHA1: 817fffb89d3835977921fa827cf407f901475b6d
  SHA256: e731b0ed7a9b1ea844b0f7aca3f27982213b6e8a6dc6512c0aaec3b8dece079d
  SHA512: 4d86b387b75792f2168a4d51750ca41a71674e5ec25a7e09826f0b74eeb13e9ffdb49aab632a8aa7e10678494881aa8d39b9e89c988971cd9260e6c06c316360
- Filesize: 870KB
  MD5: acf1ef48885709dbc83533ee0425c52f
  SHA1: d0ef7d02f7610a7e0121bc80b828158e18cd2f65
  SHA256: 4f9208638d6a49b70e5192c525792edcdb1bb06ab403cdc5b93a357b5ba3bee2
  SHA512: 2de5ab5f7e71dd12973040ae6f3a53df71fc746ce4874d41fd8123be3fe24c0f9fa8444b07f89b03d4132ac14c40891e3b84885d62278bce62b2b0db0b0cd7bb