Analysis
- max time kernel: 110s
- max time network: 112s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 26-10-2024 12:01

Behavioral task: behavioral1
- Sample: New Compressed (zipped) Folder.zip
- Resource: win7-20241023-en
General
- Target: New Compressed (zipped) Folder.zip
- Size: 35KB
- MD5: 2f8686bb41f2630a770e831b2e2e162e
- SHA1: 5cf31b68b6503d22c4a65fcb4f4989f052becc69
- SHA256: bd4f765c8608ad84aab3859639f4dfc925c2f099434e1c0e2d7db15fc7d05e8f
- SHA512: cb6c6315f4acfc729517840b92682c0bbcbf56cb384873fdf8c95e5adf3fad7258e606b016b122180ac9c286c8c4591cfd1bcd669a86a9ee483299dad4a1f4bc
- SSDEEP: 768:ykeI/9/uVjK7HKy84/igZ8TgZkXTe1GZ6UNolhM6n:x/9/X7S4/VJqTeI8H
Malware Config
Extracted
- family: asyncrat
- Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Default
- C2: 127.0.0.1:4449
- zibgoamyfpalbhsqxxf
- delay: 1
- install: true
- install_file: discord.exe
- install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload (1 IoCs)
  Processes (resource, yara_rule):
    C:\Users\Admin\AppData\Local\Temp\7zO4F4BA278\discord.exe  family_asyncrat
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2456 discord.exe
    2976 discord.exe
    2112 discord.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (2 IoCs)
  Processes (pid, process):
    596 timeout.exe
    1712 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
    2308 schtasks.exe
    1976 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid, process):
    2976 discord.exe
    1268 7zFM.exe (5 entries)
    2112 discord.exe
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes (description, pid, process):
    Token: SeRestorePrivilege  1268 7zFM.exe
    Token: 35  1268 7zFM.exe
    Token: SeSecurityPrivilege  1268 7zFM.exe
    Token: SeDebugPrivilege  2456 discord.exe
    Token: SeSecurityPrivilege  1268 7zFM.exe
    Token: SeDebugPrivilege  2976 discord.exe
    Token: SeSecurityPrivilege  1268 7zFM.exe
    Token: SeDebugPrivilege  2112 discord.exe
    Token: 33  1924 AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  1924 AUDIODG.EXE
    Token: 33  1924 AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  1924 AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid, process):
    1268 7zFM.exe (4 entries)
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (source pid/process -> target pid/process; each row recorded 3 times):
    1268 7zFM.exe -> 2456 discord.exe
    1268 7zFM.exe -> 2976 discord.exe
    2976 discord.exe -> 1304 cmd.exe
    2976 discord.exe -> 2188 cmd.exe
    2188 cmd.exe -> 596 timeout.exe
    1304 cmd.exe -> 2308 schtasks.exe
    2112 discord.exe -> 2460 cmd.exe
    2460 cmd.exe -> 1976 schtasks.exe
    2112 discord.exe -> 1000 cmd.exe
    1000 cmd.exe -> 1712 timeout.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; indentation shows parent/child)
- C:\Program Files\7-Zip\7zFM.exe (PID 1268)
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\New Compressed (zipped) Folder.zip"
  Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zO4F4BA278\discord.exe (PID 2456)
    "C:\Users\Admin\AppData\Local\Temp\7zO4F4BA278\discord.exe"
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\7zO4F424378\discord.exe (PID 2976)
    "C:\Users\Admin\AppData\Local\Temp\7zO4F424378\discord.exe"
    Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 1304)
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "discord" /tr '"C:\Users\Admin\AppData\Roaming\discord.exe"' & exit
      Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe (PID 2308)
        schtasks /create /f /sc onlogon /rl highest /tn "discord" /tr '"C:\Users\Admin\AppData\Roaming\discord.exe"'
        Scheduled Task/Job: Scheduled Task
    - C:\Windows\system32\cmd.exe (PID 2188)
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5E94.tmp.bat""
      Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe (PID 596)
        timeout 3
        Delays execution with timeout.exe
- C:\Users\Admin\Desktop\discord.exe (PID 2112)
  "C:\Users\Admin\Desktop\discord.exe"
  Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 2460)
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "discord" /tr '"C:\Users\Admin\AppData\Roaming\discord.exe"' & exit
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 1976)
      schtasks /create /f /sc onlogon /rl highest /tn "discord" /tr '"C:\Users\Admin\AppData\Roaming\discord.exe"'
      Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe (PID 1000)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E0F.tmp.bat""
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 1712)
      timeout 3
      Delays execution with timeout.exe
- C:\Windows\system32\LogonUI.exe (PID 1480)
  "LogonUI.exe" /flags:0x0
- C:\Windows\system32\AUDIODG.EXE (PID 1924)
  C:\Windows\system32\AUDIODG.EXE 0x588
  Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (PID 2316)
  "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Enterprise v15
Downloads