Analysis
Max time kernel: 58s
Max time network: 60s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26-10-2024 12:01
Behavioral task: behavioral1
Sample: New Compressed (zipped) Folder.zip
Resource: win7-20241023-en
Errors
General
Target: New Compressed (zipped) Folder.zip
Size: 35KB
MD5: 2f8686bb41f2630a770e831b2e2e162e
SHA1: 5cf31b68b6503d22c4a65fcb4f4989f052becc69
SHA256: bd4f765c8608ad84aab3859639f4dfc925c2f099434e1c0e2d7db15fc7d05e8f
SHA512: cb6c6315f4acfc729517840b92682c0bbcbf56cb384873fdf8c95e5adf3fad7258e606b016b122180ac9c286c8c4591cfd1bcd669a86a9ee483299dad4a1f4bc
SSDEEP: 768:ykeI/9/uVjK7HKy84/igZ8TgZkXTe1GZ6UNolhM6n:x/9/X7S4/VJqTeI8H
Malware Config
Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: Default
C2: 127.0.0.1:4449
Mutex: zibgoamyfpalbhsqxxf
delay: 1
install: true
install_file: discord.exe
install_folder: %AppData%

Note: the configured C2 is the loopback address, so this build cannot reach an external controller as configured and no beacon traffic is expected from the run. The address is not an actionable network indicator; pivot on the mutex, the install name (discord.exe under %AppData%) and the scheduled task name instead.
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  Processes:
    resource: C:\Users\Admin\Desktop\discord.exe    yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  (discord.exe)
- Executes dropped EXE (7 IoCs)
  Processes: discord.exe, PIDs 3356, 1484, 4624, 468, 4412, 2660, 1360
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Note: all three reads come from taskmgr.exe (PID 1552), a separate top-level process in the tree, not from the sample; do not attribute this anti-sandbox behaviour to discord.exe on the strength of this signature.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000  (taskmgr.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  (taskmgr.exe)
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName  (taskmgr.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Note: as with the SCSI reads, both events come from taskmgr.exe (PID 1552), not from the sample.
  Processes:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (taskmgr.exe)
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (taskmgr.exe)
- Delays execution with timeout.exe (1 IoC)
  Processes: 3380 timeout.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Note: every write comes from LogonUI.exe (PID 2992) under \REGISTRY\USER\.DEFAULT and concerns accent/DWM colour settings; this is logon-screen housekeeping, not sample activity.
  Processes (LogonUI.exe):
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "226"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
    Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named "discord", triggers at logon with /rl highest, and runs the copy dropped to C:\Users\Admin\AppData\Roaming\discord.exe (see the process tree below).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 3356 discord.exe (24 entries), 1484 discord.exe (14), 1552 taskmgr.exe (26)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: 1552 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes:
    1124 7zFM.exe: SeRestorePrivilege, 35, SeSecurityPrivilege
    3356 discord.exe: SeDebugPrivilege
    1484 discord.exe: SeDebugPrivilege
    4624 discord.exe: SeDebugPrivilege
    468 discord.exe: SeDebugPrivilege
    4412 discord.exe: SeDebugPrivilege
    2660 discord.exe: SeDebugPrivilege
    1360 discord.exe: SeDebugPrivilege
    1552 taskmgr.exe: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: 1124 7zFM.exe (3 entries), 1552 taskmgr.exe (61)
- Suspicious use of SendNotifyMessage (62 IoCs)
  Processes: 1552 taskmgr.exe (62 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 1484 discord.exe, 2992 LogonUI.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (source -> target; each pair is logged twice):
    3356 discord.exe -> 1972 cmd.exe
    3356 discord.exe -> 452 cmd.exe
    1972 cmd.exe -> 1592 schtasks.exe
    452 cmd.exe -> 3380 timeout.exe
    452 cmd.exe -> 1484 discord.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Program Files\7-Zip\7zFM.exe  (PID 1124)
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\New Compressed (zipped) Folder.zip"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\discord.exe  (PID 3356)
  "C:\Users\Admin\Desktop\discord.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe  (PID 1972, child of 3356)
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "discord" /tr '"C:\Users\Admin\AppData\Roaming\discord.exe"' & exit
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\schtasks.exe  (PID 1592, child of 1972)
          schtasks /create /f /sc onlogon /rl highest /tn "discord" /tr '"C:\Users\Admin\AppData\Roaming\discord.exe"'
          - Scheduled Task/Job: Scheduled Task
    C:\Windows\system32\cmd.exe  (PID 452, child of 3356)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA6FE.tmp.bat""
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\timeout.exe  (PID 3380, child of 452)
          timeout 3
          - Delays execution with timeout.exe
        C:\Users\Admin\AppData\Roaming\discord.exe  (PID 1484, child of 452)
          "C:\Users\Admin\AppData\Roaming\discord.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

C:\Users\Admin\Desktop\discord.exe  (PID 4624)
  "C:\Users\Admin\Desktop\discord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\discord.exe  (PID 468)
  "C:\Users\Admin\Desktop\discord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\discord.exe  (PID 4412)
  "C:\Users\Admin\Desktop\discord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\discord.exe  (PID 2660)
  "C:\Users\Admin\Desktop\discord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\discord.exe  (PID 1360)
  "C:\Users\Admin\Desktop\discord.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe  (PID 1552, top-level; not a child of the sample)
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\LogonUI.exe  (PID 2992, top-level; not a child of the sample)
  "LogonUI.exe" /flags:0x4 /state0:0xa3939855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
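The process tree above shows the whole AsyncRAT install chain in three steps: the first instance (PID 3356) registers a logon task pointing at the %AppData% copy, writes a temporary .bat that waits with timeout, and then relaunches the dropped copy (PID 1484). The following is an added detection example, not code from the report or from the sample: it replays constructed event records whose paths, PIDs and command lines are copied from the tree (plus one constructed benign record for contrast) and flags the three behaviours. The Event schema, the rule names, the severity labels and the list of "user-writable" directories are assumptions of this example.

```python
# Added example: detection rules for the AsyncRAT/Venom RAT persistence chain
# in the report's process tree. Not the sandbox's or the sample's code; the
# Event schema, rule names, severities and directory list are assumptions.
import re
from dataclasses import dataclass

# Values copied from the report, reused here as constructed test data.
DESKTOP = r"C:\Users\Admin\Desktop\discord.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\discord.exe"
TMP_BAT = r"C:\Users\Admin\AppData\Local\Temp\tmpA6FE.tmp.bat"
TASK_CMD = f'schtasks /create /f /sc onlogon /rl highest /tn "discord" /tr \'"{ROAMING}"\''

# Directories an unprivileged user can write to (assumed list for this example).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)
SCHTASKS_TR = re.compile(r"""/tr\s+['"]*([^'"]+)""", re.I)      # target of /tr
TEMP_BAT_RE = re.compile(r"\\temp\\tmp[0-9a-f]+\.tmp\.bat", re.I)  # %Temp%\tmpXXXX.tmp.bat
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)


@dataclass
class Event:
    kind: str            # "process" = process creation, "registry" = value queried
    pid: int
    ppid: int
    image: str
    cmdline: str = ""
    reg_key: str = ""


# Constructed events mirroring the report's tree (PIDs and parents as reported).
EVENTS = [
    Event("process", 3356, 1124, DESKTOP, f'"{DESKTOP}"'),
    Event("registry", 3356, 1124, DESKTOP,
          reg_key=(r"\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000"
                   r"\Control Panel\International\Geo\Nation")),
    Event("process", 1972, 3356, r"C:\Windows\System32\cmd.exe",
          rf'"C:\Windows\System32\cmd.exe" /c {TASK_CMD} & exit'),
    Event("process", 1592, 1972, r"C:\Windows\system32\schtasks.exe", TASK_CMD),
    Event("process", 452, 3356, r"C:\Windows\system32\cmd.exe",
          rf'C:\Windows\system32\cmd.exe /c ""{TMP_BAT}""'),
    Event("process", 3380, 452, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    Event("process", 1484, 452, ROAMING, f'"{ROAMING}"'),
    # Constructed benign contrast: a logon task whose target is under Program Files.
    Event("process", 9001, 9000, r"C:\Windows\system32\schtasks.exe",
          r'schtasks /create /sc onlogon /tn "Updater" /tr "C:\Program Files\Vendor\upd.exe"'),
]


def check_schtasks(ev):
    """Rule 1: logon-triggered task whose /tr target lives in a user-writable path."""
    if ev.kind != "process" or not ev.image.lower().endswith("schtasks.exe"):
        return None
    low = ev.cmdline.lower()
    if "/create" not in low or "/sc onlogon" not in low:
        return None
    m = SCHTASKS_TR.search(ev.cmdline)
    target = m.group(1).strip() if m else ""
    if not USER_WRITABLE.search(target):
        return None
    sev = "high" if "/rl highest" in low else "medium"   # highest run level = more capable
    return f"[{sev}] pid {ev.pid}: onlogon task runs {target} from a user-writable path"


def check_geo_nation(ev):
    """Rule 3: Geo\\Nation lookup by a process running from a user-writable path."""
    if ev.kind != "registry" or not GEO_NATION_RE.search(ev.reg_key):
        return None
    if not USER_WRITABLE.search(ev.image):
        return None
    return f"[low] pid {ev.pid}: {ev.image} read Geo\\Nation (possible geofence check)"


def check_tmp_bat_relaunch(events):
    """Rule 2: cmd /c %Temp%\\tmpXXXX.tmp.bat that spawns timeout and an exe from a user dir."""
    children = {}
    for ev in events:
        if ev.kind == "process":
            children.setdefault(ev.ppid, []).append(ev)
    hits = []
    for ev in events:
        if ev.kind != "process" or not ev.image.lower().endswith("cmd.exe"):
            continue
        if not TEMP_BAT_RE.search(ev.cmdline):
            continue
        kids = children.get(ev.pid, [])
        delayed = any(k.image.lower().endswith("timeout.exe") for k in kids)
        relaunch = [k for k in kids if USER_WRITABLE.search(k.image)]
        if delayed and relaunch:
            hits.append(f"[high] pid {ev.pid}: temp .bat delays, then relaunches {relaunch[0].image}")
    return hits


def scan(events):
    """Run all rules over an event list and return the findings as strings."""
    findings = []
    for ev in events:
        for rule in (check_schtasks, check_geo_nation):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(check_tmp_bat_relaunch(events))
    return findings


if __name__ == "__main__":
    for line in scan(EVENTS):
        print(line)
```

Rule 2 correlates on parent PID rather than on the command line alone because the .bat name is random per run; the stable parts are the Temp path pattern, the timeout child and the relaunch of a same-named binary from a user-writable directory. Rule 3 is deliberately low severity on its own, since legitimate software also reads Geo\Nation; it is useful as a corroborating signal next to the first two.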
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 151B
MD5: c224a466712aae64eb1ae7f9335da653
SHA1: 0ceb58cf305ead8175e2f6d632ec1ef1fc3ba7a2
SHA256: a11e9cbe9436fecbb52eb3ad6994466cb5129613cfb40c0406c88f24b03d30f3
SHA512: 1fd34ffcc16eed9c719efc95f317c0821c19018b20cb62cb8f9d311f9d4a2dc6209b66b0aa0592c159243546ccad1db6b137857149c6e8b995356c54b2f59f6d

Filesize: 8B
MD5: cf759e4c5f14fe3eec41b87ed756cea8
SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Filesize: 74KB
MD5: 45543e1a02340ade4c65314fbf401d09
SHA1: a75eb9173c40a1b0e47af74cd0b51c99905a56fe
SHA256: 21fff7a94a630799dd5393bf16019816998086b843e3310fb8f33dbc74f5011f
SHA512: a4288d6094ca6d43a92eeff9f94a9fc7aa2f4fb9023227f07a2eb69a484a1e1b2277351ec01ac6ad246e5587debe8277edbcf61f41b1e4b90caabdda9c52b23b