Analysis
- max time kernel: 59s
- max time network: 62s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28-10-2024 19:43
Static task: static1
Behavioral tasks
- behavioral1: Rose_1_1_4_2.zip on win7-20240903-en
- behavioral2: Rose_1_1_4_2.zip on win10v2004-20241007-en
- behavioral3: Rose_1_1_4_2/RoseMenu.dll on win7-20241010-en
- behavioral4: Rose_1_1_4_2/RoseMenu.dll on win10v2004-20241007-en
- behavioral5: Rose_1_1_4_2/Rose_İnjector.exe on win7-20240903-en
The results on this page (target Rose_1_1_4_2.zip, resource win7-20240903-en) are those of behavioral1.
General
- Target: Rose_1_1_4_2.zip
- Size: 16.1MB
- MD5: 6b27604d6f445bce6ad546885c0c0949
- SHA1: 75967d80043852f69bfc858675298b8fa1da12a9
- SHA256: 3af2d8280ca274b2d5d06e2494a7e99ba1b26c439e426335bf98c1eb640e38fc
- SHA512: e71d31fdefb7b77787f12ea6a5a712240b3d1146c2e7d9212877a83f8a69cb7509b8bc5928674cfb45f125c721f61f6cc9d30ff588e66bbbf77abcf02cc1d97d
- SSDEEP: 393216:iON95GDgNyOMiyGFty4riUG4/Hv73BwVa6w:iakM4GrjvbBwVa6w
Malware Config
Extracted
- family: asyncrat
- version string: Venom RAT + HVNC + Stealer + Grabber v6.0.3
- sazan (field label not preserved in the extraction)
- rdzbojdvoiqafvcuqj (field label not preserved in the extraction)
- delay: 1
- install: false
- install_folder: %AppData%
- pastebin_config: https://pastebin.ai/raw/it4zrvblz1
Two points worth noting for triage. First, no C2 host appears in the config: with pastebin_config set, the client fetches its C2 address from that URL at runtime, so the actual C2 is whatever the paste holds when it is retrieved and can be changed without touching the binary. Second, install is false, meaning the RAT's own install/persistence routine is disabled; the copy of Client.exe found in %AppData%\Roaming was written there by the first-stage injector (PID 2180, which spawned it), not by the RAT installing itself.
Signatures
- Asyncrat family
- Async RAT payload (1 IoC)
  YARA rule family_asyncrat matched C:\Users\Admin\AppData\Roaming\Client.exe
- Executes dropped EXE (5 IoCs)
  PID 2180 Rose_İnjector.exe
  PID 2700 Client.exe
  PID 2560 Rose_Injector.exe
  PID 2904 Rose_İnjector.exe
  PID 2024 Rose_İnjector.exe
- Loads dropped DLL (1 IoC)
  PID 2180 Rose_İnjector.exe
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  PID 2708 7zFM.exe: 4 hits
  PID 2560 Rose_Injector.exe: 2 hits
  PID 2700 Client.exe: 17 hits
  Most of the process enumeration comes from the dropped RAT client; the 7zFM.exe hits are the archive manager's own.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2708 7zFM.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  PID 2708 7zFM.exe: SeRestorePrivilege
  PID 2708 7zFM.exe: privilege LUID 35 (reported without a name; 35 is the LUID of SeCreateSymbolicLinkPrivilege)
  PID 2708 7zFM.exe: SeSecurityPrivilege (4 times)
  PID 2560 Rose_Injector.exe: SeDebugPrivilege
  PID 2700 Client.exe: SeDebugPrivilege
  The 7zFM.exe entries are the privileges 7-Zip enables for extraction. Both dropped executables enable SeDebugPrivilege, which is what a process needs to open other processes' memory; note however that no cross-process write from PID 2560 or 2700 is recorded anywhere in this run (see the WriteProcessMemory list below).
- Suspicious use of FindShellTrayWindow (7 IoCs)
  PID 2708 7zFM.exe (7 times)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2700 Client.exe
  A Windows hook installed by the RAT client is consistent with input capture (keylogging), but the report does not record the hook type, so that remains an inference.
- Suspicious use of WriteProcessMemory (21 IoCs)
  Seven parent/child pairs, each recorded three times:
  PID 2708 7zFM.exe wrote to memory of PID 2180 Rose_İnjector.exe
  PID 2180 Rose_İnjector.exe wrote to memory of PID 2700 Client.exe
  PID 2180 Rose_İnjector.exe wrote to memory of PID 2560 Rose_Injector.exe
  PID 2708 7zFM.exe wrote to memory of PID 2904 Rose_İnjector.exe
  PID 2904 Rose_İnjector.exe wrote to memory of PID 1044 WerFault.exe
  PID 2708 7zFM.exe wrote to memory of PID 2024 Rose_İnjector.exe
  PID 2024 Rose_İnjector.exe wrote to memory of PID 1544 WerFault.exe
  Every pair here coincides with a process creation in the tree below, and each is recorded exactly three times. That is the pattern of the writes a parent makes into a child it has just created (startup data), so on its own this signature documents the launch chain rather than injection into an unrelated process. The useful content is the chain itself: 7zFM.exe launches the extracted injector, and the injector writes and launches both Client.exe and Rose_Injector.exe from %AppData%\Roaming.
Processes
C:\Program Files\7-Zip\7zFM.exe  (PID 2708)
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Rose_1_1_4_2.zip"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\7zO49A4BA37\Rose_İnjector.exe  (PID 2180)
    command line: "C:\Users\Admin\AppData\Local\Temp\7zO49A4BA37\Rose_İnjector.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Client.exe  (PID 2700)
      command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Roaming\Rose_Injector.exe  (PID 2560)
      command line: "C:\Users\Admin\AppData\Roaming\Rose_Injector.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\7zO49ADBA57\Rose_İnjector.exe  (PID 2904)
    command line: "C:\Users\Admin\AppData\Local\Temp\7zO49ADBA57\Rose_İnjector.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\WerFault.exe  (PID 1044)
      command line: C:\Windows\system32\WerFault.exe -u -p 2904 -s 580
  C:\Users\Admin\AppData\Local\Temp\7zO49A9D0B7\Rose_İnjector.exe  (PID 2024)
    command line: "C:\Users\Admin\AppData\Local\Temp\7zO49A9D0B7\Rose_İnjector.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\WerFault.exe  (PID 1544)
      command line: C:\Windows\system32\WerFault.exe -u -p 2024 -s 576
How to read the tree: the 7zO<8 hex> directories under %TEMP% are where 7-Zip File Manager extracts a file that is opened directly from inside an archive, so the first stage was launched by opening Rose_İnjector.exe from within 7zFM without extracting the zip first. It was launched three times in this run; only the first instance (PID 2180) did the work, writing Client.exe (the AsyncRAT/Venom RAT payload matched by the YARA rule) and Rose_Injector.exe to %AppData%\Roaming and starting both, while the second and third instances (PIDs 2904 and 2024) crashed straight into WerFault.exe. Note also the two spellings of the name: the extracted file is Rose_İnjector.exe with a Turkish dotted capital İ (U+0130), while the dropped copy in Roaming is Rose_Injector.exe with a plain Latin I, so searches by exact filename will miss one of them.
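The checks an analyst would want to run over this report, as an added example that is not part of the sandbox report or its vendor's tooling: it rebuilds the process tree from the "wrote to memory of" records (format copied from this page, with the triplicate entries collapsed), flags a temp-extracted stage launching an executable from %AppData%\Roaming, identifies stages whose only child is WerFault.exe, and groups filenames that collide once diacritics and case are folded. The PIDs, names and paths are copied from this report; the regular expressions and function names are my own, and the `7zO` directory pattern is an assumption based on 7-Zip's observed extraction path.

```python
"""Rebuild a sandbox process tree from "wrote to memory of" records and apply
three triage checks: %AppData% drop chain, crashed stages, look-alike names.

Added example, not part of the sandbox report. Sample data is copied from the
report (one line per pair, with one deliberate duplicate to show de-duplication).
"""
import re
import unicodedata
from collections import defaultdict

# Constructed sample: records in the report's format, one per parent/child pair.
WPM_RECORDS = """
PID 2708 wrote to memory of 2180 2708 7zFM.exe Rose_İnjector.exe
PID 2708 wrote to memory of 2180 2708 7zFM.exe Rose_İnjector.exe
PID 2180 wrote to memory of 2700 2180 Rose_İnjector.exe Client.exe
PID 2180 wrote to memory of 2560 2180 Rose_İnjector.exe Rose_Injector.exe
PID 2708 wrote to memory of 2904 2708 7zFM.exe Rose_İnjector.exe
PID 2904 wrote to memory of 1044 2904 Rose_İnjector.exe WerFault.exe
PID 2708 wrote to memory of 2024 2708 7zFM.exe Rose_İnjector.exe
PID 2024 wrote to memory of 1544 2024 Rose_İnjector.exe WerFault.exe
"""

# Image paths by PID, copied from the report's process list.
IMAGE_PATHS = {
    2708: r"C:\Program Files\7-Zip\7zFM.exe",
    2180: r"C:\Users\Admin\AppData\Local\Temp\7zO49A4BA37\Rose_İnjector.exe",
    2700: r"C:\Users\Admin\AppData\Roaming\Client.exe",
    2560: r"C:\Users\Admin\AppData\Roaming\Rose_Injector.exe",
    2904: r"C:\Users\Admin\AppData\Local\Temp\7zO49ADBA57\Rose_İnjector.exe",
    1044: r"C:\Windows\system32\WerFault.exe",
    2024: r"C:\Users\Admin\AppData\Local\Temp\7zO49A9D0B7\Rose_İnjector.exe",
    1544: r"C:\Windows\system32\WerFault.exe",
}

# "PID <parent> wrote to memory of <child> <parent> <parent.exe> <child.exe>"
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_edges(text):
    """Return unique (parent_pid, child_pid, parent_name, child_name) tuples."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = RECORD_RE.fullmatch(line.strip())
        if m is None:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        if key in seen:  # the report repeats each pair three times
            continue
        seen.add(key)
        edges.append(key + (m.group(3), m.group(4)))
    return edges


def build_tree(edges):
    """Map parent -> [children] and child -> parent."""
    children, parent_of = defaultdict(list), {}
    for p, c, _, _ in edges:
        children[p].append(c)
        parent_of[c] = p
    return children, parent_of


def lineage(pid, parent_of):
    """Root-to-leaf PID chain for pid, e.g. [2708, 2180, 2700]."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render_tree(children, images, pid, depth=0, out=None):
    """Indented text tree, one line per process."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid}  {images.get(pid, '?')}")
    for child in children.get(pid, []):
        render_tree(children, images, child, depth + 1, out)
    return out


# Assumption: 7-Zip File Manager extracts a file opened from inside an archive
# into %TEMP%\7zO<8 hex>\ and launches it from there; a child then landing in
# %AppData%\Roaming is the drop step we want to flag.
TEMP_7Z_RE = re.compile(r"\\AppData\\Local\\Temp\\7zO[0-9A-F]{8}\\", re.IGNORECASE)
ROAMING_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)


def drop_chains(edges, images):
    """(parent, child) pairs where a temp-extracted stage launches a Roaming EXE."""
    return [(p, c) for p, c, _, _ in edges
            if TEMP_7Z_RE.search(images.get(p, ""))
            and ROAMING_EXE_RE.search(images.get(c, ""))]


def crashed_stages(edges, images):
    """Parents whose only children are WerFault.exe, i.e. the stage crashed."""
    kids = defaultdict(list)
    for p, c, _, _ in edges:
        kids[p].append(c)
    return [p for p, cs in kids.items()
            if all(images.get(c, "").lower().endswith("\\werfault.exe") for c in cs)]


def fold_name(name):
    """Decompose (İ -> I + U+0307), drop combining marks, casefold."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).casefold()


def lookalike_names(images):
    """Basenames that become identical after folding but differ as written."""
    groups = defaultdict(set)
    for path in images.values():
        groups[fold_name(path.rsplit("\\", 1)[-1])].add(path.rsplit("\\", 1)[-1])
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    edges = parse_edges(WPM_RECORDS)
    children, parent_of = build_tree(edges)
    print("\n".join(render_tree(children, IMAGE_PATHS, 2708)))
    print("drop chains:", drop_chains(edges, IMAGE_PATHS))
    print("crashed stages:", crashed_stages(edges, IMAGE_PATHS))
    print("look-alike names:", lookalike_names(IMAGE_PATHS))
```

On this report's data the drop-chain check returns the two launches by PID 2180, the crash check returns PIDs 2904 and 2024, and the name check groups Rose_İnjector.exe with Rose_Injector.exe. The same functions work on any report in this format once the records and image paths are swapped in; casefolding alone would not catch the dotted İ, which is why the names are NFKD-decomposed and stripped of combining marks first.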
Network
MITRE ATT&CK Enterprise v15
Downloads
(filenames were not preserved in the extraction; files are identified by size and hash)
- File 1
  Filesize: 108KB
  MD5: 17f7206a7e2535c2757a2e28af6c13c8
  SHA1: 5cea3e60c35b8da9e1520832071ca52b98991797
  SHA256: 8f1d00324051a90eb2ca14d2d68946b78d89e36ed3ce9082af05da5b38c04457
  SHA512: 15c3ea73fd01290171448f0e0dea4a3b2919448c35116d9bcce99f6e81be063ba6fccef7ec1b71fcce3056c15f0099130d21edd5372fb7f46cfcae5f7c2dec39
- File 2
  Filesize: 74KB
  MD5: 1e62f2d4b2155fe336bc8f449100554a
  SHA1: 2506734f15d2b69270be7c922f008e7de9d839dd
  SHA256: 16a3ba1c991f0d2c666e7f41528ccf65c477c094a8ff75b924289f564bf11498
  SHA512: a14d75b76935b73af946f81370aa7c6874240dd907336bfdb09a70e8e088a8c6e1341fb8da7277477fb1328251ea1a52a9e8c1126d3c4b59b8dcf99191266ebf
- File 3
  Filesize: 27KB
  MD5: 8be0e3590df0a1337f9fb82630852376
  SHA1: 6f0d6bc2ba3ab5cbbff94a944dd24c0eda0771d5
  SHA256: 36a340af2f3f63c9be3546704985accb516135860a575ef6c655819d7998ed39
  SHA512: 48714538160ddeddd9ff1834056daaef50f261401bd19e44b60af628f46ebc741c32dcc73ccbb546b325da79fd336cbfa79f31215008bf3578ea070ff8156d16