venomrat | d87bc6b532f94b6023c55bb38f96f0472857bb7742db4199704386bf8f533fb9

General

Target

setup.exe
Size

146KB
MD5

15ac5ad1c4c1a483da074a5fad3f4b0c
SHA1

144d87b60d42a0b5d527b3cab8cd7ad60d3c468c
SHA256

d87bc6b532f94b6023c55bb38f96f0472857bb7742db4199704386bf8f533fb9
SHA512

4dacb7551ccc17cb552ad12a0308f2d0c6ff3a27e5a079767b094db7daf54dbf2886273f7da6cd84d73d33a861aae8f1b35d0f52b3ee1db0913854181411a4de
SSDEEP

3072:4ESJuC4+3BrDDl8DC+1iJLU0YFzkEDN3BtGc/aFRsO8Jw:+uCBRrDZN+1i2xCmRwc/a7j

Score

10^/10

venomrat evasion rat

Malware Config

Signatures

VenomRAT 2 IoCs

Detects VenomRAT.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	VenomRAT
behavioral2/memory/1412-18-0x0000000000DE0000-0x0000000000E20000-memory.dmp	VenomRAT

Venomrat family
venomrat
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

svchost.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions svchost.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

svchost.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation setup.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1412 svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	setup.exe

pid	process
1412	svchost.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	1412	svchost.exe
Token: SeIncreaseQuotaPrivilege	1412	svchost.exe
Token: SeSecurityPrivilege	1412	svchost.exe
Token: SeTakeOwnershipPrivilege	1412	svchost.exe
Token: SeLoadDriverPrivilege	1412	svchost.exe
Token: SeSystemProfilePrivilege	1412	svchost.exe
Token: SeSystemtimePrivilege	1412	svchost.exe
Token: SeProfSingleProcessPrivilege	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: SeCreatePagefilePrivilege	1412	svchost.exe
Token: SeBackupPrivilege	1412	svchost.exe
Token: SeRestorePrivilege	1412	svchost.exe
Token: SeShutdownPrivilege	1412	svchost.exe
Token: SeDebugPrivilege	1412	svchost.exe
Token: SeSystemEnvironmentPrivilege	1412	svchost.exe
Token: SeRemoteShutdownPrivilege	1412	svchost.exe
Token: SeUndockPrivilege	1412	svchost.exe
Token: SeManageVolumePrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: 34	1412	svchost.exe
Token: 35	1412	svchost.exe
Token: 36	1412	svchost.exe
Token: SeIncreaseQuotaPrivilege	1412	svchost.exe
Token: SeSecurityPrivilege	1412	svchost.exe
Token: SeTakeOwnershipPrivilege	1412	svchost.exe
Token: SeLoadDriverPrivilege	1412	svchost.exe
Token: SeSystemProfilePrivilege	1412	svchost.exe
Token: SeSystemtimePrivilege	1412	svchost.exe
Token: SeProfSingleProcessPrivilege	1412	svchost.exe
Token: SeIncBasePriorityPrivilege	1412	svchost.exe
Token: SeCreatePagefilePrivilege	1412	svchost.exe
Token: SeBackupPrivilege	1412	svchost.exe
Token: SeRestorePrivilege	1412	svchost.exe
Token: SeShutdownPrivilege	1412	svchost.exe
Token: SeDebugPrivilege	1412	svchost.exe
Token: SeSystemEnvironmentPrivilege	1412	svchost.exe
Token: SeRemoteShutdownPrivilege	1412	svchost.exe
Token: SeUndockPrivilege	1412	svchost.exe
Token: SeManageVolumePrivilege	1412	svchost.exe
Token: 33	1412	svchost.exe
Token: 34	1412	svchost.exe
Token: 35	1412	svchost.exe
Token: 36	1412	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

setup.exe

description	pid	process	target process
PID 1952 wrote to memory of 4132	1952	setup.exe	cmd.exe
PID 1952 wrote to memory of 4132	1952	setup.exe	cmd.exe
PID 1952 wrote to memory of 1412	1952	setup.exe	svchost.exe
PID 1952 wrote to memory of 1412	1952	setup.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "
  2⤵
  PID:4132
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
62B

MD5
bac1df08b5a2b813d82ace3a51adc67f

SHA1
bd1279e6379de4ea6ac108718010235f3b342405

SHA256
59f5244b33fe77d4dfe76e5159d44a07e037040f8790276ec84139ed3128a21b

SHA512
175b17c6e7d91aea20e6d8d3b63abfd467c0cf7fc6b8c574e39dbffeb52db8c40020816291f7a83e0411a165d0535c033ff1df299dd2c2a7e48ba8b34dcd4afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
209KB

MD5
f16db0ec9722cf4e3d7761a317097568

SHA1
0f1f15468a7db5a662909f3a1a7e03e05a6a0533

SHA256
aaf473cb17bcf36a00222fd8ca4493a4a4b0f9fda3678a1a56d2be1a52cbf5f4

SHA512
f8ed6b01473cbd9b455d88b30afe3490ebc5881b5607871e693cbdfb401460ebc6b3cff1cbf1cb554a8da26f0ec55d76f3a3778d35db55f28ca3c668da1c30c8

Download Submit
memory/1412-20-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/1412-19-0x000000001BC40000-0x000000001BC46000-memory.dmp

Filesize
24KB

Download
memory/1412-18-0x0000000000DE0000-0x0000000000E20000-memory.dmp

Filesize
256KB

Download
memory/1412-24-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/1952-0-0x00007FF97C103000-0x00007FF97C105000-memory.dmp

Filesize
8KB

Download
memory/1952-1-0x0000000000F80000-0x0000000000FAA000-memory.dmp

Filesize
168KB

Download
memory/1952-6-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/1952-21-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads