Overview

overview

10

Static

static

3

Venom V5.exe

windows7-x64

10

Venom V5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Venom V5.exe

  • Size

    289KB

  • MD5

    121a7190a24ba74a4c49c951dd56ad72

  • SHA1

    fb5b1adf74cda03d5a77096b866942a6fbd5aa89

  • SHA256

    049e3ab43c29a82fc17b415fb88df0b0c238efea6be76a25da1f2bb88ee22a6b

  • SHA512

    b1a983027932897e97c4e3ac9865e6fe987c3b772c5847db3f3cc5b8e2b4c845e7040bf8a7e7d546b77c3f78e39c32eaeb7321f1c6f99dd28554c80fec603bb3

  • SSDEEP

    6144:6/E7c5W+sPgJJUuCm2pad2AO51SLPml16S6M6supNDdPstxChZ:UEeggJauClpjL5sar6M6supXPstw

Score
10/10
njratvictimdiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

Victim

C2

audio-ham.gl.at.ply.gg:52424

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Venom V5.exe
    "C:\Users\Admin\AppData\Local\Temp\Venom V5.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\paylod.exe
      "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Users\Admin\AppData\Local\Temp\Payload.exe
        "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2372
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2188
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2936
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:460
          • C:\Windows\SysWOW64\PING.EXE
            ping 0 -n 2
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3044
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2648
    • C:\Users\Admin\AppData\Local\Temp\main.exe
      "C:\Users\Admin\AppData\Local\Temp\main.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\648.tmp\649.tmp\64A.bat C:\Users\Admin\AppData\Local\Temp\main.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2800

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Remote System Discovery

    1
    T1018

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Internet Connection Discovery

    1
    T1016.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\648.tmp\649.tmp\64A.bat
      Filesize

      3KB

      MD5

      ed10dc8c536ee4a022b94514936658e1

      SHA1

      006378f2c2837b196ecd17db6f1d6db862b8454e

      SHA256

      6851924794377b148813fd77ffe990aeb8abd363e9086b73bf76db117feedc59

      SHA512

      245a2bef61c75090b9108a5c5b81a77d1091b5a4abe8f561d5658e9c708907fe2ada359a9931dfa6decf0a06e5a0fdb08dab6ed7165a78f559512cbedf37634f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\main.exe
      Filesize

      126KB

      MD5

      fb32165caff9614efbc6311fe75da2f2

      SHA1

      674e7a93ed4b9cb097d846463a249bd68c4ab7a6

      SHA256

      41018b0dcfb3adf0ddcda481a276d98cbcee94698ac9c7dbd3644a86687e76e8

      SHA512

      65356ddd14df07f2153e740a8ac9f4d722e604a85663254f5e444850cbb66c15c35e7cedc6fece72df63677ffbbeb094122b05c11e01bf0cded917c3c4608a6d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
      Filesize

      1KB

      MD5

      f4a0764be0998ca801bb11188af40463

      SHA1

      fa8734c1d9ded2c36e00434316cb00b1f15cebe7

      SHA256

      69177b7411918b0351c057c065a58d82c8e823c6512b7d565552f22e360d8a6c

      SHA512

      84d1e978b0c8e964dad1844a7d62d900561c5e320f84fb49c73cfd48802e17f93071b8ec0b638bbad8cbebc617029241faf353744d512271bdcc90566ac533e5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
      Filesize

      1018B

      MD5

      0e91c8c82ece90714abda9f7d739c844

      SHA1

      0be1b50b19982cdeb3218f85b7c2f2db58be370d

      SHA256

      6df564f3dac8a7a8d07902da236e277fda77199633728009e4ab2dadf6f4edf4

      SHA512

      3ce340f970f31a91c03bd2252ffc62f2d76da5c2e8086ae3a318ef3cd42514610efc881ce0250fcf5eb22ac19f803f3f0886c5224f5a5d771ea0039e2affa04c

      Download Submit

    • \Users\Admin\AppData\Local\Temp\paylod.exe
      Filesize

      26KB

      MD5

      1f5545281784c48b113dde61778a4697

      SHA1

      46aee2f749bbee1fb7e4f5d8609b798bd5077673

      SHA256

      e31e3e11ce40c048eed1a0f68b0e47a15369b9289b30dcce9fe70b7f7ea26c20

      SHA512

      e262e58f15bbbee488a8423cbd5f03b2e9ab12b7af267d3278b48cb86373ff180b992d126694d3e224a8b97bff5edbaeb9c0d3493528b0d6b49e236339a1ab37

      Download Submit

    • memory/2300-25-0x000000007109E000-0x000000007109F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2300-26-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2300-29-0x000000007109E000-0x000000007109F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2332-22-0x0000000074590000-0x0000000074B3B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2332-0-0x0000000074591000-0x0000000074592000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2332-2-0x0000000074590000-0x0000000074B3B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2332-1-0x0000000074590000-0x0000000074B3B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2788-40-0x0000000000800000-0x000000000080C000-memory.dmp

      Filesize

      48KB

      Download