Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2024 09:52

General

  • Target

    3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe

  • Size

    584KB

  • MD5

    001ed9b78e44a5545679286e3872ebc4

  • SHA1

    11a7fa8453ec8a594200b66d889aaf3d3f6a132a

  • SHA256

    3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1

  • SHA512

    68ed219c2660d2a2904e2f7c69f378eeac657e11d9d57345de3f0c025ccd03a77a0e66bb095849e17ef9f7abc7a8b6f83822789e12cb02c9e38d0adc969eb84c

  • SSDEEP

    12288:NY4Sjc5JLsNiN5pa3pnISrX+t4eLMd18Sb1sDkwtkn4nQp6WIoD:NJAc79zpaZnISdeLa8Sb1AA4neDD

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot6614924384:AAFfRfKSXv_nYZghPcfGxWb5r0pZZqztlKU/sendMessage?chat_id=5006597517

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

  • Toxiceye family
  • Checks computer location settings (2 TTPs, 5 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (3 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
  • Drops file in Windows directory (13 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (1 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe
    "C:\Users\Admin\AppData\Local\Temp\3181d1dd7eca8b6f8998ddbff6379ef5d8ece3e7a60d5838f4d099d4524b03e1.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4196
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\win.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /tn "MyApp" /tr "\"C:\Windows\system.exe"" /sc ONSTART /ru SYSTEM
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2536
      • C:\Windows\System.exe
        system.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\1.vbs"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3600
          • C:\Windows\crss.exe
            "C:\Windows\crss.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5024
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1184
          • C:\Windows\crss.exe
            "C:\Windows\crss.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1492
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "yandex" /tr "C:\Users\ToxicEye\rat.exe"
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3048

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\crss.exe.log

    Filesize

    1KB

    MD5

    381b3c83bff8b73b7f7405c966f2f747

    SHA1

    b1f298a082275932dc4129c29518f2c1002e312b

    SHA256

    13941fe4f1c6775a0ed2893353578b26d47a072447727d38e307fcb997c82545

    SHA512

    22d7599258c697ebe28d0875e8a32b340175829790cace33e8a065565c6eb1c81ff864f9ef6904aac67ca32045111a4808db1ff521fd7c90b7473070bdbff852

  • C:\Windows\1.vbs

    Filesize

    123B

    MD5

    31aab08a0e1733b8196172d5901e7517

    SHA1

    cb4092011eebab5c9d3bb2e8a4b79c4111b50ff4

    SHA256

    3c7d4f1aa35d091d73fad7bc1e70112fc88e9f6e6445d8da34effcde67d3e6b8

    SHA512

    c3452c4f0f1eb1f9c5abb45b73523c6d48635653ec491202c548454aee48d06560ecac13e34c288ca078df47867ca424e3d699f31abe68500e7cb555f5252784

  • C:\Windows\System.exe

    Filesize

    403KB

    MD5

    c9285b00b99565bdf3a6c04c518f6299

    SHA1

    d0e5c114019d6ef5211c7d7384d7b0ac5ab4f62b

    SHA256

    8fa065e4ed2a8ebb457326eafddc6e4f715baeb60e2da39f212d25e6281c6171

    SHA512

    b0554ec39fad010fb66e65832b9407ba3eee63d9e3fa414fc339712e486bbced6103393990fae783c8ac236b5a4f06e6dea28e2bb105b574eeb7f08a7d082bb0

  • C:\Windows\crss.exe

    Filesize

    119KB

    MD5

    b8853b3517287fc33fce3bf78d2fd693

    SHA1

    3c20e9c59a8653862c0caf43272353447a458a1f

    SHA256

    581449c5fa2f3adc3e263aeb030accd55465713baecff297fbafb915a2df2fdb

    SHA512

    206189ac7614eb9a312c312810a060494c4121bebad34692de8e2b5de5db36c144bc4266be278799f0061b829b5c7e1c191bb18aadcf505737ef19936bab718a

  • C:\Windows\win.bat

    Filesize

    129B

    MD5

    ec573f06f672b120d6af7289e81c8381

    SHA1

    3e067592aeab1201a1bf0ded92808591894ef9df

    SHA256

    3932a21385c1e8bda0961f3d360342972abff3345d20a30dabd9b6d157172a18

    SHA512

    89fb52aa29faa73f9e156412392e2dc62e95f4e3d4e711e557ef6e1519412262dd05119dc8f8d90f322e9deb80017f44f9fe8ef9fffae883f691caeb5228a90e

  • memory/5024-19-0x0000019E25D00000-0x0000019E25D24000-memory.dmp

    Filesize

    144KB

  • memory/5024-22-0x0000019E41980000-0x0000019E4198A000-memory.dmp

    Filesize

    40KB