Overview

overview

10

Static

static

10

.exe

windows7-x64

10

.exe

windows10-2004-x64

Analysis

  • max time kernel
    5s
  • max time network
    16s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-12-2024 16:11

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    .exe

  • Size

    111KB

  • MD5

    f190eabe265f87543a479e6ae30a75e3

  • SHA1

    540a3361515ef8a07f0448d71ef1f5a9987bf8f0

  • SHA256

    d00c33e6af3acfbc5653dadda59411bb4bf95a9f7a0fd1305e7cae270250dcb6

  • SHA512

    792ea11c4ccdbaba481ad2102d7b95e3da730bba155d10fa20ece922df023d12a94cf65598b2866d85126df6dc8177520488e9c4c685fed14d23b66d3d7af95e

  • SSDEEP

    3072:MbF/tHT+X4rWXFiWkkkQDDKbuq0tQW5zCrAZuu1B:s/tHT+X4UdkkkQDDKbLg

Score
10/10
toxiceyediscoveryrattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/sendMessage?chat_id=5569740835

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Toxiceye family
    toxiceye
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\.exe
    "C:\Users\Admin\AppData\Local\Temp\.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8220.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8220.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3428
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 3644"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2384
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:3612
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:3628
        • C:\Users\yanak\yanak.exe
          "yanak.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1672

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp8220.tmp.bat
      Filesize

      176B

      MD5

      6ddf1db23fbba195517f30ff63159420

      SHA1

      dcebd63d602bf0e26901d093b3b2a53a45804407

      SHA256

      172a3ad7699f60f4f338e9d604e3e5faef15229500ea08ec45d2db6b008e07e7

      SHA512

      c72eca656ffe397f9f9f8d0328393593f4ffae8d22c2ee08fc5d83e1505b1abac2319fa4ca91304657dbed57acb69adc97650de5cf1491040a65e3dab167aace

      Download Submit

    • C:\Users\yanak\yanak.exe
      Filesize

      111KB

      MD5

      f190eabe265f87543a479e6ae30a75e3

      SHA1

      540a3361515ef8a07f0448d71ef1f5a9987bf8f0

      SHA256

      d00c33e6af3acfbc5653dadda59411bb4bf95a9f7a0fd1305e7cae270250dcb6

      SHA512

      792ea11c4ccdbaba481ad2102d7b95e3da730bba155d10fa20ece922df023d12a94cf65598b2866d85126df6dc8177520488e9c4c685fed14d23b66d3d7af95e

      Download Submit

    • memory/3644-0-0x00007FFEC1A63000-0x00007FFEC1A65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3644-1-0x000002B9C0910000-0x000002B9C0932000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3644-2-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3644-6-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

      Filesize

      10.8MB

      Download