Analysis
- max time kernel: 148s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16-12-2024 15:16
Behavioral task: behavioral1
- Sample: Client.exe
- Resource: win7-20240903-en
General
- Target: Client.exe
- Size: 74KB
- MD5: 6d047d603a107c3193aef35717af7b6f
- SHA1: 32034f120ac1c1132e137ddba1e6220aacb702a2
- SHA256: ea3c775091e46699351431b25485fae1526c063a3b1be543cdc1c5c4ee397d92
- SHA512: 00ea5f0686d40dbae3958cb67324fdf8c0f1d493af497b84d0989437c14166e10ffae370f62d8c0eeb929e9ca65aa20ffcc815b8d585a9b2f53c062b04cd2639
- SSDEEP: 1536:9UOgcxLVNCBWPMVWe9VdQuDI6H1bf/4VAQzcmLVclN:9UfcxLfaWPMVWe9VdQsH1bfgeQ/BY
Malware Config
Extracted family: asyncrat
- Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Default
- 127.0.0.1:4449
- bgflrgweuset
- delay: 1
- install: true
- install_file: defender.exe
- install_folder: %AppData%
Signatures
- Asyncrat family
  resource                                                                    yara_rule
  behavioral1/memory/2712-1-0x0000000000E40000-0x0000000000E58000-memory.dmp  VenomRAT
  behavioral1/files/0x00080000000173fb-16.dat                                 VenomRAT
  behavioral1/memory/2888-18-0x0000000000E50000-0x0000000000E68000-memory.dmp VenomRAT
- Venomrat family
- Async RAT payload (1 IoC)
  resource                                     yara_rule
  behavioral1/files/0x00080000000173fb-16.dat  family_asyncrat
- Executes dropped EXE (1 IoC)
  pid   Process
  2888  defender.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid   Process
  2724  timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2316  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (40 IoCs; duplicate rows collapsed)
  pid   Process       entries
  2712  Client.exe    3
  2888  defender.exe  37
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     2712  Client.exe
  Token: SeDebugPrivilege     2888  defender.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2888  defender.exe
- Suspicious use of WriteProcessMemory (15 IoCs; each row below was reported three times)
  description              pid   Process     procid_target
  PID 2712 wrote to memory of 2436  2712  Client.exe  30
  PID 2712 wrote to memory of 2232  2712  Client.exe  31
  PID 2232 wrote to memory of 2724  2232  cmd.exe     34
  PID 2436 wrote to memory of 2316  2436  cmd.exe     35
  PID 2232 wrote to memory of 2888  2232  cmd.exe     36
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  PID: 2712
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defender" /tr '"C:\Users\Admin\AppData\Roaming\defender.exe"' & exit
    PID: 2436
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "defender" /tr '"C:\Users\Admin\AppData\Roaming\defender.exe"'
      PID: 2316
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9A3D.tmp.bat""
    PID: 2232
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      command line: timeout 3
      PID: 2724
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\defender.exe
      command line: "C:\Users\Admin\AppData\Roaming\defender.exe"
      PID: 2888
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads
- Filesize: 152B
  MD5: d4087e935b7e04193a8647cd28f00010
  SHA1: 1125ea70765d520aba007b2f955e584dc0827011
  SHA256: 572bf65a2cb79a27ce2fe4c742458a6036ad29db5b58f0f294a99e2d9c0eb553
  SHA512: 594a330a27c59df12064bad4fa9b804c60fd74830d83ffec088d66e108e39908c5279706bafbc79fa74815d8a8a918fa5af83335b3d3499429163e13cff09592
- Filesize: 8B
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
- Filesize: 74KB (same hashes as the submitted sample Client.exe)
  MD5: 6d047d603a107c3193aef35717af7b6f
  SHA1: 32034f120ac1c1132e137ddba1e6220aacb702a2
  SHA256: ea3c775091e46699351431b25485fae1526c063a3b1be543cdc1c5c4ee397d92
  SHA512: 00ea5f0686d40dbae3958cb67324fdf8c0f1d493af497b84d0989437c14166e10ffae370f62d8c0eeb929e9ca65aa20ffcc815b8d585a9b2f53c062b04cd2639