Analysis
Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16-12-2024 15:16
Behavioral task: behavioral1
Sample: Client.exe
Resource: win7-20240903-en
Note: the signature and process data reproduced on this page are tagged behavioral2 and the Analysis block above describes the win10v2004-20241007-en run; results of the behavioral1 (win7-20240903-en) task are not included here.
General
Target: Client.exe
Size: 74KB
MD5: 6d047d603a107c3193aef35717af7b6f
SHA1: 32034f120ac1c1132e137ddba1e6220aacb702a2
SHA256: ea3c775091e46699351431b25485fae1526c063a3b1be543cdc1c5c4ee397d92
SHA512: 00ea5f0686d40dbae3958cb67324fdf8c0f1d493af497b84d0989437c14166e10ffae370f62d8c0eeb929e9ca65aa20ffcc815b8d585a9b2f53c062b04cd2639
SSDEEP: 1536:9UOgcxLVNCBWPMVWe9VdQuDI6H1bf/4VAQzcmLVclN:9UfcxLfaWPMVWe9VdQsH1bfgeQ/BY
Malware Config
Extracted: asyncrat
Family/version string: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet (group ID): Default
C2: 127.0.0.1:4449
Mutex: bgflrgweuset
delay: 1
install: true
install_file: defender.exe
install_folder: %AppData%
Note: the configured C2 is loopback (127.0.0.1:4449), so this build cannot reach an operator from the sandbox and an empty Network section is expected. The actionable indicators from this run are host-based: the copy written to %AppData%\defender.exe, the logon task named "defender" and the mutex above.
Signatures
Asyncrat family
Venomrat family
  YARA rule hits (VenomRAT):
  - behavioral2/memory/552-1-0x0000000000CE0000-0x0000000000CF8000-memory.dmp
  - behavioral2/files/0x0008000000023bb9-12.dat
Async RAT payload (1 IoC)
  YARA rule hit (family_asyncrat): behavioral2/files/0x0008000000023bb9-12.dat
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key queried by Client.exe: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
  PID 4092 defender.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoC)
  PID 4884 timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2756 schtasks.exe
Suspicious behavior: EnumeratesProcesses (53 IoCs)
  PID 552 Client.exe (23 events); PID 4092 defender.exe (30 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege enabled by PID 552 Client.exe and by PID 4092 defender.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4092 defender.exe (a Windows hook is the usual way a keylogging component captures input; only the installed copy sets one)
Suspicious use of WriteProcessMemory (10 IoCs)
  Every write goes from a parent into a child it has just spawned (compare the process tree below), which is consistent with ordinary process creation rather than injection into an unrelated process. Each pair is recorded twice; procid_target is the sandbox's internal id of the target.
  - 552 Client.exe -> 752 cmd.exe (procid_target 83), 2 events
  - 552 Client.exe -> 5108 cmd.exe (procid_target 84), 2 events
  - 5108 cmd.exe -> 4884 timeout.exe (procid_target 87), 2 events
  - 752 cmd.exe -> 2756 schtasks.exe (procid_target 88), 2 events
  - 5108 cmd.exe -> 4092 defender.exe (procid_target 90), 2 events
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Chain in one sentence: Client.exe registers a logon-triggered task named "defender" (run level highest) pointing at its copy in %AppData%, then runs a dropped batch file that waits 3 seconds and launches that copy.

C:\Users\Admin\AppData\Local\Temp\Client.exe (PID 552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +- C:\Windows\System32\cmd.exe (PID 752)
  |    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "defender" /tr '"C:\Users\Admin\AppData\Roaming\defender.exe"' & exit
  |    - Suspicious use of WriteProcessMemory
  |    |
  |    +- C:\Windows\system32\schtasks.exe (PID 2756)
  |         Command line: schtasks /create /f /sc onlogon /rl highest /tn "defender" /tr '"C:\Users\Admin\AppData\Roaming\defender.exe"'
  |         - Scheduled Task/Job: Scheduled Task
  |
  +- C:\Windows\system32\cmd.exe (PID 5108)
       Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.bat""
       - Suspicious use of WriteProcessMemory
       |
       +- C:\Windows\system32\timeout.exe (PID 4884)
       |    Command line: timeout 3
       |    - Delays execution with timeout.exe
       |
       +- C:\Users\Admin\AppData\Roaming\defender.exe (PID 4092)
            Command line: "C:\Users\Admin\AppData\Roaming\defender.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
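Detection logic for the install chain shown in the process tree above, added here as an example for this page (it is not the sandbox's, nor the malware author's, code). It runs three rules over process-creation events: schtasks.exe creating an onlogon task whose action lives in a user-writable path, cmd.exe executing a .bat dropped in %TEMP%, and a binary that re-executes from a new path with the SHA256 of an earlier process (the self-copy to %AppData%, whose hash the Downloads table below shows is identical to the submitted sample). PIDs, images and command lines are copied from the report; the ProcEvent field names, the root process's parent PID (4000) and the per-process hash values are assumptions made for the example.

```python
"""Rules for the AsyncRAT/VenomRAT install chain, run over constructed process events."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# SHA256 of the submitted Client.exe, from the General section of the report.
SAMPLE_SHA256 = "ea3c775091e46699351431b25485fae1526c063a3b1be543cdc1c5c4ee397d92"


@dataclass
class ProcEvent:
    """One process-creation event. Field names are an assumption, not a vendor schema."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""  # image hash if the sensor records it, else ""


# Constructed events modelled on the Processes tree. PIDs, images and command lines come
# from the report; ppid 4000 for the root and the hashes are assumed (the Roaming copy gets
# the sample's hash because the Downloads table lists an identical 74KB file).
EVENTS: List[ProcEvent] = [
    ProcEvent(552, 4000, r"C:\Users\Admin\AppData\Local\Temp\Client.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Client.exe"', SAMPLE_SHA256),
    ProcEvent(752, 552, r"C:\Windows\System32\cmd.exe",
              r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '''
              r'''/tn "defender" /tr '"C:\Users\Admin\AppData\Roaming\defender.exe"' & exit'''),
    ProcEvent(2756, 752, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks /create /f /sc onlogon /rl highest /tn "defender" '''
              r'''/tr '"C:\Users\Admin\AppData\Roaming\defender.exe"' '''),
    ProcEvent(5108, 552, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.bat""'),
    ProcEvent(4884, 5108, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(4092, 5108, r"C:\Users\Admin\AppData\Roaming\defender.exe",
              r'"C:\Users\Admin\AppData\Roaming\defender.exe"', SAMPLE_SHA256),
]

# /tr value: skip any mix of quote characters (the sample nests '"..."'), capture a
# drive-rooted path up to the closing quote, the next switch, or end of line.
TR_TARGET_RE = re.compile(r"/tr\s+['\"]*([A-Za-z]:\\[^'\"]+?)(?:['\"]|\s+(?=/)|\s*$)", re.I)
# Locations a standard user can write to; a logon task pointing here is the persistence tell.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|%(appdata|localappdata|temp|userprofile)%|\\ProgramData\\", re.I)
# A .bat dropped in %TEMP% (the install stub here is tmpA921.tmp.bat).
TEMP_BATCH_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\"'\s\\]*\.bat\b", re.I)

Context = Dict[str, object]
Rule = Callable[[ProcEvent, Context], Optional[str]]


def rule_schtasks_persistence(ev: ProcEvent, _: Context) -> Optional[str]:
    """schtasks.exe creating a logon-triggered task whose action lives in a user-writable path."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    cl = ev.cmdline
    if not re.search(r"/create\b", cl, re.I) or not re.search(r"/sc\s+onlogon\b", cl, re.I):
        return None
    m = TR_TARGET_RE.search(cl)
    if not m or not USER_WRITABLE_RE.search(m.group(1)):
        return None
    elevated = " with /rl highest" if re.search(r"/rl\s+highest\b", cl, re.I) else ""
    return f"onlogon task runs {m.group(1)}{elevated}"


def rule_temp_batch_launcher(ev: ProcEvent, _: Context) -> Optional[str]:
    """cmd.exe /c executing a batch file dropped in %TEMP%."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = TEMP_BATCH_RE.search(ev.cmdline)
    return f"runs dropped batch ...{m.group(0)}" if m else None


def rule_self_copy_relaunch(ev: ProcEvent, ctx: Context) -> Optional[str]:
    """A hash already seen running from one path now executes from another (copy + relaunch)."""
    first = ctx["first_image"].get(ev.sha256) if ev.sha256 else None
    if first is None or first.lower() == ev.image.lower():
        return None
    detail = f"same SHA256 as {first}, now running from {ev.image}"
    parent = ctx["by_pid"].get(ev.ppid)
    if parent and TEMP_BATCH_RE.search(parent.cmdline):  # launched by the temp batch?
        delays = [e.cmdline for e in ctx["events"]
                  if e.ppid == ev.ppid and e.image.lower().endswith("\\timeout.exe")]
        if delays:
            detail += f"; launched by temp batch after '{delays[0]}'"
    return detail


RULES: Dict[str, Rule] = {
    "schtasks_persistence": rule_schtasks_persistence,
    "temp_batch_launcher": rule_temp_batch_launcher,
    "self_copy_relaunch": rule_self_copy_relaunch,
}


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Run every rule over events in creation order; returns (pid, rule, detail) findings."""
    ctx: Context = {"events": events, "by_pid": {e.pid: e for e in events}, "first_image": {}}
    findings: List[Tuple[int, str, str]] = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev, ctx)
            if detail:
                findings.append((ev.pid, name, detail))
        if ev.sha256:  # record after evaluating, so a process never matches itself
            ctx["first_image"].setdefault(ev.sha256, ev.image)
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid:<5} {rule:<22} {detail}")
```

On the report's events the rules fire on PID 2756 (schtasks), PID 5108 (cmd running the temp batch) and PID 4092 (the Roaming copy, tagged as the self-copy relaunched after "timeout 3"), and stay quiet on the original Client.exe, the schtasks-wrapping cmd.exe and timeout.exe. The schtasks rule keys on the task action's location rather than the task name, since "defender" is operator-chosen and changes between builds; if your telemetry only records the parent cmd.exe, the same command line is present there and the image check can be dropped.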
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 152B
  MD5: 37641cc2c70396c676a5d2e6b1e1f9a5
  SHA1: c615bd5b4a8cef765bc1185c5b261bf385372603
  SHA256: 7b1cc77d13cfbc508be69a7676d1cd6fe755f8c68440ab99713fe1b84e7b8844
  SHA512: e956faa7ffd44d6a2fbe0faeaa7cc9c22bdadbb04d23c3d3e7c23c1853b76d23dedf5e6b47e5d3bcff619ebdcc865040ed2df50917501e8c2015e30cc830e4f0
File 2
  Filesize: 8B
  MD5: cf759e4c5f14fe3eec41b87ed756cea8
  SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
  SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
  SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
File 3 (same size and hashes as the submitted Client.exe, consistent with the self-copy dropped as %AppData%\defender.exe)
  Filesize: 74KB
  MD5: 6d047d603a107c3193aef35717af7b6f
  SHA1: 32034f120ac1c1132e137ddba1e6220aacb702a2
  SHA256: ea3c775091e46699351431b25485fae1526c063a3b1be543cdc1c5c4ee397d92
  SHA512: 00ea5f0686d40dbae3958cb67324fdf8c0f1d493af497b84d0989437c14166e10ffae370f62d8c0eeb929e9ca65aa20ffcc815b8d585a9b2f53c062b04cd2639