Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 16:04
Behavioral task: behavioral1
Sample: Client.exe
Resource: win7-20241010-en
General
Target: Client.exe
Size: 74KB
MD5: ff9957be040ba821afc9248d7f3c9e74
SHA1: 19bf5b47a05a06f8c448286979c17364df9b9d8a
SHA256: f0de46c374e87a43f8e8d977ed7920271beb883f0cc19492698301ea412498e5
SHA512: 2b283049ffaecb665006453bf5757ea7adc95a678ded145285bf8529a824a1ec10d1e92c319553d436d4aea4e665fe995db6748a22fa72898faf8adbeef17703
SSDEEP: 1536:SUaAcx2l/Cx2PMVie9VdQuDI6H1bf/3EQzcuLVclN:SUDcx2Bq2PMVie9VdQsH1bffEQnBY
Malware Config
Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Linas
C2: 127.0.0.1:4449, 185.241.61.180:4449
lxvckrzncz
delay: 1
install: true
install_file: Defender.exe
install_folder: %AppData%
Signatures

Asyncrat family
  resource: behavioral2/memory/848-1-0x0000000000E80000-0x0000000000E98000-memory.dmp  yara_rule: VenomRAT
  resource: behavioral2/files/0x000b000000023b79-11.dat  yara_rule: VenomRAT

Venomrat family

Async RAT payload (1 IoCs)
  resource: behavioral2/files/0x000b000000023b79-11.dat  yara_rule: family_asyncrat

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation  process: Client.exe

Executes dropped EXE (1 IoCs)
  pid: 1320  process: Defender.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoCs)
  pid: 4556  process: timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 4536  process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid: 848  process: Client.exe  (23 events)
  pid: 1320  process: Defender.exe  (5 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege  pid: 848  process: Client.exe
  description: Token: SeDebugPrivilege  pid: 1320  process: Defender.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 1320  process: Defender.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 848 wrote to memory of 924   (848 Client.exe -> procid_target 83)  (2 events)
  PID 848 wrote to memory of 1540  (848 Client.exe -> procid_target 85)  (2 events)
  PID 924 wrote to memory of 4536  (924 cmd.exe -> procid_target 87)  (2 events)
  PID 1540 wrote to memory of 4556 (1540 cmd.exe -> procid_target 88)  (2 events)
  PID 1540 wrote to memory of 1320 (1540 cmd.exe -> procid_target 90)  (2 events)

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Client.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    PID: 848
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Defender" /tr '"C:\Users\Admin\AppData\Roaming\Defender.exe"' & exit
        PID: 924
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe
            command line: schtasks /create /f /sc onlogon /rl highest /tn "Defender" /tr '"C:\Users\Admin\AppData\Roaming\Defender.exe"'
            PID: 4536
            - Scheduled Task/Job: Scheduled Task

    [2] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DAC.tmp.bat""
        PID: 1540
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\timeout.exe
            command line: timeout 3
            PID: 4556
            - Delays execution with timeout.exe

        [3] C:\Users\Admin\AppData\Roaming\Defender.exe
            command line: "C:\Users\Admin\AppData\Roaming\Defender.exe"
            PID: 1320
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 152B
MD5: fa798a160b17c5c42d2db11285b32f22
SHA1: f99007dd3cf57bb21387737c6ceec46cfaaeb2f9
SHA256: 156923f06a1549d50008acb21e195fc5fd57de1befdd2a47c3be9e465e70ea20
SHA512: 16628bb024fad9990c479a083d4f2944fc5c091c5c5bf3becf41e8e6502523c1157643f7a57691029d65e09cc26bcc273545bdf9da3e67a234996b8bd293fae6

File 2
Filesize: 74KB
MD5: ff9957be040ba821afc9248d7f3c9e74
SHA1: 19bf5b47a05a06f8c448286979c17364df9b9d8a
SHA256: f0de46c374e87a43f8e8d977ed7920271beb883f0cc19492698301ea412498e5
SHA512: 2b283049ffaecb665006453bf5757ea7adc95a678ded145285bf8529a824a1ec10d1e92c319553d436d4aea4e665fe995db6748a22fa72898faf8adbeef17703

File 3
Filesize: 8B
MD5: cf759e4c5f14fe3eec41b87ed756cea8
SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b