Analysis
- max time kernel: 137s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2024 03:55
- Static task: static1
- Behavioral task: behavioral1
  - Sample: b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe
  - Resource: win7-20240729-en
General
- Target: b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe
- Size: 810KB
- MD5: 87c051a77edc0cc77a4d791ef72367d1
- SHA1: 5d5bab642235f0af7d9afe3cacec5ae2a4cfc8e5
- SHA256: b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c
- SHA512: 259a3f823d5051fcc9e87ceacf25557ab17f5d26ff4f0c17801d9ef83a23d2a51261a73e5ba9c3caf1ca2feb18a569458f17a2a5d56b542b86d6a124a42d4c2c
- SSDEEP: 12288:FCxMe2dk7YgL+OsQdFGHjaRYf9bquEZ68ufU3wqB2ydPsW/w0bvf:FsMe2KYIDpSO5vZ68FwqB2aPsW3
Malware Config
Extracted
- asyncrat
- Venom RAT + HVNC + Stealer + Grabber v6.0.2
- Default
- 47.238.55.14:4449
- rqwcncaesrdtlckoweu
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Asyncrat family
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 2568 created 1200 | 2568 | Thermal.pif | 21
- Venomrat family (3 yara_rule hits)
  resource | yara_rule
  behavioral1/memory/1956-33-0x0000000000090000-0x00000000000A8000-memory.dmp | VenomRAT
  behavioral1/memory/1956-36-0x0000000000090000-0x00000000000A8000-memory.dmp | VenomRAT
  behavioral1/memory/1956-35-0x0000000000090000-0x00000000000A8000-memory.dmp | VenomRAT
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url | cmd.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url | cmd.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2568 | Thermal.pif
  1956 | RegAsm.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  2776 | cmd.exe
  2568 | Thermal.pif
  1956 | RegAsm.exe
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid | Process
  2580 | tasklist.exe
  2688 | tasklist.exe
- Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\MonsterRaymond | b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe
  File opened for modification | C:\Windows\FirewireBros | b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe
  File opened for modification | C:\Windows\PortugalCharges | b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe
  File opened for modification | C:\Windows\PgJune | b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe
  File opened for modification | C:\Windows\ReceptorsTeeth | b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe
  File opened for modification | C:\Windows\PorcelainExhaust | b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process (count)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (4)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe (3)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe (2)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe (1)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe (1)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Thermal.pif (1)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | choice.exe (1)
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | Process | count
  2568 | Thermal.pif | 16
  1956 | RegAsm.exe | 7
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2580 | tasklist.exe
  Token: SeDebugPrivilege | 2688 | tasklist.exe
  Token: SeDebugPrivilege | 1956 | RegAsm.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process | count
  2568 | Thermal.pif | 3
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process | count
  2568 | Thermal.pif | 3
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1956 | RegAsm.exe
- Suspicious use of WriteProcessMemory (53 IoCs)
  description | pid | Process | procid_target | count
  PID 2184 wrote to memory of 2776 | 2184 | b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe | 30 | 4
  PID 2776 wrote to memory of 2580 | 2776 | cmd.exe | 32 | 4
  PID 2776 wrote to memory of 2160 | 2776 | cmd.exe | 33 | 4
  PID 2776 wrote to memory of 2688 | 2776 | cmd.exe | 35 | 4
  PID 2776 wrote to memory of 2572 | 2776 | cmd.exe | 36 | 4
  PID 2776 wrote to memory of 2624 | 2776 | cmd.exe | 37 | 4
  PID 2776 wrote to memory of 2648 | 2776 | cmd.exe | 38 | 4
  PID 2776 wrote to memory of 3052 | 2776 | cmd.exe | 39 | 4
  PID 2776 wrote to memory of 2568 | 2776 | cmd.exe | 40 | 4
  PID 2776 wrote to memory of 1700 | 2776 | cmd.exe | 41 | 4
  PID 2568 wrote to memory of 2948 | 2568 | Thermal.pif | 42 | 4
  PID 2568 wrote to memory of 1956 | 2568 | Thermal.pif | 44 | 9
Processes
C:\Windows\Explorer.EXE (PID 1200)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe (PID 2184)
    command line: "C:\Users\Admin\AppData\Local\Temp\b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe"
    signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2776)
      command line: "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat
      signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\tasklist.exe (PID 2580)
        command line: tasklist
        signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\findstr.exe (PID 2160)
        command line: findstr /I "wrsa opssvc"
        signatures: System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\tasklist.exe (PID 2688)
        command line: tasklist
        signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\findstr.exe (PID 2572)
        command line: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
        signatures: System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\cmd.exe (PID 2624)
        command line: cmd /c md 724598
        signatures: System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\findstr.exe (PID 2648)
        command line: findstr /V "WowLiberalCalOfficer" Weight
        signatures: System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\cmd.exe (PID 3052)
        command line: cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y
        signatures: System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\724598\Thermal.pif (PID 2568)
        command line: Thermal.pif y
        signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\724598\RegAsm.exe (PID 1956)
          command line: C:\Users\Admin\AppData\Local\Temp\724598\RegAsm.exe
          signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\choice.exe (PID 1700)
        command line: choice /d y /t 5
        signatures: System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe (PID 2948)
    command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users\Admin\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit
    signatures: Drops startup file; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads