Analysis

- max time kernel: 154s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 23-12-2024 14:27

Static task: static1

Behavioral task: behavioral1
- Sample: URFT06GSBAWRP_001_PDF.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: URFT06GSBAWRP_001_PDF.exe
- Resource: win10v2004-20241007-en
General

- Target: URFT06GSBAWRP_001_PDF.exe
- Size: 300.0MB
- MD5: 464753cd8a6523de0fba921ce6846177
- SHA1: 6b3b77af1129f9ad86acc31163d8450eacb4dbd3
- SHA256: 3221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092
- SHA512: 589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2
- SSDEEP: 3072:1iJZ3k2p8jrvVIYkwur2JMBZ6kINhCRFuaABOUEs64BRg40nOFblHTgr4:1OyRr9u1KJkZ6dIYBUeBRgOlWU
Malware Config

Extracted

- Family: asyncrat
- Version: Venom RAT 5.0.5
- Botnet: Venom Clients
- C2: resulttoday2.duckdns.org:6111
- Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
- delay: 1
- install: false
- install_folder: %AppData%
Signatures

Asyncrat family

Executes dropped EXE (2 IoCs)

| pid  | Process   |
|------|-----------|
| 2968 | opetr.exe |
| 1800 | opetr.exe |
Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (2 IoCs)

| description                          | pid  | Process                   | procid_target |
|--------------------------------------|------|---------------------------|---------------|
| PID 3032 set thread context of 2696  | 3032 | URFT06GSBAWRP_001_PDF.exe | 35            |
| PID 2968 set thread context of 1680  | 2968 | opetr.exe                 | 43            |
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc                                                          | Process                   |
|-------------|--------------------------------------------------------------|---------------------------|
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | schtasks.exe              |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | vbc.exe                   |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | opetr.exe                 |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | cmd.exe                   |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | cmd.exe                   |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | URFT06GSBAWRP_001_PDF.exe |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | cmd.exe                   |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | schtasks.exe              |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | cmd.exe                   |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | vbc.exe                   |
| Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  | opetr.exe                 |
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)

Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid  | Process      |
|------|--------------|
| 2700 | schtasks.exe |
| 572  | schtasks.exe |
Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description             | pid  | Process |
|-------------------------|------|---------|
| Token: SeDebugPrivilege | 2696 | vbc.exe |
| Token: SeDebugPrivilege | 1680 | vbc.exe |
Suspicious use of WriteProcessMemory (50 IoCs)

Each row below is one (source PID, target PID) pair; the count column gives how many identical "wrote to memory of" events the sandbox recorded for that pair (50 events in total).

| pid  | Process                   | wrote to memory of (pid) | procid_target | count |
|------|---------------------------|--------------------------|---------------|-------|
| 3032 | URFT06GSBAWRP_001_PDF.exe | 2976                     | 30            | 4     |
| 2976 | cmd.exe                   | 2700                     | 32            | 4     |
| 3032 | URFT06GSBAWRP_001_PDF.exe | 2884                     | 33            | 4     |
| 3032 | URFT06GSBAWRP_001_PDF.exe | 2696                     | 35            | 9     |
| 836  | taskeng.exe               | 2968                     | 37            | 4     |
| 2968 | opetr.exe                 | 580                      | 38            | 4     |
| 2968 | opetr.exe                 | 332                      | 40            | 4     |
| 580  | cmd.exe                   | 572                      | 41            | 4     |
| 2968 | opetr.exe                 | 1680                     | 43            | 9     |
| 836  | taskeng.exe               | 1800                     | 44            | 4     |
Processes

Process tree (indentation shows the parent/child relationship; the number in brackets is the depth in the tree):

[1] C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe (PID 3032)
    Command line: "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe (PID 2976)
        Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 2700)
            Command line: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

    [2] C:\Windows\SysWOW64\cmd.exe (PID 2884)
        Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.exe" "C:\Users\Admin\AppData\Roaming\opetr.exe"
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2696)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskeng.exe (PID 836)
    Command line: taskeng.exe {BB519A60-6AB2-417F-948F-51C821282FFD} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\opetr.exe (PID 2968)
        Command line: C:\Users\Admin\AppData\Roaming\opetr.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe (PID 580)
            Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\schtasks.exe (PID 572)
                Command line: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f
                - System Location Discovery: System Language Discovery
                - Scheduled Task/Job: Scheduled Task

        [3] C:\Windows\SysWOW64\cmd.exe (PID 332)
            Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\opetr.exe" "C:\Users\Admin\AppData\Roaming\opetr.exe"
            - System Location Discovery: System Language Discovery

        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1680)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Roaming\opetr.exe (PID 1800)
        Command line: C:\Users\Admin\AppData\Roaming\opetr.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery