Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 09:14
Static task: static1
Behavioral task: behavioral1 (sample: Veno.exe, resource: win7-20240903-en)
Behavioral task: behavioral2 (sample: Veno.exe, resource: win10v2004-20241007-en)
General
Target: Veno.exe
Size: 5.2MB
MD5: 1fd54055c3703fba5e110b0e68fd434b
SHA1: 26845bbcd373bb281891699f49541454598edfcf
SHA256: c74979f0e2b603d690941c512cf4aa6824aea56aa6de9c333d2be13f4dde65f6
SHA512: 50f5688c5a97de64f8f78cd767a18e52fe830ec1321744535f3dc84d2f6a7a68af247171a5d7e0b6b8528c098aaaae09cde1b70a896838a82ef580064e81722b
SSDEEP: 98304:Aqw6Y+PiWjIOMLRqWqZD0ofvE7TY5kGdRUy4bz6cCMHps/KHNNiVakHoxdy:Aqw65PhVM83nEaLRU9z3CeaK0V4xI
Malware Config
Extracted: discordrat
discord_token: MTMxNzcyMDg5MTkzMjY3NjEyNw.GR4BZy.jjTYOTYEIjYBpgSrr1GXK-BhAoku0-amSnOglA
server_id: 1317719739920810024
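The extracted configuration can be triaged offline without touching the C2. The following is an added example, not part of the sandbox report: the first dot-separated segment of a Discord bot token is the bot's user ID in unpadded base64url, and both that ID and the server_id are Discord snowflakes whose upper 42 bits are milliseconds since the Discord epoch (2015-01-01T00:00:00Z). The script decodes the ID, derives creation timestamps for the bot account and the guild, and never sends the token anywhere.

```python
"""Offline triage of the extracted Discord RAT configuration (added example,
not part of the sandbox report). Decodes the bot user ID embedded in the
token's first segment and derives creation times from the snowflake IDs.
Nothing here contacts Discord or validates the token."""
import base64
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, the snowflake epoch

# Values exactly as extracted by the sandbox (see Malware Config above).
DISCORD_TOKEN = "MTMxNzcyMDg5MTkzMjY3NjEyNw.GR4BZy.jjTYOTYEIjYBpgSrr1GXK-BhAoku0-amSnOglA"
SERVER_ID = 1317719739920810024


def bot_id_from_token(token: str) -> int:
    """First segment of a bot token is the user ID, base64url without padding."""
    first = token.split(".")[0]
    padded = first + "=" * (-len(first) % 4)   # restore '=' padding to a multiple of 4
    return int(base64.urlsafe_b64decode(padded).decode("ascii"))


def snowflake_time(snowflake: int) -> datetime:
    """Discord snowflakes carry ms-since-epoch in their upper 42 bits (>> 22)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def triage(token: str, server_id: int) -> dict:
    """Summarise what the config tells us about the operator's infrastructure."""
    bot_id = bot_id_from_token(token)
    return {
        "bot_user_id": bot_id,
        "bot_created": snowflake_time(bot_id),
        "server_id": server_id,
        "server_created": snowflake_time(server_id),
    }


if __name__ == "__main__":
    for key, value in triage(DISCORD_TOKEN, SERVER_ID).items():
        print(f"{key}: {value}")
```

Run stand-alone, this places creation of both the guild and the bot account on 2024-12-15 UTC, a few minutes apart and nine days before the sample was submitted, which is a useful pivot when hunting for sibling samples using the same operator account. The token itself should be treated as a live credential and reported to Discord, not exercised.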
Signatures
Discord RAT
A RAT written in C# using Discord as a C2.
Discordrat family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Mapper (1).exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Mapper (1).exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Mapper (1).exe
Executes dropped EXE 2 IoCs
pid | Process
2320 | Mapper (2).exe
560 | Mapper (1).exe
Loads dropped DLL 8 IoCs
pid | Process
2160 | Veno.exe
2516 | Process not Found
2160 | Veno.exe
2968 | WerFault.exe (5 events)
Themida packer (yara_rule themida) 4 IoCs
resource | yara_rule
behavioral1/files/0x0008000000015d9a-16.dat | themida
behavioral1/memory/560-20-0x000000013FEA0000-0x00000001409E6000-memory.dmp | themida
behavioral1/memory/560-21-0x000000013FEA0000-0x00000001409E6000-memory.dmp | themida
behavioral1/memory/560-28-0x000000013FEA0000-0x00000001409E6000-memory.dmp | themida
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Mapper (1).exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
560 | Mapper (1).exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 2160 wrote to memory of 2320 | 2160 | Veno.exe | 30 (3 events)
PID 2320 wrote to memory of 2252 | 2320 | Mapper (2).exe | 32 (3 events)
PID 2252 wrote to memory of 2724 | 2252 | cmd.exe | 33 (3 events)
PID 2252 wrote to memory of 2776 | 2252 | cmd.exe | 34 (3 events)
PID 2252 wrote to memory of 2892 | 2252 | cmd.exe | 35 (3 events)
PID 2160 wrote to memory of 560 | 2160 | Veno.exe | 37 (3 events)
PID 560 wrote to memory of 2968 | 560 | Mapper (1).exe | 38 (3 events)
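The registry reads above (the VirtualBox ACPI table name, the two BIOS version strings, the EnableLUA policy value) and the certutil self-hashing chain in the process tree are all cheap to detect from endpoint telemetry. The following is an added example, not part of the sandbox report: detection logic run over constructed Sysmon-style events that mirror the report's IoCs, plus two benign events to show the rules do not fire on ordinary registry access or on an administrator hashing a download. The Event fields and sample lines are made up for the example; the registry paths are the ones the report lists.

```python
"""Detection logic for the behaviours in the signatures above, run over
constructed Sysmon-style events. Added example: the events are made up to
mirror the report's IoCs and are not the sandbox's raw telemetry."""
import re
from dataclasses import dataclass

# Registry objects the sample queried, per the report, as case-insensitive suffix patterns.
ANTI_VM_KEYS = (
    r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$",                      # VirtualBox ACPI table name
    r"\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion$",  # BIOS strings name the hypervisor vendor
    r"\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion$",
)
UAC_KEY = r"\\Policies\\System\\EnableLUA$"
# certutil -hashfile <path> <alg>; the path is quoted in the report because it contains a space
HASHFILE_RE = re.compile(r'-hashfile\s+"?([^"]+?)"?\s+(MD5|SHA1|SHA256)\b', re.IGNORECASE)


@dataclass
class Event:
    kind: str                # "RegistryQuery" or "ProcessCreate"
    pid: int
    image: str               # image path of the acting process
    target: str = ""         # registry object (RegistryQuery only)
    cmdline: str = ""        # command line (ProcessCreate only)
    parent_image: str = ""   # image path of the parent (ProcessCreate only)


def _matches(path: str, patterns) -> bool:
    return any(re.search(p, path, re.IGNORECASE) for p in patterns)


def detect(events) -> list:
    """Return (rule, pid, evidence) tuples for every event that trips a rule."""
    hits = []
    for e in events:
        if e.kind == "RegistryQuery":
            if _matches(e.target, ANTI_VM_KEYS):
                hits.append(("anti_vm_registry_probe", e.pid, e.target))
            elif _matches(e.target, (UAC_KEY,)):
                hits.append(("uac_status_probe", e.pid, e.target))
        elif e.kind == "ProcessCreate":
            m = HASHFILE_RE.search(e.cmdline)
            # Flag certutil hashing only when the hashed file is the parent's own image:
            # that is an integrity self-check, not an admin verifying a download.
            if m and m.group(1).lower() == e.parent_image.lower():
                hits.append(("self_hash_via_certutil", e.pid, m.group(1)))
    return hits


MAPPER1 = r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (1).exe"
MAPPER2 = r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe"

# Constructed events modelled on the report, plus two benign ones (PIDs 1400 and 3100).
SAMPLE_EVENTS = [
    Event("RegistryQuery", 560, MAPPER1, target=r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    Event("RegistryQuery", 560, MAPPER1, target=r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event("RegistryQuery", 560, MAPPER1,
          target=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    Event("RegistryQuery", 1400, r"C:\Windows\explorer.exe",
          target=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    Event("ProcessCreate", 2252, r"C:\Windows\system32\cmd.exe",
          cmdline=f'C:\\Windows\\system32\\cmd.exe /c certutil -hashfile "{MAPPER2}" MD5 | find /i /v "md5" | find /i /v "certutil"',
          parent_image=MAPPER2),
    Event("ProcessCreate", 3100, r"C:\Windows\system32\cmd.exe",
          cmdline='cmd.exe /c certutil -hashfile "C:\\Users\\Admin\\Downloads\\tool.zip" SHA256',
          parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, pid, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:<24} pid={pid:<5} {evidence}")
```

The self-hash rule keys on the parent relationship rather than on certutil alone, because `certutil -hashfile` is common legitimate admin activity; what is unusual here is a freshly dropped executable hashing its own image and stripping the header and footer lines from the output, which is how a dropper checks that its payload was not tampered with or patched before running.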
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Veno.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Veno.exe"
    PID: 2160
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe"
      PID: 2320
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        PID: 2252
        signatures: Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\certutil.exe
          command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe" MD5
          PID: 2724
      [4] C:\Windows\system32\find.exe
          command line: find /i /v "md5"
          PID: 2776
      [4] C:\Windows\system32\find.exe
          command line: find /i /v "certutil"
          PID: 2892
  [2] C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (1).exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (1).exe"
      PID: 560
      signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\WerFault.exe
        command line: C:\Windows\system32\WerFault.exe -u -p 560 -s 604
        PID: 2968
        signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4.2MB
MD5: c0d825abe1d07e86d7b5eca9d2097fdb
SHA1: db2a8ae778689500f8293fc0a0e341961317875c
SHA256: b261b1c42f321c0459f59f11a68a427c73ea93871c0979c030e1e11b786a75e4
SHA512: a2ef1f01b4842f2d20a6894047c6daa32e315e1e8b44861d8c3afcbea7c0178a7fe613634e40b9c331a29a9da56d20ffb851395244d7ec96dc26aa91ddb07180
Filesize: 935KB
MD5: f4c5c039bc56bba0de398c4ac3641d3c
SHA1: 2e173c4e3013da53126d8c276041d1e1174ec349
SHA256: 3afa2e021f7b236a7584d401346dd2340c9d93ef5dd931692bb2f1133d4a3a38
SHA512: 709e8ba1e290b9361e81b7127593b3b02a5b12fedb020455552f681eeaeef1f021f879f21cb6d3049982c4c847c4d3b67423ead294449706b3c16ed4befc2519