Analysis
- max time kernel: 19s
- max time network: 20s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2024 09:14
Static task: static1
Behavioral task: behavioral1
- Sample: Veno.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Veno.exe
- Resource: win10v2004-20241007-en
General
- Target: Veno.exe
- Size: 5.2MB
- MD5: 1fd54055c3703fba5e110b0e68fd434b
- SHA1: 26845bbcd373bb281891699f49541454598edfcf
- SHA256: c74979f0e2b603d690941c512cf4aa6824aea56aa6de9c333d2be13f4dde65f6
- SHA512: 50f5688c5a97de64f8f78cd767a18e52fe830ec1321744535f3dc84d2f6a7a68af247171a5d7e0b6b8528c098aaaae09cde1b70a896838a82ef580064e81722b
- SSDEEP: 98304:Aqw6Y+PiWjIOMLRqWqZD0ofvE7TY5kGdRUy4bz6cCMHps/KHNNiVakHoxdy:Aqw65PhVM83nEaLRU9z3CeaK0V4xI
Malware Config
Extracted: discordrat
- discord_token: MTMxNzcyMDg5MTkzMjY3NjEyNw.GR4BZy.jjTYOTYEIjYBpgSrr1GXK-BhAoku0-amSnOglA
- server_id: 1317719739920810024
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Discordrat family
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Process: Mapper (1).exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Process: Mapper (1).exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Process: Mapper (1).exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | Process: Veno.exe
- Executes dropped EXE (2 IoCs)
  pid: 5036 | Process: Mapper (2).exe
  pid: 4924 | Process: Mapper (1).exe
- Yara rule matches
  resource: behavioral2/files/0x000b000000023b85-16.dat | yara_rule: themida
  resource: behavioral2/memory/4924-26-0x00007FF701090000-0x00007FF701BD6000-memory.dmp | yara_rule: themida
  resource: behavioral2/memory/4924-27-0x00007FF701090000-0x00007FF701BD6000-memory.dmp | yara_rule: themida
- Checks whether UAC is enabled
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process: Mapper (1).exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow: 38 | ioc: discord.com
  flow: 39 | ioc: discord.com
  flow: 42 | ioc: discord.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid: 4924 | Process: Mapper (1).exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege | pid: 4924 | Process: Mapper (1).exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description: PID 3032 wrote to memory of 5036 | pid: 3032 | Process: Veno.exe | procid_target: 83
  description: PID 3032 wrote to memory of 5036 | pid: 3032 | Process: Veno.exe | procid_target: 83
  description: PID 5036 wrote to memory of 3548 | pid: 5036 | Process: Mapper (2).exe | procid_target: 86
  description: PID 5036 wrote to memory of 3548 | pid: 5036 | Process: Mapper (2).exe | procid_target: 86
  description: PID 3548 wrote to memory of 2236 | pid: 3548 | Process: cmd.exe | procid_target: 87
  description: PID 3548 wrote to memory of 2236 | pid: 3548 | Process: cmd.exe | procid_target: 87
  description: PID 3548 wrote to memory of 4268 | pid: 3548 | Process: cmd.exe | procid_target: 88
  description: PID 3548 wrote to memory of 4268 | pid: 3548 | Process: cmd.exe | procid_target: 88
  description: PID 3548 wrote to memory of 1772 | pid: 3548 | Process: cmd.exe | procid_target: 89
  description: PID 3548 wrote to memory of 1772 | pid: 3548 | Process: cmd.exe | procid_target: 89
  description: PID 3032 wrote to memory of 4924 | pid: 3032 | Process: Veno.exe | procid_target: 105
  description: PID 3032 wrote to memory of 4924 | pid: 3032 | Process: Veno.exe | procid_target: 105
Processes
- C:\Users\Admin\AppData\Local\Temp\Veno.exe (PID 3032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Veno.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe (PID 5036)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\cmd.exe (PID 3548)
      Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      Signatures:
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\system32\certutil.exe (PID 2236)
        Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (2).exe" MD5
      - C:\Windows\system32\find.exe (PID 4268)
        Command line: find /i /v "md5"
      - C:\Windows\system32\find.exe (PID 1772)
        Command line: find /i /v "certutil"
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (1).exe (PID 4924)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mapper (1).exe"
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.2MB
  MD5: c0d825abe1d07e86d7b5eca9d2097fdb
  SHA1: db2a8ae778689500f8293fc0a0e341961317875c
  SHA256: b261b1c42f321c0459f59f11a68a427c73ea93871c0979c030e1e11b786a75e4
  SHA512: a2ef1f01b4842f2d20a6894047c6daa32e315e1e8b44861d8c3afcbea7c0178a7fe613634e40b9c331a29a9da56d20ffb851395244d7ec96dc26aa91ddb07180
- Filesize: 935KB
  MD5: f4c5c039bc56bba0de398c4ac3641d3c
  SHA1: 2e173c4e3013da53126d8c276041d1e1174ec349
  SHA256: 3afa2e021f7b236a7584d401346dd2340c9d93ef5dd931692bb2f1133d4a3a38
  SHA512: 709e8ba1e290b9361e81b7127593b3b02a5b12fedb020455552f681eeaeef1f021f879f21cb6d3049982c4c847c4d3b67423ead294449706b3c16ed4befc2519