Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 24-12-2024 10:08
Static task: static1
Behavioral task: behavioral1
- Sample: QWEDFGHNM01LKJNB70.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: QWEDFGHNM01LKJNB70.exe
- Resource: win10v2004-20241007-en
General
- Target: QWEDFGHNM01LKJNB70.exe
- Size: 300.0MB
- MD5: dc03290442587a0f396214227b2a95c3
- SHA1: 6c25ed2e5f38277405b11c162c6e347dd13f80b1
- SHA256: 3a0c56f5de394f437e20cd22718e1feb0a3d66aeb13fb60f4b5a61e04bfea2f6
- SHA512: e5a62ef9d41b66e5f7e5ffd6861bcdbb7d34ee81ec40aa6c6801441e1e0460f3e262ecd270d7641aa332fa468e385da36c9ffeb54eab2cc7372a1bb9be5259eb
- SSDEEP: 3072:NtX+qpAgYWQAZWy6tQ3bNwymWIi7sGe8IsPsBAAAAAAAAAAAAAAAAAASY:OqpTQAZz6+Nwe8Ge8XC
Malware Config
Extracted
- family: asyncrat
- version: Venom RAT 5.0.5
- botnet: Venom Clients
- C2 (host:port): g896696.duckdns.org:7343
- mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Asyncrat family
- Executes dropped EXE (2 IoCs)
  pid   Process
  1684  poijh.exe
  1624  poijh.exe
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                 procid_target
  PID 2392 set thread context of 2844  2392  QWEDFGHNM01LKJNB70.exe  35
  PID 1684 set thread context of 768   1684  poijh.exe               43
  PID 1624 set thread context of 2520  1624  poijh.exe               50
- System Location Discovery: System Language Discovery (1 TTP, 15 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  poijh.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  poijh.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  QWEDFGHNM01LKJNB70.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2820  schtasks.exe
  1048  schtasks.exe
  1284  schtasks.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2844  vbc.exe
  Token: SeDebugPrivilege  768   vbc.exe
  Token: SeDebugPrivilege  2520  vbc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\QWEDFGHNM01LKJNB70.exe  (PID 2392)
    Command line: "C:\Users\Admin\AppData\Local\Temp\QWEDFGHNM01LKJNB70.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1916)
        Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\poijh.exe'" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe  (PID 2820)
            Command line: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\poijh.exe'" /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\cmd.exe  (PID 2748)
        Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\QWEDFGHNM01LKJNB70.exe" "C:\Users\Admin\AppData\Roaming\poijh.exe"
        - System Location Discovery: System Language Discovery

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 2844)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskeng.exe  (PID 2228)
    Command line: taskeng.exe {E09CA456-7B57-4529-AF6D-D4D5C1EEFC53} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\poijh.exe  (PID 1684)
        Command line: C:\Users\Admin\AppData\Roaming\poijh.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 444)
            Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\poijh.exe'" /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe  (PID 1048)
                Command line: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\poijh.exe'" /f
                - System Location Discovery: System Language Discovery
                - Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\cmd.exe  (PID 1132)
            Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\poijh.exe" "C:\Users\Admin\AppData\Roaming\poijh.exe"
            - System Location Discovery: System Language Discovery

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 768)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\poijh.exe  (PID 1624)
        Command line: C:\Users\Admin\AppData\Roaming\poijh.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 1552)
            Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\poijh.exe'" /f
            - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\schtasks.exe  (PID 1284)
                Command line: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\poijh.exe'" /f
                - System Location Discovery: System Language Discovery
                - Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\cmd.exe  (PID 936)
            Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\poijh.exe" "C:\Users\Admin\AppData\Roaming\poijh.exe"
            - System Location Discovery: System Language Discovery

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (PID 2520)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken