Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 24-12-2024 10:08

Static task: static1

Behavioral task: behavioral1
  Sample: QWEDFGHNM01LKJNB70.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: QWEDFGHNM01LKJNB70.exe
  Resource: win10v2004-20241007-en

General

Target: QWEDFGHNM01LKJNB70.exe
Size: 300.0MB
MD5: dc03290442587a0f396214227b2a95c3
SHA1: 6c25ed2e5f38277405b11c162c6e347dd13f80b1
SHA256: 3a0c56f5de394f437e20cd22718e1feb0a3d66aeb13fb60f4b5a61e04bfea2f6
SHA512: e5a62ef9d41b66e5f7e5ffd6861bcdbb7d34ee81ec40aa6c6801441e1e0460f3e262ecd270d7641aa332fa468e385da36c9ffeb54eab2cc7372a1bb9be5259eb
SSDEEP: 3072:NtX+qpAgYWQAZWy6tQ3bNwymWIi7sGe8IsPsBAAAAAAAAAAAAAAAAAASY:OqpTQAZz6+Nwe8Ge8XC
Malware Config

Extracted
Family: asyncrat
Version: Venom RAT 5.0.5
Botnet: Venom Clients
C2: g896696.duckdns.org:7343
Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
delay: 1
install: false
install_folder: %AppData%
Signatures

Asyncrat family

Executes dropped EXE 2 IoCs
  pid   Process
  2424  poijh.exe
  3060  poijh.exe
Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 3 IoCs
  description                          pid   Process                 procid_target
  PID 4844 set thread context of 3868  4844  QWEDFGHNM01LKJNB70.exe  104
  PID 2424 set thread context of 5016  2424  poijh.exe               110
  PID 3060 set thread context of 2140  3060  poijh.exe               117
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  QWEDFGHNM01LKJNB70.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  poijh.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  poijh.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3860  schtasks.exe
  2196  schtasks.exe
  1296  schtasks.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  3868  vbc.exe
  Token: SeDebugPrivilege  5016  vbc.exe
  Token: SeDebugPrivilege  2140  vbc.exe
Suspicious use of WriteProcessMemory 51 IoCs
  description                      pid   Process                 procid_target
  PID 4844 wrote to memory of 2388  4844  QWEDFGHNM01LKJNB70.exe  99
  PID 4844 wrote to memory of 2388  4844  QWEDFGHNM01LKJNB70.exe  99
  PID 4844 wrote to memory of 2388  4844  QWEDFGHNM01LKJNB70.exe  99
  PID 4844 wrote to memory of 2432  4844  QWEDFGHNM01LKJNB70.exe  101
  PID 4844 wrote to memory of 2432  4844  QWEDFGHNM01LKJNB70.exe  101
  PID 4844 wrote to memory of 2432  4844  QWEDFGHNM01LKJNB70.exe  101
  PID 2388 wrote to memory of 3860  2388  cmd.exe                 103
  PID 2388 wrote to memory of 3860  2388  cmd.exe                 103
  PID 2388 wrote to memory of 3860  2388  cmd.exe                 103
  PID 4844 wrote to memory of 3868  4844  QWEDFGHNM01LKJNB70.exe  104
  PID 4844 wrote to memory of 3868  4844  QWEDFGHNM01LKJNB70.exe  104
  PID 4844 wrote to memory of 3868  4844  QWEDFGHNM01LKJNB70.exe  104
  PID 4844 wrote to memory of 3868  4844  QWEDFGHNM01LKJNB70.exe  104
  PID 4844 wrote to memory of 3868  4844  QWEDFGHNM01LKJNB70.exe  104
  PID 4844 wrote to memory of 3868  4844  QWEDFGHNM01LKJNB70.exe  104
  PID 4844 wrote to memory of 3868  4844  QWEDFGHNM01LKJNB70.exe  104
  PID 4844 wrote to memory of 3868  4844  QWEDFGHNM01LKJNB70.exe  104
  PID 2424 wrote to memory of 1900  2424  poijh.exe               107
  PID 2424 wrote to memory of 1900  2424  poijh.exe               107
  PID 2424 wrote to memory of 1900  2424  poijh.exe               107
  PID 2424 wrote to memory of 1444  2424  poijh.exe               108
  PID 2424 wrote to memory of 1444  2424  poijh.exe               108
  PID 2424 wrote to memory of 1444  2424  poijh.exe               108
  PID 2424 wrote to memory of 5016  2424  poijh.exe               110
  PID 2424 wrote to memory of 5016  2424  poijh.exe               110
  PID 2424 wrote to memory of 5016  2424  poijh.exe               110
  PID 2424 wrote to memory of 5016  2424  poijh.exe               110
  PID 2424 wrote to memory of 5016  2424  poijh.exe               110
  PID 2424 wrote to memory of 5016  2424  poijh.exe               110
  PID 2424 wrote to memory of 5016  2424  poijh.exe               110
  PID 2424 wrote to memory of 5016  2424  poijh.exe               110
  PID 1900 wrote to memory of 2196  1900  cmd.exe                 112
  PID 1900 wrote to memory of 2196  1900  cmd.exe                 112
  PID 1900 wrote to memory of 2196  1900  cmd.exe                 112
  PID 3060 wrote to memory of 716   3060  poijh.exe               114
  PID 3060 wrote to memory of 716   3060  poijh.exe               114
  PID 3060 wrote to memory of 716   3060  poijh.exe               114
  PID 3060 wrote to memory of 184   3060  poijh.exe               115
  PID 3060 wrote to memory of 184   3060  poijh.exe               115
  PID 3060 wrote to memory of 184   3060  poijh.exe               115
  PID 3060 wrote to memory of 2140  3060  poijh.exe               117
  PID 3060 wrote to memory of 2140  3060  poijh.exe               117
  PID 3060 wrote to memory of 2140  3060  poijh.exe               117
  PID 3060 wrote to memory of 2140  3060  poijh.exe               117
  PID 3060 wrote to memory of 2140  3060  poijh.exe               117
  PID 3060 wrote to memory of 2140  3060  poijh.exe               117
  PID 3060 wrote to memory of 2140  3060  poijh.exe               117
  PID 3060 wrote to memory of 2140  3060  poijh.exe               117
  PID 716 wrote to memory of 1296   716   cmd.exe                 119
  PID 716 wrote to memory of 1296   716   cmd.exe                 119
  PID 716 wrote to memory of 1296   716   cmd.exe                 119
Processes

C:\Users\Admin\AppData\Local\Temp\QWEDFGHNM01LKJNB70.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\QWEDFGHNM01LKJNB70.exe"
    PID: 4844
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\poijh.exe'" /f
        PID: 2388
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\poijh.exe'" /f
            PID: 3860
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\QWEDFGHNM01LKJNB70.exe" "C:\Users\Admin\AppData\Roaming\poijh.exe"
        PID: 2432
        - System Location Discovery: System Language Discovery

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        PID: 3868
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\poijh.exe
    Command line: C:\Users\Admin\AppData\Roaming\poijh.exe
    PID: 2424
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\poijh.exe'" /f
        PID: 1900
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\poijh.exe'" /f
            PID: 2196
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\poijh.exe" "C:\Users\Admin\AppData\Roaming\poijh.exe"
        PID: 1444
        - System Location Discovery: System Language Discovery

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        PID: 5016
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\poijh.exe
    Command line: C:\Users\Admin\AppData\Roaming\poijh.exe
    PID: 3060
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\poijh.exe'" /f
        PID: 716
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\poijh.exe'" /f
            PID: 1296
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\poijh.exe" "C:\Users\Admin\AppData\Roaming\poijh.exe"
        PID: 184
        - System Location Discovery: System Language Discovery

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        PID: 2140
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 520B
MD5: 3ca2f9e6a94c24c455ac9431a0bf479b
SHA1: a90309eec691588990609f8f8ad9b935d6f38eb2
SHA256: e84d0c64750ec6333b67eb8aef737bb21cd86c6ef6e520c6537ede13505e125e
SHA512: ba66e42b384f0d865a21d9169169a0b2bd9c62ebee68acc63a191b1a67ca16f4534f955055fc84bbc4a9cd22cec11c3c22a15df7741d99b7dec456e5cabcb0b5

Filesize: 425B
MD5: 4eaca4566b22b01cd3bc115b9b0b2196
SHA1: e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256: 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512: bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1