Overview

overview

10

Static

static

10

ChromeUpdate.exe

windows7-x64

10

ChromeUpdate.exe

windows10-2004-x64

Analysis

  • max time kernel
    22s
  • max time network
    24s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/01/2025, 13:01

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    ChromeUpdate.exe

  • Size

    119KB

  • MD5

    a39f21db0576a82177ee4c806766d763

  • SHA1

    ee4676f4dedd24003ce1bd972cbce95ef51fa07f

  • SHA256

    825509eb0672d6114194c773b017d5d41d9e67be4fe41f753f9c6bb37b1c32db

  • SHA512

    ea07e5d6f2b8ae0fbf8c1931d844bfbff920b3c9f83d10d38bd76828ed2d8a4b849251a87f5e2ad6bb1e9d9b1e5a75520baf2b70e063f44595e058c433be1133

  • SSDEEP

    3072:IAWfRzlXCwwFwOwWAmm+G/bxqH8QWqzCrAZuuyn1:IAD1SWHe/bgRY

Score
10/10
toxiceyediscoveryrattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Toxiceye family
    toxiceye
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeUpdate.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4832
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7DFA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7DFA.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 2452"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:5068
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:508
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:696
        • C:\Users\ToxicEye\rat.exe
          "rat.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2024
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp7DFA.tmp.bat
      Filesize

      189B

      MD5

      b18e5570c07c9f1a30e6e7cd51a52d8b

      SHA1

      e69297689bd08fe862545fb4308831c1ca5cec27

      SHA256

      09894ba9d6a1d81d0f6022066c0c1d057262b1b2b7e53ee46a2f3778f0887ebd

      SHA512

      d1282ea95ffa9caa6d4d58448d2a4c9e1a27f7b733bc46bdca2eae8f5b5008f5995619169c2f9e7c4d3b779650c2e1da2fbfa64ca2a5a8d9bab0b5e4eb4eeb40

      Download Submit

    • C:\Users\ToxicEye\rat.exe
      Filesize

      119KB

      MD5

      a39f21db0576a82177ee4c806766d763

      SHA1

      ee4676f4dedd24003ce1bd972cbce95ef51fa07f

      SHA256

      825509eb0672d6114194c773b017d5d41d9e67be4fe41f753f9c6bb37b1c32db

      SHA512

      ea07e5d6f2b8ae0fbf8c1931d844bfbff920b3c9f83d10d38bd76828ed2d8a4b849251a87f5e2ad6bb1e9d9b1e5a75520baf2b70e063f44595e058c433be1133

      Download Submit

    • memory/2452-0-0x00007FF8E41C3000-0x00007FF8E41C5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2452-1-0x0000025CF0030000-0x0000025CF0054000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2452-2-0x00007FF8E41C0000-0x00007FF8E4C81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2452-6-0x00007FF8E41C0000-0x00007FF8E4C81000-memory.dmp

      Filesize

      10.8MB

      Download