Analysis
max time kernel: 54s
max time network: 58s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/03/2025, 19:30
Static task: static1
Behavioral task: behavioral1
  Sample: c502384c7e37f78fdea4508cb3e33bb19e464e6a1c0a3ad3c6bbab07ad689682.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c502384c7e37f78fdea4508cb3e33bb19e464e6a1c0a3ad3c6bbab07ad689682.exe
  Resource: win10v2004-20250314-en
General
Target: c502384c7e37f78fdea4508cb3e33bb19e464e6a1c0a3ad3c6bbab07ad689682.exe
Size: 3.1MB
MD5: 318dd600d5df858f9b12e161c1cdf794
SHA1: d4eba922ccb8c301708f1b67f8e17fb5ae09aae5
SHA256: c502384c7e37f78fdea4508cb3e33bb19e464e6a1c0a3ad3c6bbab07ad689682
SHA512: 7ec7944dc920d464a1d7370b60b7a65cfdb2c46be731e00e6631b8cb9e2307a7bb14282b0148bc2cbe241b2357f4f1466b68dfb9595446fa80446e27f65ba8bb
SSDEEP: 98304:DB3EVGIP9YVclwvxe3MLRWcq2cFhimdztR+Vm/2Z:DpGP9MycxijciFhrzd/2
Malware Config
Extracted
family: asyncrat
version: 5.0.5
botnet: Venom Clients
C2: 178.117.80.225:3998
mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
attributes:
  delay: 1
  install: false
  install_folder: %AppData%
Signatures
Asyncrat family
Async RAT payload (1 IoC)
resource: behavioral1/files/0x00320000000174cc-20.dat, yara_rule: family_asyncrat
Executes dropped EXE (1 IoC)
pid 2600, process Client.exe
Loads dropped DLL (1 IoC)
pid 3028, process RegAsm.exe
Suspicious use of SetThreadContext (1 IoC)
PID 2140 set thread context of 3028 (pid 2140, process c502384c7e37f78fdea4508cb3e33bb19e464e6a1c0a3ad3c6bbab07ad689682.exe, procid_target 31)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by c502384c7e37f78fdea4508cb3e33bb19e464e6a1c0a3ad3c6bbab07ad689682.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by RegAsm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid 2612, process WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege (pid 2600, process Client.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid 2612, process WINWORD.EXE (2 events)
Suspicious use of WriteProcessMemory (24 IoCs)
PID 2140 wrote to memory of 3028 (pid 2140, process c502384c7e37f78fdea4508cb3e33bb19e464e6a1c0a3ad3c6bbab07ad689682.exe, procid_target 31), 12 events
PID 3028 wrote to memory of 2612 (pid 3028, process RegAsm.exe, procid_target 32), 4 events
PID 3028 wrote to memory of 2600 (pid 3028, process RegAsm.exe, procid_target 33), 4 events
PID 2612 wrote to memory of 2160 (pid 2612, process WINWORD.EXE, procid_target 34), 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\c502384c7e37f78fdea4508cb3e33bb19e464e6a1c0a3ad3c6bbab07ad689682.exe (depth 1, PID 2140)
  command line: "C:\Users\Admin\AppData\Local\Temp\c502384c7e37f78fdea4508cb3e33bb19e464e6a1c0a3ad3c6bbab07ad689682.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 2, PID 3028)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 3, PID 2612)
      command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cursus seksualiteit.docx"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\splwow64.exe (depth 4, PID 2160)
        command line: C:\Windows\splwow64.exe 12288
    C:\Users\Admin\AppData\Local\Temp\Client.exe (depth 3, PID 2600)
      command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.0MB
MD5: 176899821365a34a50d9ee5c4f4044b5
SHA1: b42fe4994783ce6e1953733829725ff9b777a0af
SHA256: 2a97558d06310beb60ed50a09b1217bace657c2364b07d3d6437aac0e3119255
SHA512: 539995f36da84bd4d952e4934105c54bc87258ee23f53a89e66aad895cb3612003efb114dd58e0b51f216701ac436945551fc82653ea18b5c52c83e14b1e5ef0

Filesize: 63KB
MD5: 065916df76a29b60fae9879d48f6a23c
SHA1: 39955f523f47653e72758e4a504ba2b28f65ae67
SHA256: 281246ed2415cc6b47bdaa3af0910a7f0fc97a854e4b146a88469b97225bda9b
SHA512: dbf17e5ed7cc22b80ccc2626dc33206d207432bc18693e51d7ecf86a93b2a8ebfc25842fecdbe69d1379bc3218f4a0017dd75bb5abc60e244465d37a15abb133