samorat | fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46

General

Target

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
Size

1.3MB
MD5

2042fdc08ed48544a98307aec4610251
SHA1

50a6c64a62347c6c87abb65d04803ff23832a7e8
SHA256

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
SHA512

b102fc8105b0a7cca5c33711e83af818dd9c37ff377d252edec69cbb05052387013426bbce38650c0360fb8c94f4796a8232b93f4c5d438caf031a50c4cae591

Score

10^/10

trojan samorat persistence

Malware Config

Signatures

SamoRAT
SamoRAT is a .NET malware used to receive and execute different commands on the infected system.
trojan samorat

ServiceHost packer 6 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/1788-9-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1788-10-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1788-11-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1788-12-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1788-13-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1788-14-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 2 IoCs

Processes:

ProAlts.xyz Token Generator.exeWinServices.exe

pid process

1788 ProAlts.xyz Token Generator.exe
2072 WinServices.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 icanhazip.com

pid	process
1788	ProAlts.xyz Token Generator.exe
2072	WinServices.exe

flow	ioc
2	icanhazip.com

Modifies service 2 TTPs 27 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

WinServices.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Windows Workflow Foundation 4.0.0.0\Linkage\Export = 570069006e0064006f0077007300200057006f0072006b0066006c006f007700200046006f0075006e0064006100740069006f006e00200034002e0030002e0030002e00300000000000	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage\Export = 4d0053004400540043002000420072006900640067006500200033002e0030002e0030002e00300000000000	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0\Linkage\Export = 53006500720076006900630065004d006f00640065006c0045006e00640070006f0069006e007400200033002e0030002e0030002e00300000000000	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ServiceModelService 3.0.0.0\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 3.0.0.0\Linkage\Export = 53004d0053007600630048006f0073007400200033002e0030002e0030002e00300000000000	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0\Linkage\Export = 570069006e0064006f0077007300200057006f0072006b0066006c006f007700200046006f0075006e0064006100740069006f006e00200033002e0030002e0030002e00300000000000	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.NET Data Provider for SqlServer\Linkage	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Windows Workflow Foundation 4.0.0.0\Linkage	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 4.0.0.0\Linkage	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 3.0.0.0\Linkage	WinServices.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rdyboost\Performance\1023 = "132387741355857358"	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.NET Data Provider for Oracle\Linkage	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 4.0.0.0\Linkage\Export = 4d0053004400540043002000420072006900640067006500200034002e0030002e0030002e00300000000000	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ServiceModelOperation 3.0.0.0\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ServiceModelOperation 3.0.0.0\Linkage\Export = 53006500720076006900630065004d006f00640065006c004f007000650072006100740069006f006e00200033002e0030002e0030002e00300000000000	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 4.0.0.0\Linkage\Export = 53004d0053007600630048006f0073007400200034002e0030002e0030002e00300000000000	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Networking 4.0.0.0\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage\Export = 2e004e004500540020004d0065006d006f0072007900200043006100630068006500200034002e00300000000000	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 4.0.0.0\Linkage	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.NET CLR Data\Linkage	WinServices.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ServiceModelService 3.0.0.0\Linkage\Export = 53006500720076006900630065004d006f00640065006c005300650072007600690063006500200033002e0030002e0030002e00300000000000	WinServices.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0\Linkage	WinServices.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

64 1788 WerFault.exe ProAlts.xyz Token Generator.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4004 schtasks.exe

pid	pid_target	process	target process
64	1788	WerFault.exe	ProAlts.xyz Token Generator.exe

pid	process
4004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

WinServices.exeWerFault.exe

pid	process
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
64	WerFault.exe
64	WerFault.exe
64	WerFault.exe
64	WerFault.exe
64	WerFault.exe
64	WerFault.exe
64	WerFault.exe
64	WerFault.exe
64	WerFault.exe
64	WerFault.exe
64	WerFault.exe
64	WerFault.exe
64	WerFault.exe
64	WerFault.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe
2072	WinServices.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WinServices.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2072	WinServices.exe
Token: SeRestorePrivilege	64	WerFault.exe
Token: SeBackupPrivilege	64	WerFault.exe
Token: SeDebugPrivilege	64	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exeWinServices.execmd.exe

description	pid	process	target process
PID 1720 wrote to memory of 1788	1720	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	ProAlts.xyz Token Generator.exe
PID 1720 wrote to memory of 1788	1720	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	ProAlts.xyz Token Generator.exe
PID 1720 wrote to memory of 1788	1720	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	ProAlts.xyz Token Generator.exe
PID 1720 wrote to memory of 2072	1720	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	WinServices.exe
PID 1720 wrote to memory of 2072	1720	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	WinServices.exe
PID 1720 wrote to memory of 2072	1720	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	WinServices.exe
PID 2072 wrote to memory of 3832	2072	WinServices.exe	cmd.exe
PID 2072 wrote to memory of 3832	2072	WinServices.exe	cmd.exe
PID 2072 wrote to memory of 3832	2072	WinServices.exe	cmd.exe
PID 3832 wrote to memory of 4004	3832	cmd.exe	schtasks.exe
PID 3832 wrote to memory of 4004	3832	cmd.exe	schtasks.exe
PID 3832 wrote to memory of 4004	3832	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
"C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\ProgramData\ProAlts.xyz Token Generator.exe
"C:\ProgramData\ProAlts.xyz Token Generator.exe"
2⤵
- Executes dropped EXE
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1088
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\ProgramData\WinServices.exe
"C:\ProgramData\WinServices.exe"
2⤵
- Executes dropped EXE
- Modifies service
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'
4⤵
- Creates scheduled task(s)
PID:4004

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ProAlts.xyz Token Generator.exe

Download Submit
C:\ProgramData\ProAlts.xyz Token Generator.exe

Download Submit
C:\ProgramData\WinServices.exe

Download Submit
C:\ProgramData\WinServices.exe

Download Submit
memory/64-15-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/64-8-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/1788-13-0x0000000000000000-mapping.dmp

Download
memory/1788-10-0x0000000000000000-mapping.dmp

Download
memory/1788-14-0x0000000000000000-mapping.dmp

Download
memory/1788-9-0x0000000000000000-mapping.dmp

Download
memory/1788-0-0x0000000000000000-mapping.dmp

Download
memory/1788-11-0x0000000000000000-mapping.dmp

Download
memory/1788-12-0x0000000000000000-mapping.dmp

Download
memory/2072-16-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/2072-3-0x0000000000000000-mapping.dmp

Download
memory/2072-17-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/2072-18-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/2072-19-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/2072-20-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/2072-21-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/2072-40-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/3832-6-0x0000000000000000-mapping.dmp

Download
memory/4004-7-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads