Analysis
- max time kernel: 153s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 23-09-2021 06:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe
- Resource: win7-en-20210920
General
- Target: f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe
- Size: 1.7MB
- MD5: 8e6fb813fdbfb1b6815c8f7c47a5ac13
- SHA1: 4b8c92a3a6c63d6c296b0c121619b23599168030
- SHA256: f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30
- SHA512: 374fab3c87d3e03fd14081939833b1ac6192d7c35d86e6fef936bc6fd15f80e4b9f6fa09dd1bf8ba60b75f97e5603783c1b28fc673e47a4c9bc44bbaebdf28f4
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\Chrome.exe" | RAT.EXE

Modifies security service (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | Chrome.exe

Executes dropped EXE (5 IoCs)
Processes:
  pid | process
  4196 | CHROME.EXE
  4088 | RAT.EXE
  4376 | CHROME.EXE
  4556 | Chrome.exe
  4604 | CHROME.EXE

UPX packed file (4 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\RAT.EXE | upx
  C:\Users\Admin\AppData\Local\Temp\RAT.EXE | upx
  C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe | upx
  C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe | upx

Windows security modification (2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Chrome.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Chrome.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\Chrome.exe" | RAT.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  4556 | Chrome.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: RAT.EXE (pid 4088) and Chrome.exe (pid 4556). Each process adjusted the same 24 token privileges, listed here in the order recorded:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  4556 | Chrome.exe

Suspicious use of WriteProcessMemory (40 IoCs)
Processes (identical rows are grouped; the count column gives the number of times each write was recorded):
  description | pid | process | target process | count
  PID 3608 wrote to memory of 4088 | 3608 | f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe | RAT.EXE | 3
  PID 4088 wrote to memory of 3940 | 4088 | RAT.EXE | cmd.exe | 3
  PID 4088 wrote to memory of 1908 | 4088 | RAT.EXE | cmd.exe | 3
  PID 3940 wrote to memory of 4336 | 3940 | cmd.exe | attrib.exe | 3
  PID 1908 wrote to memory of 4352 | 1908 | cmd.exe | attrib.exe | 3
  PID 4088 wrote to memory of 4556 | 4088 | RAT.EXE | Chrome.exe | 3
  PID 4556 wrote to memory of 4508 | 4556 | Chrome.exe | notepad.exe | 22

System policy modification (1 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | Chrome.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | Chrome.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | Chrome.exe

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
  pid | process
  4336 | attrib.exe
  4352 | attrib.exe
Processes (tree; indentation shows parent/child depth)

depth 1: C:\Users\Admin\AppData\Local\Temp\f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe"
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"
    - Executes dropped EXE

  depth 2: C:\Users\Admin\AppData\Local\Temp\RAT.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\RAT.EXE"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    depth 3: C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RAT.EXE" +s +h
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Windows\SysWOW64\attrib.exe
        command line: attrib "C:\Users\Admin\AppData\Local\Temp\RAT.EXE" +s +h
        - Views/modifies file attributes

    depth 3: C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Windows\SysWOW64\attrib.exe
        command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Views/modifies file attributes

    depth 3: C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
      command line: "C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"
      - Executes dropped EXE

    depth 3: C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe
      command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe"
      - Modifies security service
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

      depth 4: C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
        command line: "C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"
        - Executes dropped EXE

      depth 4: C:\Windows\SysWOW64\notepad.exe
        command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe
  MD5 f5f8623a89fd87a2cfd4a16976ae1a86
  SHA1 a3324a1def25c62b5999956acd4707368f724bb6
  SHA256 1a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd
  SHA512 0f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938
-
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
  MD5 ea66582423b8ed237daae8b927191f22
  SHA1 3430aaba69b10b33853e3187f640c91fa50f97cc
  SHA256 fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1
  SHA512 2d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8
-
C:\Users\Admin\AppData\Local\Temp\RAT.EXE
  MD5 f5f8623a89fd87a2cfd4a16976ae1a86
  SHA1 a3324a1def25c62b5999956acd4707368f724bb6
  SHA256 1a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd
  SHA512 0f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938
-
memory/1908-121-0x0000000000000000-mapping.dmp
-
memory/3940-120-0x0000000000000000-mapping.dmp
-
memory/4088-124-0x0000000000C60000-0x0000000000C61000-memory.dmp (Filesize 4KB)
-
memory/4088-117-0x0000000000000000-mapping.dmp
-
memory/4336-125-0x0000000000000000-mapping.dmp
-
memory/4352-126-0x0000000000000000-mapping.dmp
-
memory/4508-133-0x0000000000000000-mapping.dmp
-
memory/4508-134-0x0000000000810000-0x00000000008BE000-memory.dmp (Filesize 696KB)
-
memory/4556-127-0x0000000000000000-mapping.dmp
-
memory/4556-132-0x00000000006A0000-0x00000000007EA000-memory.dmp (Filesize 1.3MB)