Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 16:47
Static task: static1
Behavioral task: behavioral1
- Sample: 13273e8bbcd46160e0f3e1e7095b0a0ed79fe4f592871661a34a3068c0c1a174.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 13273e8bbcd46160e0f3e1e7095b0a0ed79fe4f592871661a34a3068c0c1a174.dll
- Resource: win10v2004-20220414-en
General
- Target: 13273e8bbcd46160e0f3e1e7095b0a0ed79fe4f592871661a34a3068c0c1a174.dll
- Size: 4.0MB
- MD5: a37a6a4e999d48740013ee70916a392c
- SHA1: c7cbab63161c97a309b94cd9960660b72fb8eb67
- SHA256: 13273e8bbcd46160e0f3e1e7095b0a0ed79fe4f592871661a34a3068c0c1a174
- SHA512: 542a32839881c42b877ff6aa5f296cae21357a7fb4c04fb37ca07da6623941dcc74a1b9a6b8e577a43fd5853c68d8a6d2f51d5ecc4c3185b258d7554edcca18a
Malware Config
Signatures
- VanillaRat
  VanillaRat is an advanced remote administration tool coded in C#.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Vanilla Rat Payload (6 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/584-80-0x0000000000400000-0x0000000000422000-memory.dmp  vanillarat
    behavioral1/memory/584-81-0x0000000000400000-0x0000000000422000-memory.dmp  vanillarat
    behavioral1/memory/584-83-0x000000000041DC2E-mapping.dmp                    vanillarat
    behavioral1/memory/584-82-0x0000000000400000-0x0000000000422000-memory.dmp  vanillarat
    behavioral1/memory/584-86-0x0000000000400000-0x0000000000422000-memory.dmp  vanillarat
    behavioral1/memory/584-88-0x0000000000400000-0x0000000000422000-memory.dmp  vanillarat
- Executes dropped EXE (4 IoCs)
  Processes (pid / process):
    1432  pcstat.exe
    2020  RandoInjector.exe
    304   FATALITTTT.exe
    584   svhost.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  rundll32.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   rundll32.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine  rundll32.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid / process):
    908  rundll32.exe
    304  FATALITTTT.exe
    304  FATALITTTT.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce  pcstat.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  pcstat.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid / process):
    908  rundll32.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 304 set thread context of 584  304  FATALITTTT.exe  svhost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NTFS ADS (1 IoC)
  Processes (description / ioc / process):
    File created  C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier  cmd.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
    908   rundll32.exe
    2020  RandoInjector.exe
    304   FATALITTTT.exe
    304   FATALITTTT.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege            304  FATALITTTT.exe
    Token: 33                          304  FATALITTTT.exe
    Token: SeIncBasePriorityPrivilege  304  FATALITTTT.exe
- Suspicious use of WriteProcessMemory (44 IoCs)
  Processes (description / pid / process / target process; identical rows collapsed, with the number of times each row appears):
    PID 548 wrote to memory of 908    548   rundll32.exe    rundll32.exe       (x7)
    PID 908 wrote to memory of 1432   908   rundll32.exe    pcstat.exe         (x4)
    PID 1432 wrote to memory of 2020  1432  pcstat.exe      RandoInjector.exe  (x4)
    PID 1432 wrote to memory of 304   1432  pcstat.exe      FATALITTTT.exe     (x4)
    PID 304 wrote to memory of 1864   304   FATALITTTT.exe  cmd.exe            (x4)
    PID 304 wrote to memory of 916    304   FATALITTTT.exe  cmd.exe            (x4)
    PID 916 wrote to memory of 1112   916   cmd.exe         reg.exe            (x4)
    PID 304 wrote to memory of 268    304   FATALITTTT.exe  cmd.exe            (x4)
    PID 304 wrote to memory of 584    304   FATALITTTT.exe  svhost.exe         (x9)
Processes (tree; the number is the depth in the process tree)
1  C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13273e8bbcd46160e0f3e1e7095b0a0ed79fe4f592871661a34a3068c0c1a174.dll,#1
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\SysWOW64\rundll32.exe
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13273e8bbcd46160e0f3e1e7095b0a0ed79fe4f592871661a34a3068c0c1a174.dll,#1
     - Checks BIOS information in registry
     - Identifies Wine through registry keys
     - Loads dropped DLL
     - Suspicious use of NtSetInformationThreadHideFromDebugger
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
    3  C:\Users\Admin\AppData\Local\Temp\pcstat.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\pcstat.exe"
       - Executes dropped EXE
       - Adds Run key to start application
       - Suspicious use of WriteProcessMemory
      4  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RandoInjector.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RandoInjector.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
      4  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FATALITTTT.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FATALITTTT.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5  C:\Windows\SysWOW64\cmd.exe
           Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/IXP000.TMP/FATALITTTT.exe" "%temp%\FolderN\name.exe" /Y
        5  C:\Windows\SysWOW64\cmd.exe
           Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
           - Suspicious use of WriteProcessMemory
          6  C:\Windows\SysWOW64\reg.exe
             Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
        5  C:\Windows\SysWOW64\cmd.exe
           Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
           - NTFS ADS
        5  C:\Users\Admin\AppData\Local\Temp\svhost.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
           - Executes dropped EXE