e54384fe872d30bf574d7b80311ce1c6d9f86a8db7b6e47cbd03069eea1bdd61

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-12-2022 14:47

Target

HEUR-Trojan.Win32.RRAT.exe
Size

16KB
MD5

7310548654a0e1bd553ae65d58701160
SHA1

792c541411b7ab41ad6caa4df4676fa8006edebc
SHA256

e54384fe872d30bf574d7b80311ce1c6d9f86a8db7b6e47cbd03069eea1bdd61
SHA512

6c51afaa33dbe29f8eedc29ccf1de8740e0b4989c1542af954380e3b5a6472c4253a1dd57f4ef32155a3c66fe958d080b6d2e91c5b25d916155df1d039f209c1
SSDEEP

384:qpi1PKtl50TsvD9oDPlMNcLlb5sVK4yv5Ct:qpi1PKtlMOclMNEvo

Score

1^/10

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

HEUR-Trojan.Win32.RRAT.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	HEUR-Trojan.Win32.RRAT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HEUR-Trojan.Win32.RRAT.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HEUR-Trojan.Win32.RRAT.exe

description pid process

Token: SeDebugPrivilege 2032 HEUR-Trojan.Win32.RRAT.exe

description	pid	process
Token: SeDebugPrivilege	2032	HEUR-Trojan.Win32.RRAT.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/2032-54-0x000007FEF3C30000-0x000007FEF4653000-memory.dmp

Filesize
10.1MB

Download
memory/2032-55-0x000007FEF28F0000-0x000007FEF3986000-memory.dmp

Filesize
16.6MB

Download