2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2023 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software_Requirements.exe
Size

111KB
MD5

5b45640a3bd4fdc32df75aa462f5a167
SHA1

fdc2b61ca7b5c31ba48155d364b8797990e2eaee
SHA256

2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4
SHA512

3f3e86e14f0a09bafd374da2417452bc69741e14c2d4e1a4b208a94e1a2c9cd3a0c4336ec23e9b046bcad051aac8d6f05d4477cb516c3700b27f21e023106963
SSDEEP

3072:lb4MOYUuQaS+T8sv8X31OjqOjNhOYRbxqH8QW2zCrAZuRs5:wYUuQaS+T8sv8X31OXN1bgl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Software_Requirements.exerat.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Software_Requirements.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid	Process
4620	rat.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
3560	schtasks.exe
524	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2504	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

Processes:

tasklist.exe

pid	Process
2168	tasklist.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rat.exe

pid	Process
4620	rat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rat.exe

pid	Process
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe
4620	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Software_Requirements.exetasklist.exerat.exe

description	pid	Process
Token: SeDebugPrivilege	4264	Software_Requirements.exe
Token: SeDebugPrivilege	2168	tasklist.exe
Token: SeDebugPrivilege	4620	rat.exe
Token: SeDebugPrivilege	4620	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid	Process
4620	rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Software_Requirements.execmd.exerat.exe

description	pid	Process	procid_target
PID 4264 wrote to memory of 3560	4264	Software_Requirements.exe	81
PID 4264 wrote to memory of 3560	4264	Software_Requirements.exe	81
PID 4264 wrote to memory of 1576	4264	Software_Requirements.exe	83
PID 4264 wrote to memory of 1576	4264	Software_Requirements.exe	83
PID 1576 wrote to memory of 2168	1576	cmd.exe	85
PID 1576 wrote to memory of 2168	1576	cmd.exe	85
PID 1576 wrote to memory of 2316	1576	cmd.exe	86
PID 1576 wrote to memory of 2316	1576	cmd.exe	86
PID 1576 wrote to memory of 2504	1576	cmd.exe	87
PID 1576 wrote to memory of 2504	1576	cmd.exe	87
PID 1576 wrote to memory of 4620	1576	cmd.exe	88
PID 1576 wrote to memory of 4620	1576	cmd.exe	88
PID 4620 wrote to memory of 524	4620	rat.exe	90
PID 4620 wrote to memory of 524	4620	rat.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Software_Requirements.exe
"C:\Users\Admin\AppData\Local\Temp\Software_Requirements.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6B03.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6B03.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 4264"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2316
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2504
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6B03.tmp.bat

Filesize
198B

MD5
ee52e5d6b3b0ba6cdc9b10d7a63440d8

SHA1
732529e23332c71c04b36834302a26102dcee599

SHA256
e5920ef17dd9a2ac7c00a99789a1d89a2eb3b0923b17793f75dc4dec7a59e01d

SHA512
2d4796038abe05365812ea4e40517782a1604c10ba6b40e6a92cc51e01be021ea12bf403cbf34043030d0db57110b403c3ec18f17b78f7ab4bb9c95b25581f71

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
5b45640a3bd4fdc32df75aa462f5a167

SHA1
fdc2b61ca7b5c31ba48155d364b8797990e2eaee

SHA256
2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4

SHA512
3f3e86e14f0a09bafd374da2417452bc69741e14c2d4e1a4b208a94e1a2c9cd3a0c4336ec23e9b046bcad051aac8d6f05d4477cb516c3700b27f21e023106963

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
5b45640a3bd4fdc32df75aa462f5a167

SHA1
fdc2b61ca7b5c31ba48155d364b8797990e2eaee

SHA256
2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4

SHA512
3f3e86e14f0a09bafd374da2417452bc69741e14c2d4e1a4b208a94e1a2c9cd3a0c4336ec23e9b046bcad051aac8d6f05d4477cb516c3700b27f21e023106963

Download Submit
memory/4264-133-0x0000027E07850000-0x0000027E07872000-memory.dmp

Filesize
136KB

Download
memory/4264-134-0x0000027E22C20000-0x0000027E22C30000-memory.dmp

Filesize
64KB

Download
memory/4620-142-0x000001F05A630000-0x000001F05A640000-memory.dmp

Filesize
64KB

Download
memory/4620-143-0x000001F05A630000-0x000001F05A640000-memory.dmp

Filesize
64KB

Download
memory/4620-144-0x000001F076420000-0x000001F076496000-memory.dmp

Filesize
472KB

Download
memory/4620-145-0x000001F076550000-0x000001F0765FA000-memory.dmp

Filesize
680KB

Download
memory/4620-146-0x000001F076120000-0x000001F07613E000-memory.dmp

Filesize
120KB

Download
memory/4620-147-0x000001F05A630000-0x000001F05A640000-memory.dmp

Filesize
64KB

Download
memory/4620-148-0x000001F05A630000-0x000001F05A640000-memory.dmp

Filesize
64KB

Download