8b3bdad2dd69a75334ed5434f78dff3dbcc9d9654bdc696be84e75ce69d19a6a

General

Target

2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe
Size

111KB
MD5

5b45640a3bd4fdc32df75aa462f5a167
SHA1

fdc2b61ca7b5c31ba48155d364b8797990e2eaee
SHA256

2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4
SHA512

3f3e86e14f0a09bafd374da2417452bc69741e14c2d4e1a4b208a94e1a2c9cd3a0c4336ec23e9b046bcad051aac8d6f05d4477cb516c3700b27f21e023106963
SSDEEP

3072:lb4MOYUuQaS+T8sv8X31OjqOjNhOYRbxqH8QW2zCrAZuRs5:wYUuQaS+T8sv8X31OXN1bgl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1928	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1580	rat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
572	1580	WerFault.exe	37

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1512	schtasks.exe
1936	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1016	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
824	tasklist.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1580	rat.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1580	rat.exe
1580	rat.exe
1580	rat.exe
1580	rat.exe
1580	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe
Token: SeDebugPrivilege	824	tasklist.exe
Token: SeDebugPrivilege	1580	rat.exe
Token: SeDebugPrivilege	1580	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1580	rat.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1512	1192	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe	30
PID 1192 wrote to memory of 1512	1192	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe	30
PID 1192 wrote to memory of 1512	1192	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe	30
PID 1192 wrote to memory of 1928	1192	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe	32
PID 1192 wrote to memory of 1928	1192	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe	32
PID 1192 wrote to memory of 1928	1192	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe	32
PID 1928 wrote to memory of 824	1928	cmd.exe	34
PID 1928 wrote to memory of 824	1928	cmd.exe	34
PID 1928 wrote to memory of 824	1928	cmd.exe	34
PID 1928 wrote to memory of 1676	1928	cmd.exe	35
PID 1928 wrote to memory of 1676	1928	cmd.exe	35
PID 1928 wrote to memory of 1676	1928	cmd.exe	35
PID 1928 wrote to memory of 1016	1928	cmd.exe	36
PID 1928 wrote to memory of 1016	1928	cmd.exe	36
PID 1928 wrote to memory of 1016	1928	cmd.exe	36
PID 1928 wrote to memory of 1580	1928	cmd.exe	37
PID 1928 wrote to memory of 1580	1928	cmd.exe	37
PID 1928 wrote to memory of 1580	1928	cmd.exe	37
PID 1580 wrote to memory of 1936	1580	rat.exe	39
PID 1580 wrote to memory of 1936	1580	rat.exe	39
PID 1580 wrote to memory of 1936	1580	rat.exe	39
PID 1580 wrote to memory of 572	1580	rat.exe	41
PID 1580 wrote to memory of 572	1580	rat.exe	41
PID 1580 wrote to memory of 572	1580	rat.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe
"C:\Users\Admin\AppData\Local\Temp\2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1CF4.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1CF4.tmp.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1192"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1676
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1016
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:1936
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1580 -s 1736
      4⤵
      Program crash
      PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1CF4.tmp.bat

Filesize
241B

MD5
bdaa517121b0b0f9c651f5d70df2a687

SHA1
d5ea69d82174c719572f962f325d215f38c47749

SHA256
546875c7b58caf7fcb3079f6033e7f551b3cf25f24022300ab88136141dfd902

SHA512
e8a752980a02805455a82301b0c6b0843e3d268127c2762f34cf7750bad4e324d8356d552f7467b99ee65a9c5fd95eb9e2f9f48b87e2b8db22ea54612b28bd7f

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
5b45640a3bd4fdc32df75aa462f5a167

SHA1
fdc2b61ca7b5c31ba48155d364b8797990e2eaee

SHA256
2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4

SHA512
3f3e86e14f0a09bafd374da2417452bc69741e14c2d4e1a4b208a94e1a2c9cd3a0c4336ec23e9b046bcad051aac8d6f05d4477cb516c3700b27f21e023106963

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
5b45640a3bd4fdc32df75aa462f5a167

SHA1
fdc2b61ca7b5c31ba48155d364b8797990e2eaee

SHA256
2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4

SHA512
3f3e86e14f0a09bafd374da2417452bc69741e14c2d4e1a4b208a94e1a2c9cd3a0c4336ec23e9b046bcad051aac8d6f05d4477cb516c3700b27f21e023106963

Download Submit
memory/1192-54-0x0000000000150000-0x0000000000172000-memory.dmp

Filesize
136KB

Download
memory/1192-55-0x000000001ADA0000-0x000000001AE20000-memory.dmp

Filesize
512KB

Download
memory/1580-62-0x0000000001210000-0x0000000001232000-memory.dmp

Filesize
136KB

Download
memory/1580-63-0x000000001B060000-0x000000001B0E0000-memory.dmp

Filesize
512KB

Download
memory/1580-64-0x000000001B060000-0x000000001B0E0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads