8b3bdad2dd69a75334ed5434f78dff3dbcc9d9654bdc696be84e75ce69d19a6a

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2023 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe
Size

111KB
MD5

5b45640a3bd4fdc32df75aa462f5a167
SHA1

fdc2b61ca7b5c31ba48155d364b8797990e2eaee
SHA256

2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4
SHA512

3f3e86e14f0a09bafd374da2417452bc69741e14c2d4e1a4b208a94e1a2c9cd3a0c4336ec23e9b046bcad051aac8d6f05d4477cb516c3700b27f21e023106963
SSDEEP

3072:lb4MOYUuQaS+T8sv8X31OjqOjNhOYRbxqH8QW2zCrAZuRs5:wYUuQaS+T8sv8X31OXN1bgl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exerat.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid	Process
4428	rat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
648	schtasks.exe
3088	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2408	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

Processes:

tasklist.exe

pid	Process
3156	tasklist.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rat.exe

pid	Process
4428	rat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rat.exe

pid	Process
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe
4428	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exetasklist.exerat.exe

description	pid	Process
Token: SeDebugPrivilege	4664	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe
Token: SeDebugPrivilege	3156	tasklist.exe
Token: SeDebugPrivilege	4428	rat.exe
Token: SeDebugPrivilege	4428	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid	Process
4428	rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.execmd.exerat.exe

description	pid	Process	procid_target
PID 4664 wrote to memory of 648	4664	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe	87
PID 4664 wrote to memory of 648	4664	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe	87
PID 4664 wrote to memory of 4456	4664	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe	89
PID 4664 wrote to memory of 4456	4664	2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe	89
PID 4456 wrote to memory of 3156	4456	cmd.exe	91
PID 4456 wrote to memory of 3156	4456	cmd.exe	91
PID 4456 wrote to memory of 4728	4456	cmd.exe	92
PID 4456 wrote to memory of 4728	4456	cmd.exe	92
PID 4456 wrote to memory of 2408	4456	cmd.exe	93
PID 4456 wrote to memory of 2408	4456	cmd.exe	93
PID 4456 wrote to memory of 4428	4456	cmd.exe	94
PID 4456 wrote to memory of 4428	4456	cmd.exe	94
PID 4428 wrote to memory of 3088	4428	rat.exe	98
PID 4428 wrote to memory of 3088	4428	rat.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe
"C:\Users\Admin\AppData\Local\Temp\2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp124F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp124F.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 4664"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4728
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2408
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:3088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp124F.tmp.bat

Filesize
241B

MD5
19e0c3a438b1767c51a4b91f98c38053

SHA1
d549a9dcd7934a71d9e67560f3daed37ae707abb

SHA256
3935a7d2946d755f8131b01bdb28cf2c10e4cd7aaab69e744dab82983e0dd9f2

SHA512
782ddbe919b53e4721947d0e1b5875844961980f38c2e5d90baef465732a505c48694191a48127d9038ba98c90602377769f631b44d09a62beb634e0e92a8448

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
5b45640a3bd4fdc32df75aa462f5a167

SHA1
fdc2b61ca7b5c31ba48155d364b8797990e2eaee

SHA256
2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4

SHA512
3f3e86e14f0a09bafd374da2417452bc69741e14c2d4e1a4b208a94e1a2c9cd3a0c4336ec23e9b046bcad051aac8d6f05d4477cb516c3700b27f21e023106963

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
5b45640a3bd4fdc32df75aa462f5a167

SHA1
fdc2b61ca7b5c31ba48155d364b8797990e2eaee

SHA256
2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4

SHA512
3f3e86e14f0a09bafd374da2417452bc69741e14c2d4e1a4b208a94e1a2c9cd3a0c4336ec23e9b046bcad051aac8d6f05d4477cb516c3700b27f21e023106963

Download Submit
memory/4428-142-0x0000023733AE0000-0x0000023733AF0000-memory.dmp

Filesize
64KB

Download
memory/4428-143-0x0000023733AE0000-0x0000023733AF0000-memory.dmp

Filesize
64KB

Download
memory/4428-144-0x0000023733AE0000-0x0000023733AF0000-memory.dmp

Filesize
64KB

Download
memory/4428-145-0x0000023733AE0000-0x0000023733AF0000-memory.dmp

Filesize
64KB

Download
memory/4664-133-0x000001EB84080000-0x000001EB840A2000-memory.dmp

Filesize
136KB

Download
memory/4664-134-0x000001EB85F30000-0x000001EB85F40000-memory.dmp

Filesize
64KB

Download