Analysis
max time kernel: 358s
max time network: 317s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09/04/2023, 12:06

Behavioral task: behavioral1
Sample: S_-_500_RAT_G3_2022_Anonymous.rar
Resource: win10-20230220-en
General
Target: S_-_500_RAT_G3_2022_Anonymous.rar
Size: 30.6MB
MD5: 20a1303c72dc7dd859982e9bf45c70c0
SHA1: d1c3a802e0fba35c1aeed1c8720aaf4323a66294
SHA256: 2199752fcd7d8761556b8da40c3509c9fdaa4627e031f0fa32f3d6c103789a3e
SHA512: c69d718ad5f406697f42a080f92c90d9846e160631c0d90beb290536017e3d21600181d6cf4ea367a09b56aa67d8bfbbccd5bc20d9da29ad242d51a49b28fecc
SSDEEP: 393216:JPRH+eRBy7LmiHueI8BdRxvRZopLo4sOxKlpPL4XBnQUbOK+VLAG8RMq9bnAMRkv:HJRqLUAjRxvQsOxKXP8xnSl8RTRZp2
Malware Config
Signatures
Note: the process column below mixes the sample with the sandbox session's own interactive tooling. The process tree shows 7zFM.exe and 7zG.exe extracting the archive, plus taskmgr.exe and OpenWith.exe; only S500RAT.exe (PID 4836), extracted from the RAR, is the dropped sample under test. Signatures attributed to taskmgr.exe, 7-Zip or OpenWith.exe describe those tools, not the sample.

Executes dropped EXE (1 IoC)
pid Process: 4836 S500RAT.exe

Loads dropped DLL (1 IoC)
pid Process: 4836 S500RAT.exe

Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule:
behavioral1/files/0x000600000001afa7-578.dat agile_net
behavioral1/memory/4836-579-0x000001E7C1AB0000-0x000001E7C1CA2000-memory.dmp agile_net

Drops file in Windows directory (2 IoCs)
description ioc Process:
File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(No process or IoC is listed for this signature in the report.)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description ioc Process:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe

Modifies registry class (2 IoCs)
description ioc Process:
Key created \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings cmd.exe
Key created \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings OpenWith.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process: the 64 rows repeat two entries, 828 taskmgr.exe and 4836 S500RAT.exe

Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
pid Process: 1512 OpenWith.exe; 3056 7zFM.exe; 828 taskmgr.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
description pid Process:
Token: SeRestorePrivilege 3056 7zFM.exe
Token: 35 (privilege LUID 35, SeCreateSymbolicLinkPrivilege) 3056 7zFM.exe
Token: SeSecurityPrivilege 3056 7zFM.exe
Token: SeDebugPrivilege 828 taskmgr.exe
Token: SeSystemProfilePrivilege 828 taskmgr.exe
Token: SeCreateGlobalPrivilege 828 taskmgr.exe
Token: SeRestorePrivilege 4148 7zG.exe
Token: 35 (privilege LUID 35, SeCreateSymbolicLinkPrivilege) 4148 7zG.exe
Token: SeSecurityPrivilege 4148 7zG.exe
Token: SeSecurityPrivilege 4148 7zG.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid Process: 3056 7zFM.exe (2 rows); 828 taskmgr.exe (remaining rows); 4148 7zG.exe (1 row)

Suspicious use of SendNotifyMessage (64 IoCs)
pid Process: 828 taskmgr.exe (all 64 rows)

Suspicious use of SetWindowsHookEx (41 IoCs)
pid Process: 1512 OpenWith.exe (39 rows); 4836 S500RAT.exe (2 rows)
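The "Checks SCSI registry key(s)" signature above describes the classic anti-sandbox trick: read the disk's device-instance path or FriendlyName under Enum\SCSI and look for a hypervisor vendor string. The following is an added example, not code from the sandbox report: it parses the three registry paths the report lists (copied verbatim), extracts the Ven_/Prod_ strings, and applies the kind of substring match a naive anti-VM check would use. The HYPERVISOR_MARKERS list and the CONSTRUCTED_VBOX_PATH are assumptions for illustration, not data from the report.

```python
"""
Parse Enum\SCSI registry paths (such as those a sandbox report flags under
"Checks SCSI registry key(s)"), pull out the disk's Ven_/Prod_ strings and
classify them the way a naive string-matching anti-VM check would.

Added example, not part of the sandbox report. REPORT_PATHS are copied from
the report; HYPERVISOR_MARKERS is an assumed list of strings common anti-VM
code looks for, and CONSTRUCTED_VBOX_PATH is a made-up path.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registry keys the report shows being opened/queried (copied verbatim).
REPORT_PATHS: List[str] = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
]

# Constructed path in the shape a VirtualBox guest would produce (assumption).
CONSTRUCTED_VBOX_PATH = (
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1a2b3c4d&0&000000"
)

# Substrings a typical anti-VM check searches for in vendor/product strings.
# Assumed list, not taken from the report.
HYPERVISOR_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN", "MSFT")

# Device-instance segment under Enum\SCSI: <class>&Ven_<vendor>&Prod_<product>
_INSTANCE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ScsiDevice:
    device_class: str
    vendor: str
    product: str

    def looks_like_hypervisor(self) -> bool:
        """What a substring-matching anti-VM check would conclude."""
        haystack = f"{self.vendor} {self.product}".upper()
        return any(marker in haystack for marker in HYPERVISOR_MARKERS)


def parse_scsi_path(path: str) -> Optional[ScsiDevice]:
    """Return the device described by an Enum\\SCSI path, or None if the
    path is not a SCSI device-instance key."""
    m = _INSTANCE_RE.search(path)
    if m is None:
        return None
    return ScsiDevice(m["cls"], m["ven"], m["prod"])


def triage(paths: List[str]) -> Dict[ScsiDevice, bool]:
    """Distinct devices seen in the paths, each mapped to the naive verdict."""
    verdicts: Dict[ScsiDevice, bool] = {}
    for p in paths:
        dev = parse_scsi_path(p)
        if dev is not None:
            verdicts[dev] = dev.looks_like_hypervisor()
    return verdicts


if __name__ == "__main__":
    for dev, is_vm in triage(REPORT_PATHS + [CONSTRUCTED_VBOX_PATH]).items():
        verdict = "hypervisor marker" if is_vm else "no marker"
        print(f"{dev.device_class}: Ven_{dev.vendor} Prod_{dev.product} -> {verdict}")
```

The three report paths collapse to a single device, Disk/DADY/HARDDISK, which matches none of the usual hypervisor markers, while the constructed VBOX path does. That is the practical lesson of this signature: a sandbox can present an arbitrary vendor string, so detection on the defender's side should key on the access pattern (a non-system process opening Enum\SCSI keys and querying FriendlyName) rather than on the strings themselves.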
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous.rar
- Modifies registry class
PID: 3036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID: 1512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 3604

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous.rar"
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 3056

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 828

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\" -spe -an -ai#7zMap24880:138:7zEvent3191
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 4148

C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\S500RAT.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4836

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
PID: 652
Network
MITRE ATT&CK Enterprise v6
Downloads
The entries below are the files the sandbox captured. The report lists S500RAT.exe and the unnamed 142KB file twice each with identical hashes; each is kept once here. The 142KB entry carries no path in the report, and that gap is left as is. ServerCertificate.p12 is a PKCS#12 bundle, a format that normally holds a certificate together with its private key, so its presence in the kit is worth noting and its hashes are a useful pivot.

C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\Certificate\ServerCertificate.p12
Filesize: 4KB
MD5: c60e527a85f285ddc66c2fcf160b1be7
SHA1: abcf2b6bffea9f0f30190783f6eae2434ef7a9a8
SHA256: 35c46a9e9dc60a74a25572e743794a31fecd08672813d349a39f2d13b01e789f
SHA512: 77a661544c2d7f2d8b870cdd503b806aea6de3a2b5aee19327c05aeef137a1df3661d249219fe73e7a300189c732efeb5d2004226c6e429fa024f1d3b1dec84e

C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\Guna.UI2.dll
Filesize: 1.9MB
MD5: 0f07705bd42d86d77dab085c42775244
SHA1: 7e4b5c367183f4753a8d610e353c458c3def3888
SHA256: cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
SHA512: 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\S500RAT.exe
Filesize: 17.2MB
MD5: 22e3b5c6b876c3a3195301daa78a74c9
SHA1: 120e4286764977253acf63d7db8bb33880c3f8d2
SHA256: 02c370db69059ca56ef2346846ec0a23f4e56185a9c13f50a13dd0db894e2d0c
SHA512: ce3e51c28a87cdff9c6531b8f4ac321c91a8fb2b31eb0fd03b19da8aaea4d040c755585c488c3446a5cfb843b60a8c28998f3babfc3e2bce47d4e8d6af46401d

C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\SunnyUI.Common.dll
Filesize: 221KB
MD5: 17cbdd9e4cb0ede2fad8c08c05fdaa84
SHA1: 74bc0ea3e8bd64c6752b6c0adac1bfe2b313416c
SHA256: d975bc4711655e6fd2361ae9b056c617051f616ced5b46ce7772255a85712441
SHA512: 1948c20585ecb9984cd9452a74bcb75e81c35ca37f0cf0e1d3f211ad71b9e40c215f4784af7803cec9baef9984f682a32817a85806aefad21830b13b6a0a6a4a

C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\SunnyUI.dll
Filesize: 2.2MB
MD5: af527b22b92a23c38a492c5961cf2643
SHA1: 15106adfa13415287b3e9d8deba21df53cb92eda
SHA256: 4208c9293c5684d2fc3c8f5a269a1120adee32fbd2766bbb73410aab2d491b7a
SHA512: 543cce9b5e4c9558bf0bd0da9d6af8c1ad2f7d62e2d65a9aa4e3af9e4840ce6fb6bbe8952bd20f6f1e3a6d3b5e5e5b3417a60b6d955bfa4e23a653262677b49c

C:\Users\Admin\AppData\Local\Temp\S_-_500_RAT_G3_2022_Anonymous\S - 500 RAT G3 2022_Anonymous\initialization.dll
Filesize: 19KB
MD5: 3aaae3cec15b86693ae9fb8e1507c872
SHA1: ed8d0a139c609eb886482718ec2ecf96cbbe8c84
SHA256: a027b6b344e5a637bc8377fe58166273d2b76e92ff8c66bd505d46c21fe3b21b
SHA512: 407558e01ade1832bb021b5af0209e7a6bef98ab35b9f4723a1add48362bd13f566697a8fb41af48c0bb15ca13585f9c09ac8d5da0feb322798c778b09cf4463

(path not captured in the report)
Filesize: 142KB
MD5: 9c43f77cb7cff27cb47ed67babe3eda5
SHA1: b0400cf68249369d21de86bd26bb84ccffd47c43
SHA256: f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e
SHA512: cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7
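The hash table above is what a responder actually uses from a report like this: a set of file digests to sweep endpoints for. The following is an added example, not code from the sandbox report or from the kit's authors. It indexes the archive's and the dropped files' MD5/SHA-1/SHA-256 values (copied from the General and Downloads sections above) and walks a directory tree hashing every file once in a single pass, so a renamed or relocated copy is still caught. The files written by self_test() are constructed so the sweep can be exercised offline; only the digests are from the report.

```python
"""
Sweep a directory tree for the files listed in this report, matching on
MD5, SHA-1 or SHA-256 so renamed or moved copies are still found.

Added example, not part of the sandbox report. The digests in REPORT_IOCS
are copied from the report; the files created by self_test() are
constructed for an offline exercise of the sweep.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# (label, md5, sha1, sha256); a digest may be None when it is not known.
Ioc = Tuple[str, Optional[str], Optional[str], Optional[str]]

REPORT_IOCS: List[Ioc] = [
    ("S_-_500_RAT_G3_2022_Anonymous.rar", "20a1303c72dc7dd859982e9bf45c70c0",
     "d1c3a802e0fba35c1aeed1c8720aaf4323a66294",
     "2199752fcd7d8761556b8da40c3509c9fdaa4627e031f0fa32f3d6c103789a3e"),
    ("ServerCertificate.p12", "c60e527a85f285ddc66c2fcf160b1be7",
     "abcf2b6bffea9f0f30190783f6eae2434ef7a9a8",
     "35c46a9e9dc60a74a25572e743794a31fecd08672813d349a39f2d13b01e789f"),
    ("Guna.UI2.dll", "0f07705bd42d86d77dab085c42775244",
     "7e4b5c367183f4753a8d610e353c458c3def3888",
     "cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443"),
    ("S500RAT.exe", "22e3b5c6b876c3a3195301daa78a74c9",
     "120e4286764977253acf63d7db8bb33880c3f8d2",
     "02c370db69059ca56ef2346846ec0a23f4e56185a9c13f50a13dd0db894e2d0c"),
    ("SunnyUI.Common.dll", "17cbdd9e4cb0ede2fad8c08c05fdaa84",
     "74bc0ea3e8bd64c6752b6c0adac1bfe2b313416c",
     "d975bc4711655e6fd2361ae9b056c617051f616ced5b46ce7772255a85712441"),
    ("SunnyUI.dll", "af527b22b92a23c38a492c5961cf2643",
     "15106adfa13415287b3e9d8deba21df53cb92eda",
     "4208c9293c5684d2fc3c8f5a269a1120adee32fbd2766bbb73410aab2d491b7a"),
    ("initialization.dll", "3aaae3cec15b86693ae9fb8e1507c872",
     "ed8d0a139c609eb886482718ec2ecf96cbbe8c84",
     "a027b6b344e5a637bc8377fe58166273d2b76e92ff8c66bd505d46c21fe3b21b"),
    ("unnamed 142KB file (no path in report)", "9c43f77cb7cff27cb47ed67babe3eda5",
     "b0400cf68249369d21de86bd26bb84ccffd47c43",
     "f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e"),
]

ALGOS = ("md5", "sha1", "sha256")  # same order as the Ioc tuple


def hash_file(path: Path) -> Dict[str, str]:
    """Read the file once and return all three hex digests."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def build_index(iocs: List[Ioc]) -> Dict[Tuple[str, str], str]:
    """Map (algo, lowercase hex digest) -> label; unknown digests are skipped."""
    index: Dict[Tuple[str, str], str] = {}
    for label, *digests in iocs:
        for algo, value in zip(ALGOS, digests):
            if value:
                index[(algo, value.lower())] = label
    return index


def sweep(root: Path, iocs: List[Ioc] = REPORT_IOCS) -> List[Tuple[Path, List[str]]]:
    """Return (path, matched labels) for every file under root hitting an IoC."""
    index = build_index(iocs)
    hits: List[Tuple[Path, List[str]]] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        matched = {index[(a, d)] for a, d in hash_file(p).items() if (a, d) in index}
        if matched:
            hits.append((p, sorted(matched)))
    return hits


def self_test() -> List[str]:
    """Constructed offline check: one file matching a SHA-256-only IoC in a
    subdirectory, one file matching nothing. Returns the labels reported."""
    payload = b"constructed sample bytes\n"  # constructed, not from the report
    extra: List[Ioc] = [("constructed-sample", None, None, hashlib.sha256(payload).hexdigest())]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "renamed.bin").write_bytes(payload)
        (root / "benign.txt").write_bytes(b"nothing to see here\n")
        return [label for _, labels in sweep(root, REPORT_IOCS + extra) for label in labels]


if __name__ == "__main__":
    import sys
    for path, labels in sweep(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{path}: {', '.join(labels)}")
```

Run it with a directory argument to sweep that tree; without one it sweeps the current directory. Matching on all three digests at once costs nothing extra (one read per file) and tolerates IoC feeds that only publish one of them, which is why build_index accepts None for missing values.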