Analysis
max time kernel: 135s
max time network: 153s
platform: windows7_x64
resource: win7-20230705-en
resource tags: arch:x64, arch:x86, image:win7-20230705-en, locale:en-us, os:windows7-x64, system
submitted: 09-07-2023 14:55
Behavioral task
behavioral1
Sample
download.exe
Resource
win7-20230705-en
General
Target: download.exe
Size: 114KB
MD5: 3d31c31ef4a60bf94a3d70abc8c6dfe3
SHA1: 03912837c3f31bcd0c6f0c2aaa68cd3535d8cc99
SHA256: 6957a1d41318c04e7086774c6822dff2684a62300ece32225e1080cd0acc8a49
SHA512: 5ba7dd53e3b4af4442b8f33d8882b19698fb6c9262b5bc2fcbc6841b8ce9cc85c9e7eea8a317358aba9849fd33d86c82abf39bc6d44f8b9b98a7cd93b5baeed1
SSDEEP: 3072:AJZKnPE2YyJzELtyTRyYeY8lNgoiJ+sX8HFvytbwN4:AJZKBI0RyYeY4eoiJ+sCFvj
Malware Config
Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.

Vanilla Rat payload (7 IoCs)
resource | yara_rule
behavioral1/memory/1984-54-0x00000000010B0000-0x00000000010D2000-memory.dmp | vanillarat
behavioral1/memory/1984-55-0x0000000001000000-0x0000000001040000-memory.dmp | vanillarat
behavioral1/files/0x000b000000013a15-58.dat | vanillarat
behavioral1/files/0x000b000000013a15-61.dat | vanillarat
behavioral1/files/0x000b000000013a15-62.dat | vanillarat
behavioral1/memory/2320-63-0x0000000000E10000-0x0000000000E32000-memory.dmp | vanillarat
behavioral1/memory/2320-64-0x0000000004B70000-0x0000000004BB0000-memory.dmp | vanillarat
The rule matches both in the memory of the submitted process (PID 1984) and of the dropped copy it launches (PID 2320), as well as in the three dropped-file events.
Executes dropped EXE (1 IoC)
pid | Process
2320 | download.exe

Loads dropped DLL (1 IoC)
pid | Process
1984 | download.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\download = "C:\\Users\\Admin\\AppData\\Roaming\\download.exe" | download.exe
The value is written under the sandbox user's own hive (HKCU, SID ending in -1000), so the copy dropped to %APPDATA% is relaunched at each logon of that user; no administrative rights are needed for this persistence.
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1984 | download.exe
Token: SeDebugPrivilege | 2320 | download.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2320 | download.exe
SetWindowsHookEx installs a Windows message hook; a keyboard hook is the usual keylogging mechanism, but the report does not record which hook type was installed.

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1984 wrote to memory of 2320 | 1984 | download.exe | 27
PID 1984 wrote to memory of 2320 | 1984 | download.exe | 27
PID 1984 wrote to memory of 2320 | 1984 | download.exe | 27
PID 1984 wrote to memory of 2320 | 1984 | download.exe | 27
All four events are the original process (PID 1984) writing into the dropped copy it launched (PID 2320).
Processes
C:\Users\Admin\AppData\Local\Temp\download.exe  "C:\Users\Admin\AppData\Local\Temp\download.exe"  (PID 1984)
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\download.exe  "C:\Users\Admin\AppData\Roaming\download.exe"  (PID 2320, child of 1984)
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
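Host-side check for the persistence and dropped-file indicators recorded above, added here as a worked example; it is not part of the sandbox report and not VanillaRat code. It assumes only what the report lists: the SHA256 of the sample, the Run value name `download`, and the `%APPDATA%\download.exe` drop path. `Get-FileHash` requires PowerShell 4.0 or later, so a Windows 7 host still on the stock PowerShell 2.0 needs WMF updated before this runs.

```powershell
# Added example: hunt for the Run-key persistence and the dropped copy on a live host.
# Run in an elevated PowerShell session (HKLM Run needs admin to read fully).
# The IoC values below are taken from the report; everything else is an assumption.

$KnownBadSha256 = '6957a1d41318c04e7086774c6822dff2684a62300ece32225e1080cd0acc8a49'
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyTargets {
    # Emit one object per Run value, with the executable path extracted from the command line
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            $raw = [string]$p.Value
            # Quoted path: take what is inside the quotes; otherwise the first token
            $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' ')[0] }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $exe }
        }
    }
}

foreach ($entry in Get-RunKeyTargets) {
    $flags = @()
    # Autostart pointing into a user-writable profile directory is the first signal,
    # independent of whether the file name still matches the sample.
    if ($entry.Target -like '*\AppData\Roaming\*') { $flags += 'AppData-Roaming-autostart' }
    if (Test-Path -LiteralPath $entry.Target) {
        $hash = (Get-FileHash -LiteralPath $entry.Target -Algorithm SHA256).Hash
        if ($hash -ieq $KnownBadSha256) { $flags += 'SHA256-match' }
    } else {
        $flags += 'target-missing'   # dangling Run value, worth a look either way
    }
    if ($flags.Count -gt 0) {
        '{0}\{1} -> {2} [{3}]' -f $entry.Key, $entry.Name, $entry.Target, ($flags -join ',')
    }
}

# Also catch the dropped copy while it is running, even if the Run value was removed.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -like '*\AppData\Roaming\download.exe' } |
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm SHA256).Hash
        'PID {0} {1} SHA256={2} match={3}' -f $_.ProcessId, $_.ExecutablePath, $h, ($h -ieq $KnownBadSha256)
    }
```

The hash comparison confirms this exact sample; the path-based checks (autostart from `AppData\Roaming`, a process image under the same directory) are the part worth keeping as a standing hunt, since a rebuilt VanillaRat binary changes the hash but not this persistence pattern.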
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 114KB
MD5: 3d31c31ef4a60bf94a3d70abc8c6dfe3
SHA1: 03912837c3f31bcd0c6f0c2aaa68cd3535d8cc99
SHA256: 6957a1d41318c04e7086774c6822dff2684a62300ece32225e1080cd0acc8a49
SHA512: 5ba7dd53e3b4af4442b8f33d8882b19698fb6c9262b5bc2fcbc6841b8ce9cc85c9e7eea8a317358aba9849fd33d86c82abf39bc6d44f8b9b98a7cd93b5baeed1
The dropped file carries the same hashes as the submitted sample: the copy written to C:\Users\Admin\AppData\Roaming\download.exe is byte-identical to the original.