Analysis Overview
SHA256
661cb7d69264a4953e0ec5d87b533e9e79c1b893b090d720a79692f7fb8f2a50
Threat Level: Known bad
The file Firefox Installer.exe was found to be: Known bad.
Malicious Activity Summary
VanillaRat
Vanilla Rat payload
Vanillarat family
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2023-07-10 16:09
Signatures
Vanilla Rat payload
Vanillarat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2023-07-10 16:09
Reported: 2023-07-10 16:12
Platform: win10-20230703-en
Max time kernel: 143s
Max time network: 153s
Signatures
VanillaRat
Vanilla Rat payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings | C:\Windows\SysWOW64\control.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"
C:\Users\Admin\svchost.exe
"C:\Users\Admin\svchost.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\winver.exe
winver
C:\Windows\SysWOW64\whoami.exe
whoami
C:\Windows\SysWOW64\whoami.exe
whoami
C:\Windows\SysWOW64\control.exe
control
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\SysWOW64\control.exe
control
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:14034 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 39.102.125.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.158.249.75:14034 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 75.249.158.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/4144-117-0x0000000000BE0000-0x0000000000C16000-memory.dmp
memory/4144-118-0x00000000055F0000-0x000000000568C000-memory.dmp
C:\Users\Admin\svchost.exe
| MD5 | d171fba5b90821656b0bd8a16c577652 |
| SHA1 | a9aee6e9e269c16a490563ac9a731e8d09c40a66 |
| SHA256 | 7cfbea8b7f2d149337c086793a3fc24ec7c0836ad4f5994a7aac5e55bd6855e6 |
| SHA512 | 5dee382e8bd03b391dd2c3cbce4a5b5d219dd913722e9a7430196024019490d0fc021bfed7a5b6273375a7555c36e3807ce7a485ac0fad1948d5c5088d136468 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | d171fba5b90821656b0bd8a16c577652 |
| SHA1 | a9aee6e9e269c16a490563ac9a731e8d09c40a66 |
| SHA256 | 7cfbea8b7f2d149337c086793a3fc24ec7c0836ad4f5994a7aac5e55bd6855e6 |
| SHA512 | 5dee382e8bd03b391dd2c3cbce4a5b5d219dd913722e9a7430196024019490d0fc021bfed7a5b6273375a7555c36e3807ce7a485ac0fad1948d5c5088d136468 |