vanillarat | 3c94526aebbd26379525871418cb3121f87f5a3511274a3bed9d5d0570509f40

Analysis

max time kernel
275s
max time network
294s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
10-07-2023 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bat_To_Exe_Converter.exe
Size

267KB
MD5

286567d99f950717e9391f472d030218
SHA1

880ab32fbcdc20a0a21b5c2370c201b37096d1a3
SHA256

3c94526aebbd26379525871418cb3121f87f5a3511274a3bed9d5d0570509f40
SHA512

bf939b46e0e1bdddb360b5afdad7dfd979f5c2382423029eda7a484d9831c62f63687e6e136306509091f7e06d6e7d36cc482851dd4d55b83d5b5b6209d816db
SSDEEP

6144:XJZKBI0RyYeY4eoiJ+sCFvvKd/LZZ3Ru79kkkkkkkkkkkkkkkkskkkkkkkkkkkkq:OyYrZos+xFvERupkkkkkkkkkkkkkkkkZ

Score

10^/10

vanillarat persistence ransomware rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat payload 14 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3040-54-0x0000000000950000-0x000000000099A000-memory.dmp	vanillarat
\Users\Admin\svchost.exe	vanillarat
C:\Users\Admin\svchost.exe	vanillarat
C:\Users\Admin\svchost.exe	vanillarat
C:\Users\Admin\svchost.exe	vanillarat
behavioral1/memory/2892-63-0x0000000001390000-0x00000000013B2000-memory.dmp	vanillarat
behavioral1/memory/2892-64-0x0000000004E10000-0x0000000004E50000-memory.dmp	vanillarat
\Users\Admin\AppData\Roaming\svchost.exe	vanillarat
C:\Users\Admin\AppData\Roaming\svchost.exe	vanillarat
behavioral1/memory/1928-72-0x0000000000F80000-0x0000000000FA2000-memory.dmp	vanillarat
C:\Users\Admin\AppData\Roaming\svchost.exe	vanillarat
behavioral1/memory/1928-73-0x0000000004D60000-0x0000000004DA0000-memory.dmp	vanillarat
behavioral1/memory/1928-74-0x0000000004D60000-0x0000000004DA0000-memory.dmp	vanillarat
C:\Users\Admin\AppData\Roaming\svchost.exe	vanillarat

Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

2892 svchost.exe
1928 svchost.exe
592 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

Bat_To_Exe_Converter.exesvchost.exe

pid process

3040 Bat_To_Exe_Converter.exe
2892 svchost.exe

pid	process
2892	svchost.exe
1928	svchost.exe
592	svchost.exe

pid	process
3040	Bat_To_Exe_Converter.exe
2892	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\wallpaperl.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\wallpaper.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\wallpaper.jpg"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Bat_To_Exe_Converter.exesvchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 3040 Bat_To_Exe_Converter.exe
Token: SeDebugPrivilege 2892 svchost.exe
Token: SeDebugPrivilege 1928 svchost.exe

description	pid	process
Token: SeDebugPrivilege	3040	Bat_To_Exe_Converter.exe
Token: SeDebugPrivilege	2892	svchost.exe
Token: SeDebugPrivilege	1928	svchost.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Bat_To_Exe_Converter.exesvchost.exesvchost.exesvchost.execmd.exe

description	pid	process	target process
PID 3040 wrote to memory of 2892	3040	Bat_To_Exe_Converter.exe	svchost.exe
PID 3040 wrote to memory of 2892	3040	Bat_To_Exe_Converter.exe	svchost.exe
PID 3040 wrote to memory of 2892	3040	Bat_To_Exe_Converter.exe	svchost.exe
PID 3040 wrote to memory of 2892	3040	Bat_To_Exe_Converter.exe	svchost.exe
PID 2892 wrote to memory of 1928	2892	svchost.exe	svchost.exe
PID 2892 wrote to memory of 1928	2892	svchost.exe	svchost.exe
PID 2892 wrote to memory of 1928	2892	svchost.exe	svchost.exe
PID 2892 wrote to memory of 1928	2892	svchost.exe	svchost.exe
PID 1928 wrote to memory of 592	1928	svchost.exe	svchost.exe
PID 1928 wrote to memory of 592	1928	svchost.exe	svchost.exe
PID 1928 wrote to memory of 592	1928	svchost.exe	svchost.exe
PID 1928 wrote to memory of 592	1928	svchost.exe	svchost.exe
PID 592 wrote to memory of 2484	592	svchost.exe	cmd.exe
PID 592 wrote to memory of 2484	592	svchost.exe	cmd.exe
PID 592 wrote to memory of 2484	592	svchost.exe	cmd.exe
PID 592 wrote to memory of 2484	592	svchost.exe	cmd.exe
PID 2484 wrote to memory of 1108	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 1108	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 1108	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 1108	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2504	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2504	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2504	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2504	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2696	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2696	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2696	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2696	2484	cmd.exe	reg.exe
PID 2484 wrote to memory of 2576	2484	cmd.exe	rundll32.exe
PID 2484 wrote to memory of 2576	2484	cmd.exe	rundll32.exe
PID 2484 wrote to memory of 2576	2484	cmd.exe	rundll32.exe
PID 2484 wrote to memory of 2576	2484	cmd.exe	rundll32.exe
PID 2484 wrote to memory of 2576	2484	cmd.exe	rundll32.exe
PID 2484 wrote to memory of 2576	2484	cmd.exe	rundll32.exe
PID 2484 wrote to memory of 2576	2484	cmd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe
"C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\Users\Admin\wallpaperl.jpg /f
        6⤵
        Sets desktop wallpaper using registry
        
        PID:1108
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\Users\Admin\wallpaper.jpg /f
        6⤵
        Sets desktop wallpaper using registry
        
        PID:2504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\wallpaper.jpg" /f
        6⤵
        Sets desktop wallpaper using registry
        
        PID:2696
      - C:\Windows\SysWOW64\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        6⤵
        
        PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
115KB

MD5
21324d0ec7105239fcf0cd5777f33e2f

SHA1
e53172b06136e8e15a9e7458be12e4abac3204f8

SHA256
2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672

SHA512
b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
115KB

MD5
21324d0ec7105239fcf0cd5777f33e2f

SHA1
e53172b06136e8e15a9e7458be12e4abac3204f8

SHA256
2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672

SHA512
b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
115KB

MD5
21324d0ec7105239fcf0cd5777f33e2f

SHA1
e53172b06136e8e15a9e7458be12e4abac3204f8

SHA256
2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672

SHA512
b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

Download Submit
C:\Users\Admin\svchost.exe

Filesize
115KB

MD5
21324d0ec7105239fcf0cd5777f33e2f

SHA1
e53172b06136e8e15a9e7458be12e4abac3204f8

SHA256
2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672

SHA512
b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

Download Submit
C:\Users\Admin\svchost.exe

Filesize
115KB

MD5
21324d0ec7105239fcf0cd5777f33e2f

SHA1
e53172b06136e8e15a9e7458be12e4abac3204f8

SHA256
2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672

SHA512
b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

Download Submit
C:\Users\Admin\svchost.exe

Filesize
115KB

MD5
21324d0ec7105239fcf0cd5777f33e2f

SHA1
e53172b06136e8e15a9e7458be12e4abac3204f8

SHA256
2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672

SHA512
b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

Download Submit
C:\Users\wallpaper.jpg

Filesize
42KB

MD5
6d668e9525905205163f5944418d69d4

SHA1
032f909c5b8a005f5910fb616cf070d5333d1cfe

SHA256
2dc8dca3def7b5af4fdd08a23a31596c720cbb00c265ce88079551df412115f4

SHA512
ef57b057d4b6e76b1290804adcb8bf1c7095fce730f3570150911aa003f2a92a9ba880e40a79dab9fb5e42778ec58271f9a95cedd7e1da46e669b3c04947be3f

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
115KB

MD5
21324d0ec7105239fcf0cd5777f33e2f

SHA1
e53172b06136e8e15a9e7458be12e4abac3204f8

SHA256
2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672

SHA512
b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

Download Submit
\Users\Admin\svchost.exe

Filesize
115KB

MD5
21324d0ec7105239fcf0cd5777f33e2f

SHA1
e53172b06136e8e15a9e7458be12e4abac3204f8

SHA256
2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672

SHA512
b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

Download Submit
memory/592-77-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/592-78-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/1928-72-0x0000000000F80000-0x0000000000FA2000-memory.dmp

Filesize
136KB

Download
memory/1928-73-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/1928-74-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/2892-64-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2892-63-0x0000000001390000-0x00000000013B2000-memory.dmp

Filesize
136KB

Download
memory/3040-54-0x0000000000950000-0x000000000099A000-memory.dmp

Filesize
296KB

Download