Analysis Overview
SHA256
3c94526aebbd26379525871418cb3121f87f5a3511274a3bed9d5d0570509f40
Threat Level: Known bad
The file Bat_To_Exe_Converter.exe was found to be: Known bad.
Malicious Activity Summary
Vanilla Rat payload
Vanillarat family
VanillaRat
Vanilla Rat payload
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Sets desktop wallpaper using registry
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-10 16:53
Signatures
Vanilla Rat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Vanillarat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-10 16:53
Reported
2023-07-10 16:59
Platform
win7-20230705-en
Max time kernel
275s
Max time network
294s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe | N/A |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\wallpaperl.jpg" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\wallpaper.jpg" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\wallpaper.jpg" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe
"C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe"
C:\Users\Admin\svchost.exe
"C:\Users\Admin\svchost.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\Users\Admin\wallpaperl.jpg /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\Users\Admin\wallpaper.jpg /f
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\wallpaper.jpg" /f
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.161.133:11427 | 5.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.64.4.198:11427 | 5.tcp.eu.ngrok.io | tcp |
Files
memory/3040-54-0x0000000000950000-0x000000000099A000-memory.dmp
\Users\Admin\svchost.exe
| MD5 | 21324d0ec7105239fcf0cd5777f33e2f |
| SHA1 | e53172b06136e8e15a9e7458be12e4abac3204f8 |
| SHA256 | 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672 |
| SHA512 | b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b |
C:\Users\Admin\svchost.exe
| MD5 | 21324d0ec7105239fcf0cd5777f33e2f |
| SHA1 | e53172b06136e8e15a9e7458be12e4abac3204f8 |
| SHA256 | 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672 |
| SHA512 | b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b |
C:\Users\Admin\svchost.exe
| MD5 | 21324d0ec7105239fcf0cd5777f33e2f |
| SHA1 | e53172b06136e8e15a9e7458be12e4abac3204f8 |
| SHA256 | 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672 |
| SHA512 | b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b |
C:\Users\Admin\svchost.exe
| MD5 | 21324d0ec7105239fcf0cd5777f33e2f |
| SHA1 | e53172b06136e8e15a9e7458be12e4abac3204f8 |
| SHA256 | 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672 |
| SHA512 | b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b |
memory/2892-63-0x0000000001390000-0x00000000013B2000-memory.dmp
memory/2892-64-0x0000000004E10000-0x0000000004E50000-memory.dmp
\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 21324d0ec7105239fcf0cd5777f33e2f |
| SHA1 | e53172b06136e8e15a9e7458be12e4abac3204f8 |
| SHA256 | 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672 |
| SHA512 | b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 21324d0ec7105239fcf0cd5777f33e2f |
| SHA1 | e53172b06136e8e15a9e7458be12e4abac3204f8 |
| SHA256 | 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672 |
| SHA512 | b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b |
memory/1928-72-0x0000000000F80000-0x0000000000FA2000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 21324d0ec7105239fcf0cd5777f33e2f |
| SHA1 | e53172b06136e8e15a9e7458be12e4abac3204f8 |
| SHA256 | 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672 |
| SHA512 | b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b |
memory/1928-73-0x0000000004D60000-0x0000000004DA0000-memory.dmp
memory/1928-74-0x0000000004D60000-0x0000000004DA0000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 21324d0ec7105239fcf0cd5777f33e2f |
| SHA1 | e53172b06136e8e15a9e7458be12e4abac3204f8 |
| SHA256 | 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672 |
| SHA512 | b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b |
memory/592-77-0x00000000009C0000-0x0000000000A00000-memory.dmp
memory/592-78-0x00000000009C0000-0x0000000000A00000-memory.dmp
C:\Users\wallpaper.jpg
| MD5 | 6d668e9525905205163f5944418d69d4 |
| SHA1 | 032f909c5b8a005f5910fb616cf070d5333d1cfe |
| SHA256 | 2dc8dca3def7b5af4fdd08a23a31596c720cbb00c265ce88079551df412115f4 |
| SHA512 | ef57b057d4b6e76b1290804adcb8bf1c7095fce730f3570150911aa003f2a92a9ba880e40a79dab9fb5e42778ec58271f9a95cedd7e1da46e669b3c04947be3f |