Malware Analysis Report

2024-10-23 20:55

Sample ID 230710-veaf3acb29
Target Bat_To_Exe_Converter.exe
SHA256 3c94526aebbd26379525871418cb3121f87f5a3511274a3bed9d5d0570509f40
Tags
rat vanillarat persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c94526aebbd26379525871418cb3121f87f5a3511274a3bed9d5d0570509f40

Threat Level: Known bad

The file Bat_To_Exe_Converter.exe was found to be: Known bad.

Malicious Activity Summary

rat vanillarat persistence ransomware

Vanilla Rat payload

Vanillarat family

VanillaRat

Vanilla Rat payload

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-10 16:53

Signatures

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Vanillarat family

vanillarat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-10 16:53

Reported

2023-07-10 16:59

Platform

win7-20230705-en

Max time kernel

275s

Max time network

294s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\wallpaperl.jpg" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\wallpaper.jpg" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\wallpaper.jpg" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe C:\Users\Admin\svchost.exe
PID 3040 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe C:\Users\Admin\svchost.exe
PID 3040 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe C:\Users\Admin\svchost.exe
PID 3040 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe C:\Users\Admin\svchost.exe
PID 2892 wrote to memory of 1928 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2892 wrote to memory of 1928 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2892 wrote to memory of 1928 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2892 wrote to memory of 1928 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1928 wrote to memory of 592 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1928 wrote to memory of 592 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1928 wrote to memory of 592 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1928 wrote to memory of 592 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 592 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2484 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2484 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2484 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2484 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2484 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2484 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2484 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2484 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2484 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2484 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2484 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2484 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe

"C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\Users\Admin\wallpaperl.jpg /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\Users\Admin\wallpaper.jpg /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\wallpaper.jpg" /f

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 3.67.161.133:11427 5.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 3.64.4.198:11427 5.tcp.eu.ngrok.io tcp

Files

memory/3040-54-0x0000000000950000-0x000000000099A000-memory.dmp

\Users\Admin\svchost.exe

MD5 21324d0ec7105239fcf0cd5777f33e2f
SHA1 e53172b06136e8e15a9e7458be12e4abac3204f8
SHA256 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672
SHA512 b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

C:\Users\Admin\svchost.exe

MD5 21324d0ec7105239fcf0cd5777f33e2f
SHA1 e53172b06136e8e15a9e7458be12e4abac3204f8
SHA256 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672
SHA512 b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

C:\Users\Admin\svchost.exe

MD5 21324d0ec7105239fcf0cd5777f33e2f
SHA1 e53172b06136e8e15a9e7458be12e4abac3204f8
SHA256 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672
SHA512 b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

C:\Users\Admin\svchost.exe

MD5 21324d0ec7105239fcf0cd5777f33e2f
SHA1 e53172b06136e8e15a9e7458be12e4abac3204f8
SHA256 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672
SHA512 b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

memory/2892-63-0x0000000001390000-0x00000000013B2000-memory.dmp

memory/2892-64-0x0000000004E10000-0x0000000004E50000-memory.dmp

\Users\Admin\AppData\Roaming\svchost.exe

MD5 21324d0ec7105239fcf0cd5777f33e2f
SHA1 e53172b06136e8e15a9e7458be12e4abac3204f8
SHA256 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672
SHA512 b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 21324d0ec7105239fcf0cd5777f33e2f
SHA1 e53172b06136e8e15a9e7458be12e4abac3204f8
SHA256 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672
SHA512 b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

memory/1928-72-0x0000000000F80000-0x0000000000FA2000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 21324d0ec7105239fcf0cd5777f33e2f
SHA1 e53172b06136e8e15a9e7458be12e4abac3204f8
SHA256 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672
SHA512 b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

memory/1928-73-0x0000000004D60000-0x0000000004DA0000-memory.dmp

memory/1928-74-0x0000000004D60000-0x0000000004DA0000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 21324d0ec7105239fcf0cd5777f33e2f
SHA1 e53172b06136e8e15a9e7458be12e4abac3204f8
SHA256 2314ebcf731c9d8ea2e84220a1a5d803d15e5a82f307e2e17ab55b875cd6f672
SHA512 b01c18d393fdf605ae4777c40fa5d9fc34d1e18e615732ab5003a9f4d3c06eb8a88e533c8857ddca9bfc3da53783e20df7ce0856b4b96fcf554a5c05b131982b

memory/592-77-0x00000000009C0000-0x0000000000A00000-memory.dmp

memory/592-78-0x00000000009C0000-0x0000000000A00000-memory.dmp

C:\Users\wallpaper.jpg

MD5 6d668e9525905205163f5944418d69d4
SHA1 032f909c5b8a005f5910fb616cf070d5333d1cfe
SHA256 2dc8dca3def7b5af4fdd08a23a31596c720cbb00c265ce88079551df412115f4
SHA512 ef57b057d4b6e76b1290804adcb8bf1c7095fce730f3570150911aa003f2a92a9ba880e40a79dab9fb5e42778ec58271f9a95cedd7e1da46e669b3c04947be3f