Analysis
- max time kernel: 584s
- max time network: 603s
- platform: windows7_x64
- resource: win7-20230705-en
- resource tags: arch:x64, arch:x86, image:win7-20230705-en, locale:en-us, os:windows7-x64, system
- submitted: 11-07-2023 13:47
Behavioral task: behavioral1
- Sample: Bat_To_Exe_Converter.exe
- Resource: win7-20230705-en
General
- Target: Bat_To_Exe_Converter.exe
- Size: 267KB
- MD5: 1cdbfa6e2373ae9f65dfff190837b6b8
- SHA1: 94f13d2c9b5480810f99311d219a4af05fbe0852
- SHA256: 13c586ad6509932afac77a9fafe673766fe4cf5a0289346af637f12f509dfdf5
- SHA512: b71354e69b4bc5b5c4d99510606ecfb354fd28f1d6cfbb60d81f3fa039d5fbf515d369fc0bdf7ef6a9b08dc4beb5c8326a950d8bcaf92cd086bdc1115f53c7f7
- SSDEEP: 6144:5JZKBI0RyYeY4eoiJ+sCFvrKN/LZZ3Ru79kkkkkkkkkkkkkkkkskkkkkkkkkkkkq:AyYrZos+xFv0RupkkkkkkkkkkkkkkkkZ
Malware Config
Signatures
-
VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
-
Vanilla Rat payload (13 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/3064-54-0x00000000003C0000-0x000000000040A000-memory.dmp | vanillarat
  \Users\Admin\svchost.exe | vanillarat
  C:\Users\Admin\svchost.exe | vanillarat
  C:\Users\Admin\svchost.exe | vanillarat
  C:\Users\Admin\svchost.exe | vanillarat
  behavioral1/memory/2344-63-0x0000000001390000-0x00000000013B2000-memory.dmp | vanillarat
  \Users\Admin\AppData\Roaming\svchost.exe | vanillarat
  C:\Users\Admin\AppData\Roaming\svchost.exe | vanillarat
  behavioral1/memory/1608-72-0x00000000010C0000-0x00000000010E2000-memory.dmp | vanillarat
  C:\Users\Admin\AppData\Roaming\svchost.exe | vanillarat
  behavioral1/memory/1608-73-0x0000000004BC0000-0x0000000004C00000-memory.dmp | vanillarat
  C:\Users\Admin\AppData\Roaming\svchost.exe | vanillarat
  behavioral1/memory/2924-77-0x00000000048F0000-0x0000000004930000-memory.dmp | vanillarat
-
Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  2344 | svchost.exe
  1608 | svchost.exe
  2924 | svchost.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  3064 | Bat_To_Exe_Converter.exe
  2344 | svchost.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
-
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\wallpaper.jpg" | reg.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3064 | Bat_To_Exe_Converter.exe
  Token: SeDebugPrivilege | 2344 | svchost.exe
  Token: SeDebugPrivilege | 1608 | svchost.exe
  Token: 33 | 2592 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 2592 | AUDIODG.EXE
  Token: 33 | 2592 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 2592 | AUDIODG.EXE
-
Suspicious use of WriteProcessMemory (31 IoCs)
Processes (repeated identical rows collapsed, with the original count in parentheses):
  description | pid | process | target process
  PID 3064 wrote to memory of 2344 | 3064 | Bat_To_Exe_Converter.exe | svchost.exe (4 entries)
  PID 2344 wrote to memory of 1608 | 2344 | svchost.exe | svchost.exe (4 entries)
  PID 1608 wrote to memory of 2052 | 1608 | svchost.exe | cmd.exe (4 entries)
  PID 1608 wrote to memory of 2924 | 1608 | svchost.exe | svchost.exe (4 entries)
  PID 2924 wrote to memory of 2080 | 2924 | svchost.exe | cmd.exe (4 entries)
  PID 2080 wrote to memory of 2632 | 2080 | cmd.exe | reg.exe (4 entries)
  PID 2080 wrote to memory of 2644 | 2080 | cmd.exe | rundll32.exe (7 entries)
Processes (indented by depth in the process tree)
-
C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\svchost.exe
    Command line: "C:\Users\Admin\svchost.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe"
      C:\Users\Admin\AppData\Roaming\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd.exe"
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\wallpaper.jpg" /f
            - Sets desktop wallpaper using registry
          C:\Windows\SysWOW64\rundll32.exe
            Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
-
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x55c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (verbatim duplicate entries for the same path collapsed to one)
-
C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 115KB
  MD5: 5b1f5da635d45c9ba0dc903264d9058b
  SHA1: 6062e2abc52514dd512ee2f2c15c8d58b04458dd
  SHA256: 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6
  SHA512: 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374
-
C:\Users\Admin\svchost.exe
  Filesize: 115KB
  MD5: 5b1f5da635d45c9ba0dc903264d9058b
  SHA1: 6062e2abc52514dd512ee2f2c15c8d58b04458dd
  SHA256: 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6
  SHA512: 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374
-
\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 115KB
  MD5: 5b1f5da635d45c9ba0dc903264d9058b
  SHA1: 6062e2abc52514dd512ee2f2c15c8d58b04458dd
  SHA256: 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6
  SHA512: 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374
-
\Users\Admin\svchost.exe
  Filesize: 115KB
  MD5: 5b1f5da635d45c9ba0dc903264d9058b
  SHA1: 6062e2abc52514dd512ee2f2c15c8d58b04458dd
  SHA256: 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6
  SHA512: 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374
-
memory/1608-72-0x00000000010C0000-0x00000000010E2000-memory.dmp
  Filesize: 136KB
-
memory/1608-73-0x0000000004BC0000-0x0000000004C00000-memory.dmp
  Filesize: 256KB
-
memory/1608-74-0x0000000004BC0000-0x0000000004C00000-memory.dmp
  Filesize: 256KB
-
memory/2344-64-0x0000000000D00000-0x0000000000D40000-memory.dmp
  Filesize: 256KB
-
memory/2344-63-0x0000000001390000-0x00000000013B2000-memory.dmp
  Filesize: 136KB
-
memory/2924-77-0x00000000048F0000-0x0000000004930000-memory.dmp
  Filesize: 256KB
-
memory/2924-78-0x00000000048F0000-0x0000000004930000-memory.dmp
  Filesize: 256KB
-
memory/3064-54-0x00000000003C0000-0x000000000040A000-memory.dmp
  Filesize: 296KB