Analysis Overview
SHA256
13c586ad6509932afac77a9fafe673766fe4cf5a0289346af637f12f509dfdf5
Threat Level: Known bad
The file Bat_To_Exe_Converter.exe was found to be: Known bad.
Malicious Activity Summary
Vanilla Rat payload
VanillaRat
Vanillarat family
Vanilla Rat payload
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Sets desktop wallpaper using registry
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-11 13:47
Signatures
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Vanillarat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-11 13:47
Reported
2023-07-11 13:57
Platform
win7-20230705-en
Max time kernel
584s
Max time network
603s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe | N/A |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\wallpaper.jpg" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe
"C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe"
C:\Users\Admin\svchost.exe
"C:\Users\Admin\svchost.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\wallpaper.jpg" /f
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x55c
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.192.93.86:15208 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.157.68.73:15208 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.192.93.86:15208 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.197.239.5:15208 | 2.tcp.eu.ngrok.io | tcp |
| DE | 18.197.239.5:15208 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.156.13.209:15208 | 2.tcp.eu.ngrok.io | tcp |
| DE | 18.156.13.209:15208 | 2.tcp.eu.ngrok.io | tcp |
Files
memory/3064-54-0x00000000003C0000-0x000000000040A000-memory.dmp
\Users\Admin\svchost.exe
| MD5 | 5b1f5da635d45c9ba0dc903264d9058b |
| SHA1 | 6062e2abc52514dd512ee2f2c15c8d58b04458dd |
| SHA256 | 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6 |
| SHA512 | 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374 |
C:\Users\Admin\svchost.exe
| MD5 | 5b1f5da635d45c9ba0dc903264d9058b |
| SHA1 | 6062e2abc52514dd512ee2f2c15c8d58b04458dd |
| SHA256 | 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6 |
| SHA512 | 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374 |
C:\Users\Admin\svchost.exe
| MD5 | 5b1f5da635d45c9ba0dc903264d9058b |
| SHA1 | 6062e2abc52514dd512ee2f2c15c8d58b04458dd |
| SHA256 | 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6 |
| SHA512 | 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374 |
C:\Users\Admin\svchost.exe
| MD5 | 5b1f5da635d45c9ba0dc903264d9058b |
| SHA1 | 6062e2abc52514dd512ee2f2c15c8d58b04458dd |
| SHA256 | 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6 |
| SHA512 | 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374 |
memory/2344-63-0x0000000001390000-0x00000000013B2000-memory.dmp
memory/2344-64-0x0000000000D00000-0x0000000000D40000-memory.dmp
\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 5b1f5da635d45c9ba0dc903264d9058b |
| SHA1 | 6062e2abc52514dd512ee2f2c15c8d58b04458dd |
| SHA256 | 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6 |
| SHA512 | 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 5b1f5da635d45c9ba0dc903264d9058b |
| SHA1 | 6062e2abc52514dd512ee2f2c15c8d58b04458dd |
| SHA256 | 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6 |
| SHA512 | 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374 |
memory/1608-72-0x00000000010C0000-0x00000000010E2000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 5b1f5da635d45c9ba0dc903264d9058b |
| SHA1 | 6062e2abc52514dd512ee2f2c15c8d58b04458dd |
| SHA256 | 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6 |
| SHA512 | 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374 |
memory/1608-73-0x0000000004BC0000-0x0000000004C00000-memory.dmp
memory/1608-74-0x0000000004BC0000-0x0000000004C00000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 5b1f5da635d45c9ba0dc903264d9058b |
| SHA1 | 6062e2abc52514dd512ee2f2c15c8d58b04458dd |
| SHA256 | 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6 |
| SHA512 | 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374 |
memory/2924-77-0x00000000048F0000-0x0000000004930000-memory.dmp
memory/2924-78-0x00000000048F0000-0x0000000004930000-memory.dmp