Malware Analysis Report

2024-10-23 20:55

Sample ID 230711-q3phnshd42
Target Bat_To_Exe_Converter.exe
SHA256 13c586ad6509932afac77a9fafe673766fe4cf5a0289346af637f12f509dfdf5
Tags
rat vanillarat persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

13c586ad6509932afac77a9fafe673766fe4cf5a0289346af637f12f509dfdf5

Threat Level: Known bad

The file Bat_To_Exe_Converter.exe was found to be: Known bad. The sample is an unsigned PE whose filename matches the Bat To Exe Converter utility; its observed behaviour is that of a VanillaRat (open-source .NET remote-access tool) dropper. It writes a payload named svchost.exe into the user profile and AppData\Roaming (SHA256 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6, a different file from the submitted sample), persists through an HKCU Run key, changes the desktop wallpaper with reg.exe, and reaches its controller through an ngrok TCP tunnel (2.tcp.eu.ngrok.io:15208).

Malicious Activity Summary

rat vanillarat persistence ransomware

Vanilla Rat payload

VanillaRat

Vanillarat family

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-11 13:47

Signatures

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Vanillarat family

vanillarat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-11 13:47

Reported

2023-07-11 13:57

Platform

win7-20230705-en

Max time kernel

584s

Max time network

603s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Both dropped executables are named svchost.exe but run from user-writable locations (C:\Users\Admin and C:\Users\Admin\AppData\Roaming) rather than from %SystemRoot%\System32, masquerading as the Windows service host. The two files carry the same hashes (see Files), so the second stage is a straight copy of the first.

Description Indicator Process Target
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A

Adds Run key to start application

The persistence value is written under the detonation user's hive (SID S-1-5-21-511725148-388773979-2853099937-1000), not HKLM, so it needs no elevation and fires at that user's logon. The value name "svchost" points at the AppData\Roaming copy. The row appears twice, consistent with the two instances of C:\Users\Admin\AppData\Roaming\svchost.exe (PIDs 1608 and 2924 in the process chain) each writing it.

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

The indicator behind this signature is the only external endpoint in the Network section: 2.tcp.eu.ngrok.io, resolved via 8.8.8.8 to several DE-geolocated addresses and contacted on TCP port 15208. ngrok forwards the tunnel to a listener on the operator's own machine; the hostname and port are assigned per tunnel and change when the operator restarts it, so the resolved IPs are weak indicators and any connection to *.tcp.*.ngrok.io from a host with no business using ngrok is the durable one.

Sets desktop wallpaper using registry

The change is made by a child cmd.exe running reg add on HKCU\Control Panel\Desktop\wallpaper (value C:\Users\wallpaper.jpg), followed by rundll32.exe user32.dll,UpdatePerUserSystemParameters to apply it. The sandbox attaches the ransomware tag to this signature, but the report records no file encryption, renaming or ransom note; treat the tag as a heuristic rather than evidence of encryption.

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\wallpaper.jpg" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

The sample and both dropped copies enable SeDebugPrivilege. The AUDIODG.EXE rows are the Windows audio engine running from System32 and are background activity on the detonation host, not part of the infection chain; privilege 33 is SeIncreaseWorkingSetPrivilege.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Every row pairs a parent with a process it launched, and the pairs form one chain from the sample down to reg.exe and rundll32.exe. A parent writes the child's start-up parameters into the new process during CreateProcess, so these rows document the spawn chain; on their own they are not evidence of injection into an unrelated process.

Description Indicator Process Target
PID 3064 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe C:\Users\Admin\svchost.exe
PID 3064 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe C:\Users\Admin\svchost.exe
PID 3064 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe C:\Users\Admin\svchost.exe
PID 3064 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe C:\Users\Admin\svchost.exe
PID 2344 wrote to memory of 1608 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2344 wrote to memory of 1608 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2344 wrote to memory of 1608 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2344 wrote to memory of 1608 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1608 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1608 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1608 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2924 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2080 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2080 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2080 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
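Rebuilding the spawn chain from the table above, as an added example that is not part of the sandbox output: the rows are copied verbatim into the script, collapsed by parent/child pair and rendered as an indented tree annotated with how many WriteProcessMemory rows each pair produced. The parsing and tree code is the added part; the row format assumed is exactly the one the table uses.

```python
# Added example: spawn-chain reconstruction from this report's
# "Suspicious use of WriteProcessMemory" rows. The rows are the report's;
# the parsing and rendering code is not part of the sandbox output.
import re
from collections import Counter, defaultdict

# Rows copied verbatim from the report (duplicates kept as logged).
WPM_ROWS = r"""
PID 3064 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe C:\Users\Admin\svchost.exe
PID 3064 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe C:\Users\Admin\svchost.exe
PID 3064 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe C:\Users\Admin\svchost.exe
PID 3064 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe C:\Users\Admin\svchost.exe
PID 2344 wrote to memory of 1608 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2344 wrote to memory of 1608 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2344 wrote to memory of 1608 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2344 wrote to memory of 1608 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1608 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1608 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1608 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2924 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2080 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2080 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2080 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
"""

# Table columns: Description ("PID <p> wrote to memory of <c>"), Indicator
# (always N/A here), Process, Target. Paths contain no spaces in this report.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return ({pid: image path}, Counter{(parent_pid, child_pid): row count})."""
    images, edges = {}, Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        ppid, cpid = int(m.group(1)), int(m.group(2))
        images[ppid], images[cpid] = m.group(3), m.group(4)
        edges[(ppid, cpid)] += 1
    return images, edges


def roots(edges):
    """PIDs that write to others but are never written to: the chain's origin."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def depth_of(edges, pid):
    """Number of spawn hops from the root down to pid."""
    parent = {c: p for p, c in edges}
    hops = 0
    while pid in parent:
        pid = parent[pid]
        hops += 1
    return hops


def render_tree(images, edges):
    """One indented line per process, annotated with the number of
    WriteProcessMemory rows logged for its parent->child pair."""
    kids = defaultdict(list)
    for (p, c), n in edges.items():
        kids[p].append((c, n))
    lines = []

    def walk(pid, depth, writes):
        tag = "" if writes is None else " [%d writes]" % writes
        lines.append("  " * depth + "%s (PID %d)%s" % (images[pid], pid, tag))
        for child, n in sorted(kids[pid]):
            walk(child, depth + 1, n)

    for r in roots(edges):
        walk(r, 0, None)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(*parse_rows(WPM_ROWS))))
```

The 31 rows collapse to 7 parent/child pairs forming a single chain six levels deep, with the sample (PID 3064) as the only root; the same script can be pointed at any Triage report that uses this row layout.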

Processes

C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe

"C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\wallpaper.jpg" /f

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x55c

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.192.93.86:15208 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.157.68.73:15208 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.192.93.86:15208 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.197.239.5:15208 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:15208 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.156.13.209:15208 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:15208 2.tcp.eu.ngrok.io tcp
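Turning the report's indicators into detection logic, as an added example that is not part of the sandbox output. The event lines are constructed in a Sysmon-like JSON format modelled on the Processes, Signatures and Network sections (paths, SID, domain and addresses are taken from this report; the System32 svchost.exe and OneDrive Run-key lines are invented benign controls so the rules can be seen not to fire on them). The field names and rule names are assumptions for the example.

```python
# Added example: rules derived from this report, run over constructed
# Sysmon-style JSON-lines events. Not part of the sandbox output.
import json
import ntpath

# Directories the real service host runs from; anything else named
# svchost.exe is a masquerade (the sample drops it into the user profile).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run\\"
WALLPAPER_VALUE = r"\control panel\desktop\wallpaper"
TUNNEL_SUFFIXES = ("ngrok.io",)

# Constructed events. PIDs 900 and 4000 are benign controls and must not fire.
SAMPLE_EVENTS = r"""
{"event":"process","pid":2344,"image":"C:\\Users\\Admin\\svchost.exe","cmdline":"\"C:\\Users\\Admin\\svchost.exe\""}
{"event":"process","pid":1608,"image":"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe","cmdline":"\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""}
{"event":"process","pid":900,"image":"C:\\Windows\\System32\\svchost.exe","cmdline":"C:\\Windows\\System32\\svchost.exe -k netsvcs"}
{"event":"registry","pid":1608,"key":"HKU\\S-1-5-21-511725148-388773979-2853099937-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost","data":"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"}
{"event":"registry","pid":4000,"key":"HKU\\S-1-5-21-511725148-388773979-2853099937-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","data":"\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"}
{"event":"registry","pid":2632,"key":"HKU\\S-1-5-21-511725148-388773979-2853099937-1000\\Control Panel\\Desktop\\wallpaper","data":"C:\\Users\\wallpaper.jpg"}
{"event":"process","pid":2632,"image":"C:\\Windows\\SysWOW64\\reg.exe","cmdline":"reg add \"HKEY_CURRENT_USER\\control panel\\desktop\" /v wallpaper /t REG_SZ /d \"C:\\Users\\wallpaper.jpg\" /f"}
{"event":"dns","pid":1608,"query":"2.tcp.eu.ngrok.io"}
{"event":"network","pid":1608,"dst":"18.192.93.86","dport":15208,"proto":"tcp"}
"""


def is_masquerading_svchost(image):
    """svchost.exe anywhere outside System32/SysWOW64."""
    directory, name = ntpath.split(image)
    return name.lower() == "svchost.exe" and directory.lower() not in SYSTEM_DIRS


def first_path_token(data):
    """Executable path from a Run value: handles '"C:\\a b\\x.exe" args' and 'C:\\x.exe args'."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def run_key_to_user_path(key, data):
    """Run value whose target lives under a user profile (user-writable)."""
    if RUN_KEY_FRAGMENT not in key.lower():
        return False
    return "\\users\\" in first_path_token(data).lower()


def is_wallpaper_value(key):
    return key.lower().endswith(WALLPAPER_VALUE)


def is_tunnel_domain(domain):
    return domain.lower().rstrip(".").endswith(TUNNEL_SUFFIXES)


def alert(rule, pid, evidence):
    return {"rule": rule, "pid": pid, "evidence": evidence}


def scan(jsonl):
    """Run the rules over JSON-lines events and return alerts in event order.
    A tunnel DNS hit is remembered per PID so a later TCP connection by the
    same process is tied to it (DNS precedes the connection in real logs,
    as it does in the report's Network table)."""
    alerts, tunnel_pids = [], set()
    for line in jsonl.strip().splitlines():
        e = json.loads(line)
        kind = e["event"]
        if kind == "process" and is_masquerading_svchost(e["image"]):
            alerts.append(alert("svchost_outside_system_dir", e["pid"], e["image"]))
        elif kind == "registry":
            if run_key_to_user_path(e["key"], e["data"]):
                alerts.append(alert("run_key_user_writable_path", e["pid"], e["key"] + " = " + e["data"]))
            if is_wallpaper_value(e["key"]):
                alerts.append(alert("wallpaper_set_via_registry", e["pid"], e["data"]))
        elif kind == "dns" and is_tunnel_domain(e["query"]):
            tunnel_pids.add(e["pid"])
            alerts.append(alert("ngrok_tunnel_dns", e["pid"], e["query"]))
        elif kind == "network" and e["pid"] in tunnel_pids:
            alerts.append(alert("ngrok_tunnel_connection", e["pid"],
                                "%s:%d/%s" % (e["dst"], e["dport"], e["proto"])))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print("%-28s pid=%-5d %s" % (a["rule"], a["pid"], a["evidence"]))
```

Six alerts come out of the nine constructed events, none for the two benign controls. The masquerade rule keys on the image directory rather than the hash, since the dropped file's hash changes with every rebuild of the RAT, and the tunnel rule keys on the ngrok domain rather than the resolved addresses for the reason given under the hosting-abuse signature.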

Files

Dropped executable (one hash set for every file event below; the two svchost.exe locations hold byte-identical content, distinct from the submitted sample whose SHA256 is given in the Analysis Overview):

MD5 5b1f5da635d45c9ba0dc903264d9058b
SHA1 6062e2abc52514dd512ee2f2c15c8d58b04458dd
SHA256 542a120c462c5554a6954b0ae8d9a61eb381637ba2a71a2d54e863c7d6ca50a6
SHA512 680018c073f6711746639ce56616e6eb70575b720b27be093ff2d7a4d08dd289387709a6829fd15d64e61fd0514439f9af0122e6f66735c1b4d1a9f37cc8d374

File events (number of events recorded for each path):

\Users\Admin\svchost.exe (1)
C:\Users\Admin\svchost.exe (3)
\Users\Admin\AppData\Roaming\svchost.exe (1)
C:\Users\Admin\AppData\Roaming\svchost.exe (3)

Memory dumps (PID mapped to image through the process chain above):

memory/3064-54-0x00000000003C0000-0x000000000040A000-memory.dmp  Bat_To_Exe_Converter.exe, PID 3064
memory/2344-63-0x0000000001390000-0x00000000013B2000-memory.dmp  C:\Users\Admin\svchost.exe, PID 2344
memory/2344-64-0x0000000000D00000-0x0000000000D40000-memory.dmp  C:\Users\Admin\svchost.exe, PID 2344
memory/1608-72-0x00000000010C0000-0x00000000010E2000-memory.dmp  C:\Users\Admin\AppData\Roaming\svchost.exe, PID 1608
memory/1608-73-0x0000000004BC0000-0x0000000004C00000-memory.dmp  C:\Users\Admin\AppData\Roaming\svchost.exe, PID 1608
memory/1608-74-0x0000000004BC0000-0x0000000004C00000-memory.dmp  C:\Users\Admin\AppData\Roaming\svchost.exe, PID 1608
memory/2924-77-0x00000000048F0000-0x0000000004930000-memory.dmp  C:\Users\Admin\AppData\Roaming\svchost.exe, PID 2924
memory/2924-78-0x00000000048F0000-0x0000000004930000-memory.dmp  C:\Users\Admin\AppData\Roaming\svchost.exe, PID 2924