vanillarat | 99cb2f3bcdecd478de5ac0bd47297fc73356a094baa1d9ad806ae1e684cd4096

General

Target

Bat_To_Exe_Converter.exe
Size

267KB
MD5

4c8b09399380e02a5ec45eec25749cec
SHA1

36a2dbc5184edaa3f3b205a7c2ddf0ca4a4112ae
SHA256

99cb2f3bcdecd478de5ac0bd47297fc73356a094baa1d9ad806ae1e684cd4096
SHA512

bb6336caaf560b6df9b819882692104039620705affe252fe3c6146750bca97249e68f8e489729e347626f3597b049eed2b80aaf80441c3858f3938e5be9ca83
SSDEEP

6144:9JZKBI0RyYeY4eoiJ+sCFvyKj/LZZ3Ru79kkkkkkkkkkkkkkkkskkkkkkkkkkkkq:0yYrZos+xFvTRupkkkkkkkkkkkkkkkkZ

Score

10^/10

vanillarat persistence ransomware rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5028-117-0x0000000000230000-0x000000000027A000-memory.dmp	vanillarat
C:\Users\Admin\svchost.exe	vanillarat
C:\Users\Admin\svchost.exe	vanillarat
behavioral2/memory/4560-125-0x0000000000570000-0x0000000000592000-memory.dmp	vanillarat
C:\Users\Admin\AppData\Roaming\svchost.exe	vanillarat
C:\Users\Admin\AppData\Roaming\svchost.exe	vanillarat
C:\Users\Admin\AppData\Roaming\svchost.exe	vanillarat

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

4560 svchost.exe
5044 svchost.exe

pid	process
4560	svchost.exe
5044	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Control Panel\Desktop\Wallpaper = "C:\\users\\wallpaper.jpg"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

404 taskkill.exe
4876 taskkill.exe

pid	process
404	taskkill.exe
4876	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 6 IoCs

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Bat_To_Exe_Converter.exesvchost.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	5028	Bat_To_Exe_Converter.exe
Token: SeDebugPrivilege	4560	svchost.exe
Token: SeDebugPrivilege	4876	taskkill.exe
Token: SeDebugPrivilege	404	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exe

pid process

4460 explorer.exe
4460 explorer.exe

pid	process
4460	explorer.exe
4460	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Bat_To_Exe_Converter.exesvchost.exesvchost.execmd.exe

description	pid	process	target process
PID 5028 wrote to memory of 4560	5028	Bat_To_Exe_Converter.exe	svchost.exe
PID 5028 wrote to memory of 4560	5028	Bat_To_Exe_Converter.exe	svchost.exe
PID 5028 wrote to memory of 4560	5028	Bat_To_Exe_Converter.exe	svchost.exe
PID 4560 wrote to memory of 5044	4560	svchost.exe	svchost.exe
PID 4560 wrote to memory of 5044	4560	svchost.exe	svchost.exe
PID 4560 wrote to memory of 5044	4560	svchost.exe	svchost.exe
PID 5044 wrote to memory of 4400	5044	svchost.exe	cmd.exe
PID 5044 wrote to memory of 4400	5044	svchost.exe	cmd.exe
PID 5044 wrote to memory of 4400	5044	svchost.exe	cmd.exe
PID 4400 wrote to memory of 2528	4400	cmd.exe	reg.exe
PID 4400 wrote to memory of 2528	4400	cmd.exe	reg.exe
PID 4400 wrote to memory of 2528	4400	cmd.exe	reg.exe
PID 4400 wrote to memory of 4876	4400	cmd.exe	taskkill.exe
PID 4400 wrote to memory of 4876	4400	cmd.exe	taskkill.exe
PID 4400 wrote to memory of 4876	4400	cmd.exe	taskkill.exe
PID 4400 wrote to memory of 404	4400	cmd.exe	taskkill.exe
PID 4400 wrote to memory of 404	4400	cmd.exe	taskkill.exe
PID 4400 wrote to memory of 404	4400	cmd.exe	taskkill.exe
PID 4400 wrote to memory of 3664	4400	cmd.exe	explorer.exe
PID 4400 wrote to memory of 3664	4400	cmd.exe	explorer.exe
PID 4400 wrote to memory of 3664	4400	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe
"C:\Users\Admin\AppData\Local\Temp\Bat_To_Exe_Converter.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /d "C:\users\wallpaper.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2528
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im explorer
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer
        5⤵
        Modifies registry class
        
        PID:3664

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
115KB

MD5
60693deb183633f99736c90e9469d405

SHA1
f1dbd699f0d0694ccf54204f5894806d1eb5fa24

SHA256
88375a89edfe2edc1032abc6acc7debf6c0df55b15b8b1c5dfe3655a303f5977

SHA512
6cca558d8d4014adaab2ca67d7f932d42ff4f10ef857861ef6dc3d1f385c4767fa121e129ee5c957ced2fa0d2f175a1bc0b64d5c8b727cc3822da20bd92cf696

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
115KB

MD5
60693deb183633f99736c90e9469d405

SHA1
f1dbd699f0d0694ccf54204f5894806d1eb5fa24

SHA256
88375a89edfe2edc1032abc6acc7debf6c0df55b15b8b1c5dfe3655a303f5977

SHA512
6cca558d8d4014adaab2ca67d7f932d42ff4f10ef857861ef6dc3d1f385c4767fa121e129ee5c957ced2fa0d2f175a1bc0b64d5c8b727cc3822da20bd92cf696

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
115KB

MD5
60693deb183633f99736c90e9469d405

SHA1
f1dbd699f0d0694ccf54204f5894806d1eb5fa24

SHA256
88375a89edfe2edc1032abc6acc7debf6c0df55b15b8b1c5dfe3655a303f5977

SHA512
6cca558d8d4014adaab2ca67d7f932d42ff4f10ef857861ef6dc3d1f385c4767fa121e129ee5c957ced2fa0d2f175a1bc0b64d5c8b727cc3822da20bd92cf696

Download Submit
C:\Users\Admin\svchost.exe

Filesize
115KB

MD5
60693deb183633f99736c90e9469d405

SHA1
f1dbd699f0d0694ccf54204f5894806d1eb5fa24

SHA256
88375a89edfe2edc1032abc6acc7debf6c0df55b15b8b1c5dfe3655a303f5977

SHA512
6cca558d8d4014adaab2ca67d7f932d42ff4f10ef857861ef6dc3d1f385c4767fa121e129ee5c957ced2fa0d2f175a1bc0b64d5c8b727cc3822da20bd92cf696

Download Submit
C:\Users\Admin\svchost.exe

Filesize
115KB

MD5
60693deb183633f99736c90e9469d405

SHA1
f1dbd699f0d0694ccf54204f5894806d1eb5fa24

SHA256
88375a89edfe2edc1032abc6acc7debf6c0df55b15b8b1c5dfe3655a303f5977

SHA512
6cca558d8d4014adaab2ca67d7f932d42ff4f10ef857861ef6dc3d1f385c4767fa121e129ee5c957ced2fa0d2f175a1bc0b64d5c8b727cc3822da20bd92cf696

Download Submit
memory/4560-127-0x0000000005A00000-0x0000000005EFE000-memory.dmp

Filesize
5.0MB

Download
memory/4560-128-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/4560-129-0x0000000005700000-0x0000000005800000-memory.dmp

Filesize
1024KB

Download
memory/4560-130-0x0000000002C70000-0x0000000002C7A000-memory.dmp

Filesize
40KB

Download
memory/4560-125-0x0000000000570000-0x0000000000592000-memory.dmp

Filesize
136KB

Download
memory/5028-117-0x0000000000230000-0x000000000027A000-memory.dmp

Filesize
296KB

Download
memory/5028-118-0x0000000004A90000-0x0000000004B2C000-memory.dmp

Filesize
624KB

Download
memory/5044-136-0x0000000005300000-0x0000000005400000-memory.dmp

Filesize
1024KB

Download
memory/5044-137-0x00000000095D0000-0x0000000009636000-memory.dmp

Filesize
408KB

Download
memory/5044-138-0x0000000005300000-0x0000000005400000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads