Overview

overview

10

Static

static

10

up.zip

windows7-x64

1

up.zip

windows10-2004-x64

1

Cloakedbgf...so.iso

windows7-x64

3

Cloakedbgf...so.iso

windows10-2004-x64

3

Information.lnk

windows7-x64

3

Information.lnk

windows10-2004-x64

6

_

windows7-x64

1

_

windows10-2004-x64

1

agenda.exe

windows7-x64

1

agenda.exe

windows10-2004-x64

6

vcruntime140.dll

windows7-x64

1

vcruntime140.dll

windows10-2004-x64

8

vctool140.dll

windows7-x64

1

vctool140.dll

windows10-2004-x64

8

Guloaderbg...so.iso

windows7-x64

3

Guloaderbg...so.iso

windows10-2004-x64

3

Iisbgfhaci...ll.dll

windows7-x64

3

Iisbgfhaci...ll.dll

windows10-2004-x64

3

Iranbggaia...xe.exe

windows7-x64

7

Iranbggaia...xe.exe

windows10-2004-x64

7

Knotweedbg...ll.dll

windows7-x64

1

Knotweedbg...ll.dll

windows10-2004-x64

1

Magicratbg...xe.exe

windows7-x64

10

Magicratbg...xe.exe

windows10-2004-x64

10

Newcoppers...xe.exe

windows7-x64

4

Newcoppers...xe.exe

windows10-2004-x64

4

Newlogfors...xe.exe

windows7-x64

4

Newlogfors...xe.exe

windows10-2004-x64

4

Purecrypte...xe.dll

windows7-x64

1

Purecrypte...xe.dll

windows10-2004-x64

1

Purecrypte...xe.dll

windows7-x64

1

Purecrypte...xe.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    01-08-2023 19:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Magicratbggdhgejff1_browsingExe.exe

  • Size

    18.5MB

  • MD5

    b4c9b903dfd18bd67a3824b0109f955b

  • SHA1

    a3555a77826df6c8b2886cc0f40e7d7a2bd99610

  • SHA256

    f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332

  • SHA512

    73ec5620b9c607c96e883d95ac6ea4033444cb74def871d16875bb90cdf6560e592c1dcb9d6e9b406cd7d238464f46f61ca5f95bf07b0367ee826971ff151aed

  • SSDEEP

    196608:99rTfn5Mp6Z9j2ujTh4e9q77AJsv6tWKFdu9CqK:9F+p6Z3Ph4e9qoJsv6tWKFdu9C

Score
10/10
magicratrattrojan

Malware Config

Signatures

  • Detected MagicRAT payload 14 IoCs
  • magicrat

    MagicRAT is a remote access trojan developed and operated by the Lazarus APT group.

    trojanratmagicrat
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Magicratbggdhgejff1_browsingExe.exe
    "C:\Users\Admin\AppData\Local\Temp\Magicratbggdhgejff1_browsingExe.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Windows\system32\cmd.exe
      cmd.exe /c bcdedit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\system32\bcdedit.exe
        bcdedit
        3⤵
          PID:3028
      • C:\Windows\system32\cmd.exe
        cmd.exe /c schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe" /sc daily /st 10:30:30 /ru SYSTEM
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe" /sc daily /st 10:30:30 /ru SYSTEM
          3⤵
          • Creates scheduled task(s)
          PID:2776
      • C:\Windows\system32\cmd.exe
        cmd.exe /c schtasks /delete /f /tn "Microsoft\Windows\light Service Manager"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\system32\schtasks.exe
          schtasks /delete /f /tn "Microsoft\Windows\light Service Manager"
          3⤵
            PID:2796
        • C:\Windows\system32\cmd.exe
          cmd.exe /c bcdedit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\system32\bcdedit.exe
            bcdedit
            3⤵
              PID:2672
          • C:\Windows\system32\cmd.exe
            cmd.exe /c schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe /sc onstart /ru SYSTEM
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\system32\schtasks.exe
              schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe /sc onstart /ru SYSTEM
              3⤵
              • Creates scheduled task(s)
              PID:2704

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1228-59-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-60-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-79-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-80-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-81-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-82-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-83-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-84-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-85-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-86-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-87-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-88-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-89-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1228-90-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download