Analysis
-
max time kernel
44s -
max time network
114s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
-
submitted
01/08/2023, 21:07
General
-
Target
d083cf99cd6478e12f12c03e812503f2d1cf2a457a7861caa482e9618d95e8be.exe
-
Size
1.4MB
-
MD5
075420196363f53aa988f5f6859de5b7
-
SHA1
7211a1d53092691c9fea9de96e10b1664f888866
-
SHA256
d083cf99cd6478e12f12c03e812503f2d1cf2a457a7861caa482e9618d95e8be
-
SHA512
3599d211b5e80f7740c54e66d8622a779e6a876d3e32590e26f67365431a1bb3d579a3899ab11317dea07bc9d6c0410fcc6c5921329ffaa0cc5d137770a85cb5
-
SSDEEP
24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d083cf99cd6478e12f12c03e812503f2d1cf2a457a7861caa482e9618d95e8be.exe"C:\Users\Admin\AppData\Local\Temp\d083cf99cd6478e12f12c03e812503f2d1cf2a457a7861caa482e9618d95e8be.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get Domain4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7z.exe7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic computersystem where name="CXVLSGIX" set AutomaticManagedPagefile=False5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=200005⤵
-
-
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 66⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\Music\rot.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 136⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\attrib.exe"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ratt.exe"ratt.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 8 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 8 > nul && "C:\Users\Admin\Music\rot.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 85⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 85⤵
- Runs ping.exe
-
-
C:\Users\Admin\Music\rot.exe"C:\Users\Admin\Music\rot.exe"5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
363.6MB
MD5801a9b2db5b7134b8a414764414ad69c
SHA1b2c5464f7a065f6c8b7749ef10ca55e977a54769
SHA2565feac03709ba11aaa293704f4fe7946bb40907b530b6d960005e22a23ac6c32c
SHA512cf2624f7f239dcac09b7472671db88471737fe15f99f246fb18ff7f0ca06fa7220155e555aee984a7f781317be5a23202e52e258e9a5a75ee63cac9694761072
-
Filesize
314.4MB
MD5a8453cb91f53ba0294c0e67fafcc9346
SHA1e6548beb805b94387a35fba360e4df8e3593c3cc
SHA256913732614ff4b4bf76aec23dfdb8d0d96556d14bdf20b81144e886d97f587d7d
SHA512aec6a712524872abc3f100487103898edd6fbab37ac491fb53f607e239f2304e6b27c9e1ec2b3b9f14b42755d1930f47506c2ba1752be7fc3d3c987f56a0ef97
-
Filesize
1KB
MD50f5cbdca905beb13bebdcf43fb0716bd
SHA19e136131389fde83297267faf6c651d420671b3f
SHA256a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060
SHA512a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0
-
Filesize
1KB
MD59e104e9aa0cfdec0753de24cbe3f587b
SHA1f63b8d0b29c65e518be6a9412e7499c9de11be78
SHA25659a9f13de0e003ea4adcd0193477f147b0c91ae847eebc744e91a4efe167223f
SHA5128253854159ceac2d84eb371c9672730831505dea52ac3bc2cca45ee5308717ca3f11734602d0a409974b137084a8c20e6b7653640991e45708f692c65ac4933b
-
Filesize
12KB
MD5b049bff862d1c1791472a97f620ac07d
SHA1824e5f76ac0a9b9c8bd50c50d795566b58b5324d
SHA256b1458d14e65df997debbd71b9647781d75b956693430e45e0a27e64a1865ac82
SHA51250650b5b77327370f2191f7f40044c0bf58fd0f193d2afd1bbed2f5b3a9e86116ba95b2b6c45fcafdc43bf4e44d2df80abcca3d75788c01f2a4f2545ed47be7d
-
Filesize
12KB
MD5b89fdc36801529899ba3be9fb7f5e8b0
SHA1355de50005a6b34f994354535a237b6c31a2d814
SHA25681ef856097e6827fb85973ad110b69e899be017b3217e9b88ef693e7faa08e90
SHA512a9d1619def9fb2f8971d00d4cfcd86dd99c7a9504cd424bbcaef88d1fd63db4e2379ac692458fd2721cdcda3f924f03bb5480d8f4d7037a16de3beb099141be3
-
Filesize
12KB
MD5dc71ab63a99a01d4da6a028d1fbb9654
SHA1c6fdca1a09385724da96f4b06ef7bc2140435cb4
SHA256d9953a5466c0f26adc453fe4b54a85879d3bc0239bbb8771fba88bce7f65eeb0
SHA5120507c2bdb30f20a57f5325611a0220e82fdf9bba1beb3a435c7cd529f3380dea60b9bd251871bae2e0b20fc8c60c23a8f8db2ddcdf4e0f664b0270f9b7305137
-
Filesize
12KB
MD5cc479a22258e9ce77b6923361454997c
SHA1c2092e9dce4e4d0b4dc44c201d1c5505bf3925e1
SHA2560473f49857c60c20090a734d9e9fe198b4a1b6e14a7db59896450d236600fbcf
SHA51274819897601763fb41c0713a201cbcf56f889ea3ad8a4d25a293dd194ca44ca3882d18e8aac3abd6c723fa30517e4102e4b820d7dd9f183ccdf5492cdb6084f0
-
Filesize
12KB
MD547439b53d22319a0241f912a5a8a3e32
SHA13919f73392d027e3945eebfba846c70d62006e1d
SHA25636242a8aaa3e673aaa176ec61be9605af2baee22b49b0d79cd5a7cc4c0f59d4c
SHA5127eb91c2a416200201f81d0437a7dc2f0974a1f01b76936ba9dd324e6efba0f17a1dcc4754112db407c82ab417aa04f3ef614b603e2ff8694ccaddda3ae6e4594
-
Filesize
328KB
MD515bbbe562f9be3e5dcbb834e635cc231
SHA17c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
SHA256ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
SHA512769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287
-
Filesize
71KB
MD58ba2e41b330ae9356e62eb63514cf82e
SHA18dc266467a5a0d587ed0181d4344581ef4ff30b2
SHA256ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
SHA5122fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d
-
Filesize
71KB
MD58ba2e41b330ae9356e62eb63514cf82e
SHA18dc266467a5a0d587ed0181d4344581ef4ff30b2
SHA256ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
SHA5122fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d
-
Filesize
1KB
MD50df43097e0f0acd04d9e17fb43d618b9
SHA169b3ade12cb228393a93624e65f41604a17c83b6
SHA256c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873
SHA51201ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
693KB
MD57de6fdf3629c73bf0c29a96fa23ae055
SHA1dcb37f6d43977601c6460b17387a89b9e4c0609a
SHA256069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff
SHA512d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8
-
Filesize
1KB
MD57ea1fec84d76294d9256ae3dca7676b2
SHA11e335451d1cbb6951bc77bf75430f4d983491342
SHA2569a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940
SHA512ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317
-
Filesize
613.6MB
MD5233e115e4dc77e1dce5ba39c2d78de59
SHA1b6a6727b642adb519f67fa5a9f5f70a5acc7021d
SHA256b4ad52515ff134e4bad28e71310f674b5d09785f7d7772a6c00e94c0e01f494f
SHA5122f0a4ca708b1d27b4c258292de669b81ffea1b59c3c1e24ea208fbfa3a55373ee68826a453c2ed17f48ed187d73b3b69690a8d92860cb5071a0edf58807af581
-
Filesize
242.0MB
MD5213af7028d4ddec20a3df606d895f448
SHA1df58df3645c73949cb11607fccb5f48acb4df38e
SHA2560170a586dce450c07ab4d94aee09a864943138c8338322ad2c0a81ce7db3ef54
SHA51212f920f299a7705d967fc00510286fe1735953ed41c81e26a1c957ebb25273b67618f5e9b9146ab31b9a4bc70624ec21d88e6bd39ca6ac4885d4b7deeb5e9766
-
Filesize
139.9MB
MD58cf4853aa67ae6e332c44a81740cbde5
SHA18cd17f49fead4104e006c011cd9ce8a8bcc3723b
SHA256dc3ef26038ceba446a97a67dfc126b66fc3d5263dfe837319aedefcbdc679637
SHA51216386ca3b46fa50915744b7014c17171f1d76616952a3fa1bd28d0c069f25148f6277d633a6e35a1c6e882bfe1e966620cf213c798194dd4cd2d4b7721cbf782
-
Filesize
9.7MB
MD5a78fdd656962631750f390a6f599b1da
SHA1b52e7274e81727b10fa15eb00b5cf8fd2c6a4294
SHA2567393d1a888f7690d49dd54690f304e3cb12bccc2b0e103477336b0ff8a462314
SHA512d8a9b926df2bb8c1bd30864c5e4c21274953ab54e85422225bc96a1f35c6e8f16bed38c6cc22c1c3460753c968622fc6228c94a8081662ccc5037f425aabbf17
-
Filesize
10.0MB
MD58a9508738ad9ab77d09645478cbb2643
SHA14a1dc7eff388e9f3a03d0ebd850aa584d375504d
SHA2560845475a1fc911bc2663b2483f163228b3bbb010f60aefc30c459caf76f25d2f
SHA5125faeef7856545fa59f9ba5c342dd8d1e62da9f01bfef0e3a6b5465928b3212626a56d9f62e733a5fb8b2875d0d9e480e4174df23a10753f101f4ec537e9cfc19
-
Filesize
328KB
MD515bbbe562f9be3e5dcbb834e635cc231
SHA17c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
SHA256ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
SHA512769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
1.7MB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
280KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
6.9MB
-
Filesize
200KB
-
Filesize
904KB
-
Filesize
200KB
-
Filesize
6.9MB
-
Filesize
660KB
-
Filesize
3.3MB
-
Filesize
300KB
-
Filesize
6.9MB
-
Filesize
204KB
-
Filesize
120KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
592KB
-
Filesize
6.9MB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
5.0MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
6.9MB
-
Filesize
112KB
-
Filesize
300KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
6.9MB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB