Overview

overview

10

Static

static

10

Magicratbg...xe.exe

windows7-x64

10

Magicratbg...xe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    166s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2023 18:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Magicratbggdhgejff1_browsingExe.exe

  • Size

    18.5MB

  • MD5

    b4c9b903dfd18bd67a3824b0109f955b

  • SHA1

    a3555a77826df6c8b2886cc0f40e7d7a2bd99610

  • SHA256

    f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332

  • SHA512

    73ec5620b9c607c96e883d95ac6ea4033444cb74def871d16875bb90cdf6560e592c1dcb9d6e9b406cd7d238464f46f61ca5f95bf07b0367ee826971ff151aed

  • SSDEEP

    196608:99rTfn5Mp6Z9j2ujTh4e9q77AJsv6tWKFdu9CqK:9F+p6Z3Ph4e9qoJsv6tWKFdu9C

Score
10/10
magicratrattrojan

Malware Config

Signatures

  • Detected MagicRAT payload 12 IoCs
  • magicrat

    MagicRAT is a remote access trojan developed and operated by the Lazarus APT group.

    trojanratmagicrat
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Magicratbggdhgejff1_browsingExe.exe
    "C:\Users\Admin\AppData\Local\Temp\Magicratbggdhgejff1_browsingExe.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c bcdedit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\system32\bcdedit.exe
        bcdedit
        3⤵
          PID:1552
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe" /sc daily /st 10:30:30 /ru SYSTEM
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4384
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe" /sc daily /st 10:30:30 /ru SYSTEM
          3⤵
          • Creates scheduled task(s)
          PID:2464
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c schtasks /delete /f /tn "Microsoft\Windows\light Service Manager"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Windows\system32\schtasks.exe
          schtasks /delete /f /tn "Microsoft\Windows\light Service Manager"
          3⤵
            PID:3444
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c bcdedit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4092
          • C:\Windows\system32\bcdedit.exe
            bcdedit
            3⤵
              PID:1468
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe /sc onstart /ru SYSTEM
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4624
            • C:\Windows\system32\schtasks.exe
              schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe /sc onstart /ru SYSTEM
              3⤵
              • Creates scheduled task(s)
              PID:2188
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2392 -s 1064
            2⤵
            • Program crash
            PID:2908

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2392-138-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/2392-139-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/2392-140-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/2392-146-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/2392-147-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/2392-148-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/2392-149-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/2392-150-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/2392-151-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/2392-152-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/2392-153-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/2392-154-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download