Overview

overview

10

Static

static

10

Magicratbg...xe.exe

windows7-x64

10

Magicratbg...xe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    11-08-2023 18:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Magicratbggdhgejff1_browsingExe.exe

  • Size

    18.5MB

  • MD5

    b4c9b903dfd18bd67a3824b0109f955b

  • SHA1

    a3555a77826df6c8b2886cc0f40e7d7a2bd99610

  • SHA256

    f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332

  • SHA512

    73ec5620b9c607c96e883d95ac6ea4033444cb74def871d16875bb90cdf6560e592c1dcb9d6e9b406cd7d238464f46f61ca5f95bf07b0367ee826971ff151aed

  • SSDEEP

    196608:99rTfn5Mp6Z9j2ujTh4e9q77AJsv6tWKFdu9CqK:9F+p6Z3Ph4e9qoJsv6tWKFdu9C

Score
10/10
magicratrattrojan

Malware Config

Signatures

  • Detected MagicRAT payload 14 IoCs
  • magicrat

    MagicRAT is a remote access trojan developed and operated by the Lazarus APT group.

    trojanratmagicrat
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Magicratbggdhgejff1_browsingExe.exe
    "C:\Users\Admin\AppData\Local\Temp\Magicratbggdhgejff1_browsingExe.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\system32\cmd.exe
      cmd.exe /c bcdedit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\system32\bcdedit.exe
        bcdedit
        3⤵
          PID:1400
      • C:\Windows\system32\cmd.exe
        cmd.exe /c schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe" /sc daily /st 10:30:30 /ru SYSTEM
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe" /sc daily /st 10:30:30 /ru SYSTEM
          3⤵
          • Creates scheduled task(s)
          PID:2728
      • C:\Windows\system32\cmd.exe
        cmd.exe /c schtasks /delete /f /tn "Microsoft\Windows\light Service Manager"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\system32\schtasks.exe
          schtasks /delete /f /tn "Microsoft\Windows\light Service Manager"
          3⤵
            PID:2876
        • C:\Windows\system32\cmd.exe
          cmd.exe /c bcdedit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\system32\bcdedit.exe
            bcdedit
            3⤵
              PID:2712
          • C:\Windows\system32\cmd.exe
            cmd.exe /c schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe /sc onstart /ru SYSTEM
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\system32\schtasks.exe
              schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/Users/Admin/AppData/Local/Temp/Magicratbggdhgejff1_browsingExe.exe /sc onstart /ru SYSTEM
              3⤵
              • Creates scheduled task(s)
              PID:2208

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1016-58-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-59-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-70-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-71-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-72-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-73-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-74-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-75-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-76-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-77-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-78-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-79-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-80-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download

        • memory/1016-81-0x0000000000400000-0x000000000167E000-memory.dmp

          Filesize

          18.5MB

          Download