Overview
Static analysis: score 10
Behavioral tasks (sample, platform, score):
- MMLo7.Rat.rar on windows7-x64: score 10
- MMLo7.Rat.rar on windows10-1703-x64: score 7
- MMLo7.Rat.rar on windows10-2004-x64: score 7
- MMLo7 Rat.exe on windows7-x64: score 10
- MMLo7 Rat.exe on windows10-1703-x64: score 1
- MMLo7 Rat.exe on windows10-2004-x64: score 5
- turingmachine.exe on windows7-x64: score 10
- turingmachine.exe on windows10-1703-x64: score 1
- turingmachine.exe on windows10-2004-x64: score 5
Analysis (score 10)
- max time kernel: 1768s
- max time network: 1588s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 22-08-2023 10:15
Behavioral tasks
- behavioral1: sample MMLo7.Rat.rar, resource win7-20230712-en
- behavioral2: sample MMLo7.Rat.rar, resource win10-20230703-en
- behavioral3: sample MMLo7.Rat.rar, resource win10v2004-20230703-en
- behavioral4: sample MMLo7 Rat.exe, resource win7-20230712-en
- behavioral5: sample MMLo7 Rat.exe, resource win10-20230703-en
- behavioral6: sample MMLo7 Rat.exe, resource win10v2004-20230703-en
- behavioral7: sample turingmachine.exe, resource win7-20230712-en
- behavioral8: sample turingmachine.exe, resource win10-20230703-en
General
- Target: MMLo7.Rat.rar
- Size: 5.7MB
- MD5: 4747547f047d47bd37bc0d1b65625694
- SHA1: 827e3f9ca857ed95ef8185c80e5fa85fdffa28e4
- SHA256: 091833fb986ac8a78a9a33ae7852d2b02d510348bdcb915d4e2e51a6de27f64a
- SHA512: 3336de360626d125c4777d626a0790c69faf209c642d99d085cd72f92b9e5ba93aca9f9c92d81cb1e3b2ee21f6ff12cf9c6fe6ecbe9554ad846fa1cd74874241
- SSDEEP: 98304:HtkSjvhd8cMOBhzp1svAJFF5N7nicdRaDzmLW/nJHksov7iUsPIUDjvEQnQLligi:HtBjJd8vazEQFPN7tAeaBLNUsPIUvMUL
Malware Config
(none extracted)

Signatures
- Executes dropped EXE (1 IoC)
  pid 700, process MMLo7 Rat.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  description: Key created; ioc: \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_Classes\Local Settings; process: rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 2156, process vlc.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2156, process vlc.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeRestorePrivilege, pid 2624, process 7zG.exe
  Token: 35, pid 2624, process 7zG.exe
  Token: SeSecurityPrivilege, pid 2624, process 7zG.exe
  Token: SeSecurityPrivilege, pid 2624, process 7zG.exe
- Suspicious use of FindShellTrayWindow (10 IoCs)
  pid 2156, process vlc.exe (9 occurrences)
  pid 2624, process 7zG.exe (1 occurrence)
- Suspicious use of SendNotifyMessage (8 IoCs)
  pid 2156, process vlc.exe (8 occurrences)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2156, process vlc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2292 wrote to memory of 2712; pid 2292, process cmd.exe, procid_target 29 (3 occurrences)
  PID 2712 wrote to memory of 2156; pid 2712, process rundll32.exe, procid_target 30 (3 occurrences)
Processes
- C:\Windows\system32\cmd.exe (PID 2292)
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\MMLo7.Rat.rar
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2712)
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MMLo7.Rat.rar
    signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Program Files\VideoLAN\VLC\vlc.exe (PID 2156)
      command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\MMLo7.Rat.rar"
      signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe (PID 852)
  command line: "C:\Windows\explorer.exe"
- C:\Program Files\7-Zip\7zG.exe (PID 2624)
  command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\MMLo7.Rat\" -spe -an -ai#7zMap9300:98:7zEvent31267
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Users\Admin\AppData\Local\Temp\MMLo7.Rat\MMLo7 Rat.exe (PID 700)
  command line: "C:\Users\Admin\AppData\Local\Temp\MMLo7.Rat\MMLo7 Rat.exe"
  signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.8MB
  MD5: 2dc24c81438806bd03b492b9a3f3c55c
  SHA1: 1b62f6d53570d7cd3c8d04e6ea7e349b5de5cc89
  SHA256: 3edd74d68dd78681ed9eae3973ee2fb878c60e6e24dfa313ea2b4547008b1149
  SHA512: f03ef03ffd926c35a6c88be065a8b6174af323a9fc633fc8d0c1ee55bf8b2eb5ef824d9c9feda21104dd10ff7f0d8d0660e9d4ba0cd8a932dd5d8e342f023ce1
- Filesize: 161B
  MD5: c16b0746faa39818049fe38709a82c62
  SHA1: 3fa322fe6ed724b1bc4fd52795428a36b7b8c131
  SHA256: d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad
  SHA512: cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c