56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf

Analysis

max time kernel
9s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 01:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe
Size

1.4MB
MD5

c25453dc66909fff1943754702a5ff60
SHA1

001b5ff77b39a1c381e8ce1102f16e654210c5d2
SHA256

56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf
SHA512

2bdf991f3278e59bfc3ec4b3bc80506189897f9dd6d750e1fc3dad34fc090f1c2171792f6b7b6d64ea8fad1fc936d427a6f5cb767afdc73ebab5ca282d79c224
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
924	netsh.exe
4288	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002324c-104.dat	acprotect
behavioral2/files/0x000600000002324c-103.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002324d-102.dat	upx
behavioral2/memory/1252-101-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/files/0x000600000002324d-100.dat	upx
behavioral2/files/0x000600000002324c-104.dat	upx
behavioral2/files/0x000600000002324c-103.dat	upx
behavioral2/memory/1252-105-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral2/memory/1252-107-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/1252-109-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral2/memory/1252-112-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
4544	PING.EXE
2700	PING.EXE
4540	PING.EXE
2420	PING.EXE
3064	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2360	1260	56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe	84
PID 1260 wrote to memory of 2360	1260	56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe	84
PID 1260 wrote to memory of 2360	1260	56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe	84
PID 2360 wrote to memory of 3176	2360	cmd.exe	88
PID 2360 wrote to memory of 3176	2360	cmd.exe	88
PID 2360 wrote to memory of 3176	2360	cmd.exe	88
PID 3176 wrote to memory of 1424	3176	cmd.exe	87
PID 3176 wrote to memory of 1424	3176	cmd.exe	87
PID 3176 wrote to memory of 1424	3176	cmd.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2880	attrib.exe

C:\Users\Admin\AppData\Local\Temp\56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe
"C:\Users\Admin\AppData\Local\Temp\56e15dc05ade0295f95d1a9c969e2f27f1eb47f87db4d2ef35ea8af51cdb51cf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    PID:3064
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    PID:3792
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    PID:1532
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:924
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:4804
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic computersystem where name="HFPAJDPV" set AutomaticManagedPagefile=False
        5⤵
        
        PID:4276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:4436
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
        5⤵
        
        PID:2424
  - - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      PID:3392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:4380
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 9
        6⤵
        Runs ping.exe
        
        PID:4544
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        6⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:1516
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 13
        6⤵
        Runs ping.exe
        
        PID:2700
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
      4⤵
      Views/modifies file attributes
      PID:2880
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
    3⤵
    PID:1500
- - C:\Users\Admin\AppData\Local\Temp\ratt.exe
    "ratt.exe"
    3⤵
    PID:1748
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
      4⤵
      PID:2716
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:4540
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
        5⤵
        
        PID:116
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 19 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 19 > nul && "C:\Users\Admin\Music\rot.exe"
      4⤵
      PID:4664
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 19
        5⤵
        Runs ping.exe
        
        PID:3064
    - - C:\Users\Admin\Music\rot.exe
        
        "C:\Users\Admin\Music\rot.exe"
        5⤵
        
        PID:3040
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:2732
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:1836
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:984

C:\Windows\SysWOW64\nslookup.exe
nslookup myip.opendns.com. resolver1.opendns.com
1⤵
PID:1424

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 19
1⤵
- Runs ping.exe
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
43.5MB

MD5
cecdae039254f2eb204cc6ba50180a71

SHA1
454cb5522176b6d08a3d992d8695c15393afcc33

SHA256
f29db2573ad105bda0de5bf370316faac4d1af3ee5aa7d3439ce0462250e0422

SHA512
e43973838ea64a012dad09ccd085b75bfe5f4d34d82f0d2fa177afe2df8ca02798fc05dd0eb679d19805f03034022cd41ad57a668a84c60b24d97d7ace903b71

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe

Filesize
39.9MB

MD5
e94df13ed5bea2b13c8a8e567e85bcfd

SHA1
7501d2f045a6ad8bf4645b24471f7a95a956677a

SHA256
52c7fa4e1c87720e1d32968c1d9b8c4ac00fc5ec09f2cc5b9c978bcb84c2d58d

SHA512
3cb4f19c44f3d5ac214fb0429369608f9731453fe936cd2ddd123183fce5d4b8b5d91bfe0cd823da814136644d71c5512ee41e0cb07dfcd7d5cb15f3c8bb5f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ratt.exe.log

Filesize
1KB

MD5
9a2d0ce437d2445330f2646472703087

SHA1
33c83e484a15f35c2caa3af62d5da6b7713a20ae

SHA256
30ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c

SHA512
a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
99aaf4df3dcb2305134d9f9d083af3e0

SHA1
f32a096b3d72f797cc07c95e60907afcd2b408da

SHA256
16d85adac3f78fed4d36484c221a948ee50bc22702cd75c212a1008666c9ba1a

SHA512
e9ab91a704a2dce7fd455fc33b03394dda03be4927b24ddf3b978f0b56937f648a490554d491c2a23fdc1d9643d35adf2437eab850edc83a6d1202e8199aec0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
7d786387d483e6ff8babd7cea1395d65

SHA1
3e771ec8168d27ed0ad26b2ab5d17ccff44a081d

SHA256
090c77ff6d07290ddfd942b3c5925d76710e40110c350471769729495c513305

SHA512
5acdea120846bca263ac300362f8e28cee79f9fe353ccbba68f024789d51c38de0e73f3770a1c46e25d2c3e526d639f0b84ecd9871097fe4c5031c52dd80f61a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
7f5f83036668ca7b5b5c658c8a2d985f

SHA1
eb64db1cdec7edac40532cab4ecd2329dfa43e5a

SHA256
dcfb0495b1d9d1c7898496a647572811abe06e708f7c2852c7cadf6f4463dc1a

SHA512
444ed3c1605ad280c848a5fcc1d9a6e9206e5081aa4e3f271b3aedc37940e97a992fff109c7987336b482652f46c7af7f33835b67ae6aca0dd7f267f49a18dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
959e739f227f847b093cc84a9ff8a49d

SHA1
a38fd3b49001b2317fb8a94adc2451f22d42ad6d

SHA256
8122cf73d2663701adf6033fc69ec63047ef2655b5bbb48b143fbaff171649b6

SHA512
14acd02fccdbbac9d92c4354bf8254193cd88684e6095c918691c36b485210810fa4455f5002a5fcbb4a43c1bced5d2d825f39114fc8da0b00b35486cdffca13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
08b58112a422fd837c79d51445cb6b89

SHA1
a8a881a82c5bb4e8e7aab377461696dd6f100fd6

SHA256
d90004fc6c875c03298e820b1beac2e6ce31327fd280761587f4d28c1b4f5dee

SHA512
0dcca02cb865130d788d388357eeca16194d423f292efb13be71a7f651459963c0b8c34a726cb9b614fde9c1f22b203b38a2475275bb0d44949d680a3e3870c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yjkzc24.jtl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
48.5MB

MD5
5fa2cdc34d479f384ea71cadf2e610af

SHA1
06bb3bc22c68f7b7fee0df344dd52f6409e1c0f1

SHA256
7e917f442500eac6f37c7b3a07ead2b2eda55dd18d2c231e5525f5dac04c6711

SHA512
7ac8bb09f65f8b1fb99e2fc64966a01e1530c884697a0bb2e6e01231ceb03645a9f37ced77b3e572a43d45ba6b3d9f16ddbb922b3755cff4e428e261aeba3a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
35.5MB

MD5
9b144363250a18e41da9e1361cc6bb6c

SHA1
7fe4d232a6e39e66c87665bd91345806198c4873

SHA256
6c9180568290b5dd816fada1e2df620928d6678a2f8740c460ab869b01bd902a

SHA512
ca87b197cc329cb1c2c30de469e0260ae7e8346a1a161385c9155f58bb4971ef3005609d3eb79930587e529319436161ffdbf22c5bc2b7953fbb6d494ae37f8f

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
22.1MB

MD5
9fad2a4cf0dda8db0bfb58320ca3216a

SHA1
c37e7f531feb252041edeacba93602a6f4b17392

SHA256
e148eb6d33e26fd396c5ebefb21e2e4af011dc77a7dda937ad114d9d7968ad3f

SHA512
7fcc451ad6df675cdda57d1ea9f152ccaa3a53e12db93a9c3cec5964dd9e0dc27ef164bed5e80f6b961a25bc7978dced4d1861ed375e35274fe18b72aa2fe09e

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
9.2MB

MD5
07fcc4acaa2fc24a15ce007ffa924c76

SHA1
0ffafac9699ca615652c59fb408df68aacd51c43

SHA256
bf35b07f375668751aa13eeb9895950325803e17905313644f7c6f863c9210d5

SHA512
f5409ae8c3492bb48ec6d22bdeb3090a063cf831202091a27d85254c34d6bc9e48fb226c256ac49479ac79f81bc8af3824d151456eb4d316d3001106e0bb0d07

Download Submit
C:\Users\Admin\Music\rot.exe

Filesize
10.9MB

MD5
ebfda87836220800f07177e21baa4afc

SHA1
99db7b0dbd5fcde3e8b9f15dd242dbcef345a295

SHA256
8ea0dcaf319a11f1f17cb745f499ef55c6a947c05f4b424e9a94e8e2a8c279b3

SHA512
80b65cf3777ac93eb2493bcf7f7237db64ba347de45146626b91e3b96d3f852af89a1dc16e371d0f8cc93b66b8c6cf0f6041173264dd1a3014ab044d59a8fd75

Download Submit
memory/1252-107-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1252-109-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/1252-112-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1252-105-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/1252-101-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1532-152-0x0000000007D90000-0x0000000007DAA000-memory.dmp

Filesize
104KB

Download
memory/1532-160-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/1532-169-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/1532-158-0x0000000008CD0000-0x0000000009274000-memory.dmp

Filesize
5.6MB

Download
memory/1532-157-0x0000000007E00000-0x0000000007E22000-memory.dmp

Filesize
136KB

Download
memory/1532-156-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/1532-155-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/1532-154-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

Filesize
32KB

Download
memory/1532-153-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/1532-151-0x0000000007C80000-0x0000000007C94000-memory.dmp

Filesize
80KB

Download
memory/1532-150-0x0000000007C70000-0x0000000007C7E000-memory.dmp

Filesize
56KB

Download
memory/1532-149-0x0000000007C50000-0x0000000007C61000-memory.dmp

Filesize
68KB

Download
memory/1532-148-0x0000000007CF0000-0x0000000007D86000-memory.dmp

Filesize
600KB

Download
memory/1532-147-0x0000000007AC0000-0x0000000007ACA000-memory.dmp

Filesize
40KB

Download
memory/1532-146-0x0000000007A70000-0x0000000007A8A000-memory.dmp

Filesize
104KB

Download
memory/1532-145-0x00000000080A0000-0x000000000871A000-memory.dmp

Filesize
6.5MB

Download
memory/1532-144-0x0000000007950000-0x00000000079F3000-memory.dmp

Filesize
652KB

Download
memory/1532-143-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/1532-133-0x0000000070250000-0x000000007029C000-memory.dmp

Filesize
304KB

Download
memory/1532-132-0x0000000007910000-0x0000000007942000-memory.dmp

Filesize
200KB

Download
memory/1532-131-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/1532-116-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/1532-117-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/1532-118-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/1532-129-0x0000000006B00000-0x0000000006B4C000-memory.dmp

Filesize
304KB

Download
memory/3392-163-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/3392-170-0x00000000057B0000-0x00000000057F6000-memory.dmp

Filesize
280KB

Download
memory/3392-168-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

Filesize
64KB

Download
memory/3392-166-0x0000000005940000-0x00000000059D2000-memory.dmp

Filesize
584KB

Download
memory/3392-165-0x0000000005830000-0x00000000058CC000-memory.dmp

Filesize
624KB

Download
memory/3392-164-0x00000000006F0000-0x00000000008A6000-memory.dmp

Filesize
1.7MB

Download
memory/3792-85-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/3792-96-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/3792-84-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/3792-83-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/3792-98-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/3848-38-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/3848-50-0x00000000048A0000-0x00000000048B0000-memory.dmp

Filesize
64KB

Download
memory/3848-51-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/3920-19-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/3920-33-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3920-13-0x0000000002640000-0x0000000002676000-memory.dmp

Filesize
216KB

Download
memory/3920-16-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3920-31-0x0000000005C30000-0x0000000005C4E000-memory.dmp

Filesize
120KB

Download
memory/3920-15-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3920-14-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/3920-17-0x0000000004DA0000-0x00000000053C8000-memory.dmp

Filesize
6.2MB

Download
memory/3920-30-0x0000000005790000-0x0000000005AE4000-memory.dmp

Filesize
3.3MB

Download
memory/3920-18-0x0000000004C60000-0x0000000004C82000-memory.dmp

Filesize
136KB

Download
memory/3920-32-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

Filesize
304KB

Download
memory/3920-21-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/3920-36-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/4436-52-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/4436-53-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4436-54-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4436-65-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4436-67-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/4632-81-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/4632-69-0x0000000005A90000-0x0000000005DE4000-memory.dmp

Filesize
3.3MB

Download
memory/4632-82-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/4632-68-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads