45be8a0189906a67c6c9c05085b7e3eeb1812be2c66cd571d1c8760fc352fdc3

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 02:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

45be8a0189906a67c6c9c05085b7e3eeb1812be2c66cd571d1c8760fc352fdc3.exe
Size

1.4MB
MD5

60df2956f8cf3be6ae3a74e7b134d5c1
SHA1

a6033caac66b7823fa7ed3b64270442ae87deb08
SHA256

45be8a0189906a67c6c9c05085b7e3eeb1812be2c66cd571d1c8760fc352fdc3
SHA512

9a0febbb9c892adbda31fd69c7237974440661ca13ae0ed866bb141827114a5ad0dab3d86cf970944ff7c79acf7ad81180a74e31ec968d3e0945d0495194d401
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2244	powershell.exe
2860	powershell.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2580	WMIC.exe
Token: SeSecurityPrivilege	2580	WMIC.exe
Token: SeTakeOwnershipPrivilege	2580	WMIC.exe
Token: SeLoadDriverPrivilege	2580	WMIC.exe
Token: SeSystemProfilePrivilege	2580	WMIC.exe
Token: SeSystemtimePrivilege	2580	WMIC.exe
Token: SeProfSingleProcessPrivilege	2580	WMIC.exe
Token: SeIncBasePriorityPrivilege	2580	WMIC.exe
Token: SeCreatePagefilePrivilege	2580	WMIC.exe
Token: SeBackupPrivilege	2580	WMIC.exe
Token: SeRestorePrivilege	2580	WMIC.exe
Token: SeShutdownPrivilege	2580	WMIC.exe
Token: SeDebugPrivilege	2580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2580	WMIC.exe
Token: SeRemoteShutdownPrivilege	2580	WMIC.exe
Token: SeUndockPrivilege	2580	WMIC.exe
Token: SeManageVolumePrivilege	2580	WMIC.exe
Token: 33	2580	WMIC.exe
Token: 34	2580	WMIC.exe
Token: 35	2580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2580	WMIC.exe
Token: SeSecurityPrivilege	2580	WMIC.exe
Token: SeTakeOwnershipPrivilege	2580	WMIC.exe
Token: SeLoadDriverPrivilege	2580	WMIC.exe
Token: SeSystemProfilePrivilege	2580	WMIC.exe
Token: SeSystemtimePrivilege	2580	WMIC.exe
Token: SeProfSingleProcessPrivilege	2580	WMIC.exe
Token: SeIncBasePriorityPrivilege	2580	WMIC.exe
Token: SeCreatePagefilePrivilege	2580	WMIC.exe
Token: SeBackupPrivilege	2580	WMIC.exe
Token: SeRestorePrivilege	2580	WMIC.exe
Token: SeShutdownPrivilege	2580	WMIC.exe
Token: SeDebugPrivilege	2580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2580	WMIC.exe
Token: SeRemoteShutdownPrivilege	2580	WMIC.exe
Token: SeUndockPrivilege	2580	WMIC.exe
Token: SeManageVolumePrivilege	2580	WMIC.exe
Token: 33	2580	WMIC.exe
Token: 34	2580	WMIC.exe
Token: 35	2580	WMIC.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2692	1980	45be8a0189906a67c6c9c05085b7e3eeb1812be2c66cd571d1c8760fc352fdc3.exe	28
PID 1980 wrote to memory of 2692	1980	45be8a0189906a67c6c9c05085b7e3eeb1812be2c66cd571d1c8760fc352fdc3.exe	28
PID 1980 wrote to memory of 2692	1980	45be8a0189906a67c6c9c05085b7e3eeb1812be2c66cd571d1c8760fc352fdc3.exe	28
PID 1980 wrote to memory of 2692	1980	45be8a0189906a67c6c9c05085b7e3eeb1812be2c66cd571d1c8760fc352fdc3.exe	28
PID 2692 wrote to memory of 2680	2692	cmd.exe	30
PID 2692 wrote to memory of 2680	2692	cmd.exe	30
PID 2692 wrote to memory of 2680	2692	cmd.exe	30
PID 2692 wrote to memory of 2680	2692	cmd.exe	30
PID 2680 wrote to memory of 2596	2680	cmd.exe	31
PID 2680 wrote to memory of 2596	2680	cmd.exe	31
PID 2680 wrote to memory of 2596	2680	cmd.exe	31
PID 2680 wrote to memory of 2596	2680	cmd.exe	31
PID 2692 wrote to memory of 3064	2692	cmd.exe	32
PID 2692 wrote to memory of 3064	2692	cmd.exe	32
PID 2692 wrote to memory of 3064	2692	cmd.exe	32
PID 2692 wrote to memory of 3064	2692	cmd.exe	32
PID 3064 wrote to memory of 2580	3064	cmd.exe	33
PID 3064 wrote to memory of 2580	3064	cmd.exe	33
PID 3064 wrote to memory of 2580	3064	cmd.exe	33
PID 3064 wrote to memory of 2580	3064	cmd.exe	33
PID 2692 wrote to memory of 2244	2692	cmd.exe	37
PID 2692 wrote to memory of 2244	2692	cmd.exe	37
PID 2692 wrote to memory of 2244	2692	cmd.exe	37
PID 2692 wrote to memory of 2244	2692	cmd.exe	37
PID 2692 wrote to memory of 2860	2692	cmd.exe	38
PID 2692 wrote to memory of 2860	2692	cmd.exe	38
PID 2692 wrote to memory of 2860	2692	cmd.exe	38
PID 2692 wrote to memory of 2860	2692	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\45be8a0189906a67c6c9c05085b7e3eeb1812be2c66cd571d1c8760fc352fdc3.exe
"C:\Users\Admin\AppData\Local\Temp\45be8a0189906a67c6c9c05085b7e3eeb1812be2c66cd571d1c8760fc352fdc3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MYP53E5KIW7ZMUEXFNT5.temp

Filesize
7KB

MD5
a5d22af957f6d3a809b5d75445cc8ce2

SHA1
a5176cc19be8b03fb27ab94213513c66a807476b

SHA256
8b42419dcce3b1819f53ae957980f15696b16e3106699ad56369a09553c9579e

SHA512
453499819be2f9bdebef8eb1429a7540794f51b2b87ff86a7e5681146bb1b56ec11c9f47051d168f7527dd82b17b794e57a667a2796fae5581e6b1e5f97265d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
61a0305e9c061849485ba4c06937227e

SHA1
1fba3e91f17c67422cb5b5eb89e6e1295237208d

SHA256
bebde10bdfd55833199d54ded67833556c52ef5f62cf7c523ef3534067abfc88

SHA512
6a4a771cefb618ce3888824b70e3b0e0e7b149dcb7bc8172477f6196e89fe92f6ef9df9f0784b2b993d7bb595d6192731bae78615b2beaf532eee5c5e8b0073e

Download Submit
memory/2244-28-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2244-36-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-30-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-31-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2244-32-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2244-33-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2244-34-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2244-29-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2244-27-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-26-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-42-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-43-0x0000000001D70000-0x0000000001DB0000-memory.dmp

Filesize
256KB

Download
memory/2860-44-0x0000000001D70000-0x0000000001DB0000-memory.dmp

Filesize
256KB

Download
memory/2860-45-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download