c4193a77dee5e484ee9f4f1b284810b41f40596d568e1188e31ea5f1bdede981

Analysis

max time kernel
153s
max time network
143s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4193a77dee5e484ee9f4f1b284810b41f40596d568e1188e31ea5f1bdede981.exe
Size

1.4MB
MD5

1cb17dc61d606aa16fdbd0d31a9f287f
SHA1

a92e023c79f4da9d096d97653d58de7fefd37e26
SHA256

c4193a77dee5e484ee9f4f1b284810b41f40596d568e1188e31ea5f1bdede981
SHA512

286f83e9567c078321f4030c2c59f37170f44a661ef967531b34974cc4ae7e37918139615c0ec19cdbf614bf34c7895d32ffbe954b9fa26a937f4b09a324ba46
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2800	WMIC.exe
Token: SeSecurityPrivilege	2800	WMIC.exe
Token: SeTakeOwnershipPrivilege	2800	WMIC.exe
Token: SeLoadDriverPrivilege	2800	WMIC.exe
Token: SeSystemProfilePrivilege	2800	WMIC.exe
Token: SeSystemtimePrivilege	2800	WMIC.exe
Token: SeProfSingleProcessPrivilege	2800	WMIC.exe
Token: SeIncBasePriorityPrivilege	2800	WMIC.exe
Token: SeCreatePagefilePrivilege	2800	WMIC.exe
Token: SeBackupPrivilege	2800	WMIC.exe
Token: SeRestorePrivilege	2800	WMIC.exe
Token: SeShutdownPrivilege	2800	WMIC.exe
Token: SeDebugPrivilege	2800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2800	WMIC.exe
Token: SeRemoteShutdownPrivilege	2800	WMIC.exe
Token: SeUndockPrivilege	2800	WMIC.exe
Token: SeManageVolumePrivilege	2800	WMIC.exe
Token: 33	2800	WMIC.exe
Token: 34	2800	WMIC.exe
Token: 35	2800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2800	WMIC.exe
Token: SeSecurityPrivilege	2800	WMIC.exe
Token: SeTakeOwnershipPrivilege	2800	WMIC.exe
Token: SeLoadDriverPrivilege	2800	WMIC.exe
Token: SeSystemProfilePrivilege	2800	WMIC.exe
Token: SeSystemtimePrivilege	2800	WMIC.exe
Token: SeProfSingleProcessPrivilege	2800	WMIC.exe
Token: SeIncBasePriorityPrivilege	2800	WMIC.exe
Token: SeCreatePagefilePrivilege	2800	WMIC.exe
Token: SeBackupPrivilege	2800	WMIC.exe
Token: SeRestorePrivilege	2800	WMIC.exe
Token: SeShutdownPrivilege	2800	WMIC.exe
Token: SeDebugPrivilege	2800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2800	WMIC.exe
Token: SeRemoteShutdownPrivilege	2800	WMIC.exe
Token: SeUndockPrivilege	2800	WMIC.exe
Token: SeManageVolumePrivilege	2800	WMIC.exe
Token: 33	2800	WMIC.exe
Token: 34	2800	WMIC.exe
Token: 35	2800	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2836	2072	c4193a77dee5e484ee9f4f1b284810b41f40596d568e1188e31ea5f1bdede981.exe	30
PID 2072 wrote to memory of 2836	2072	c4193a77dee5e484ee9f4f1b284810b41f40596d568e1188e31ea5f1bdede981.exe	30
PID 2072 wrote to memory of 2836	2072	c4193a77dee5e484ee9f4f1b284810b41f40596d568e1188e31ea5f1bdede981.exe	30
PID 2072 wrote to memory of 2836	2072	c4193a77dee5e484ee9f4f1b284810b41f40596d568e1188e31ea5f1bdede981.exe	30
PID 2836 wrote to memory of 2704	2836	cmd.exe	32
PID 2836 wrote to memory of 2704	2836	cmd.exe	32
PID 2836 wrote to memory of 2704	2836	cmd.exe	32
PID 2836 wrote to memory of 2704	2836	cmd.exe	32
PID 2704 wrote to memory of 2508	2704	cmd.exe	33
PID 2704 wrote to memory of 2508	2704	cmd.exe	33
PID 2704 wrote to memory of 2508	2704	cmd.exe	33
PID 2704 wrote to memory of 2508	2704	cmd.exe	33
PID 2836 wrote to memory of 2716	2836	cmd.exe	34
PID 2836 wrote to memory of 2716	2836	cmd.exe	34
PID 2836 wrote to memory of 2716	2836	cmd.exe	34
PID 2836 wrote to memory of 2716	2836	cmd.exe	34
PID 2716 wrote to memory of 2800	2716	cmd.exe	35
PID 2716 wrote to memory of 2800	2716	cmd.exe	35
PID 2716 wrote to memory of 2800	2716	cmd.exe	35
PID 2716 wrote to memory of 2800	2716	cmd.exe	35
PID 2836 wrote to memory of 2916	2836	cmd.exe	37
PID 2836 wrote to memory of 2916	2836	cmd.exe	37
PID 2836 wrote to memory of 2916	2836	cmd.exe	37
PID 2836 wrote to memory of 2916	2836	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\c4193a77dee5e484ee9f4f1b284810b41f40596d568e1188e31ea5f1bdede981.exe
"C:\Users\Admin\AppData\Local\Temp\c4193a77dee5e484ee9f4f1b284810b41f40596d568e1188e31ea5f1bdede981.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
memory/2916-26-0x0000000073CB0000-0x000000007425B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-28-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/2916-27-0x0000000073CB0000-0x000000007425B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-29-0x0000000073CB0000-0x000000007425B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-30-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download