9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b

Analysis

max time kernel
208s
max time network
225s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe
Size

1.4MB
MD5

3f67be83722c1b395fc4bcec2dd81866
SHA1

d67e4a209f94b6a051d96a12d609f32e453416c4
SHA256

9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b
SHA512

7517fe15e10e67a21b59869443b2154c39d334c63f3750ca20daa05d815d31c231143a16caf30923a205e858ffde195bea44164e4feb8aa01c5e837d8a8621a8
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4280	powershell.exe
4280	powershell.exe
372	powershell.exe
372	powershell.exe
4400	powershell.exe
4400	powershell.exe
4784	powershell.exe
4784	powershell.exe
4564	powershell.exe
4564	powershell.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: 36	1520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: 36	1520	WMIC.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 1392	4716	9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe	88
PID 4716 wrote to memory of 1392	4716	9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe	88
PID 4716 wrote to memory of 1392	4716	9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe	88
PID 1392 wrote to memory of 4420	1392	cmd.exe	91
PID 1392 wrote to memory of 4420	1392	cmd.exe	91
PID 1392 wrote to memory of 4420	1392	cmd.exe	91
PID 4420 wrote to memory of 4332	4420	cmd.exe	92
PID 4420 wrote to memory of 4332	4420	cmd.exe	92
PID 4420 wrote to memory of 4332	4420	cmd.exe	92
PID 1392 wrote to memory of 4564	1392	cmd.exe	93
PID 1392 wrote to memory of 4564	1392	cmd.exe	93
PID 1392 wrote to memory of 4564	1392	cmd.exe	93
PID 4564 wrote to memory of 1520	4564	cmd.exe	94
PID 4564 wrote to memory of 1520	4564	cmd.exe	94
PID 4564 wrote to memory of 1520	4564	cmd.exe	94
PID 1392 wrote to memory of 4280	1392	cmd.exe	99
PID 1392 wrote to memory of 4280	1392	cmd.exe	99
PID 1392 wrote to memory of 4280	1392	cmd.exe	99
PID 1392 wrote to memory of 372	1392	cmd.exe	108
PID 1392 wrote to memory of 372	1392	cmd.exe	108
PID 1392 wrote to memory of 372	1392	cmd.exe	108
PID 1392 wrote to memory of 4400	1392	cmd.exe	109
PID 1392 wrote to memory of 4400	1392	cmd.exe	109
PID 1392 wrote to memory of 4400	1392	cmd.exe	109
PID 1392 wrote to memory of 4784	1392	cmd.exe	110
PID 1392 wrote to memory of 4784	1392	cmd.exe	110
PID 1392 wrote to memory of 4784	1392	cmd.exe	110
PID 1392 wrote to memory of 4564	1392	cmd.exe	111
PID 1392 wrote to memory of 4564	1392	cmd.exe	111
PID 1392 wrote to memory of 4564	1392	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe
"C:\Users\Admin\AppData\Local\Temp\9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:4332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1520
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
dcf69db2b1b63f172f029c36d4ef2a9a

SHA1
3d99f278ae3d23503ad46d2bc35b6d2af51b9075

SHA256
a91ef753da80481ff6ae18a24538bc2206e5f6aaa45c5304d4d8f01720600517

SHA512
1e399b9d42d37ac1949bc6d165500e51f995a87daef408108873ec1a455721304c785885acfc4693264fe850b309a4eddbd12fcce09f45bf6f09329927e4e0d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
024c42a454d3be2960eb1a3eb1013132

SHA1
08835edec4b9c8876a7d7db9bcbfc3107a0b943b

SHA256
4db5fef1596041805b1684a1e3308d3c68be744c5dae1bb8ecffb837054f91ab

SHA512
86ca6186201ff8f906938794094445a33da0adcd3b736fe726a87dee8136b66b6e9dca7353f71f3d574980fc0643e2f707f22ab0c5a6e76f74fefc97c5c08660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
d23df12d73b10858aa5339098e2ac13e

SHA1
9b86148ea68aafc312d08db974a582f60b5c8e39

SHA256
5af66a746fca3e0af897a6adb7723a826047ef380de74b9c011b0ad7ed6d3af7

SHA512
655b134de99390f5c00a6caec7c5bb35ff0c799708cf0714c24d6b634cb7bd9cab7a331a9627714cc40cd363f55fdcaa85c6a0220d44f52032592d1e3a9d24be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
86a701f8515a4917228a769f82fb10e0

SHA1
06326ef8d3a63a5d509e16a826d9be0f7bc6505d

SHA256
829904d91768e2885b2c85309b087c6f6a32efe1f9182416216247820fbb572a

SHA512
138694588030cbf0e41661d6192d9eacceff7757e941a95ad688fecb574f17a4ce68a24238003b47f3bbb46746fbfb56c88cda3cf8344dca8f6bd57e269bbe27

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g23l0jla.yil.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
memory/372-55-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/372-53-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/372-51-0x0000000006060000-0x00000000063B4000-memory.dmp

Filesize
3.3MB

Download
memory/372-41-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/372-40-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/4280-30-0x0000000005F10000-0x0000000006264000-memory.dmp

Filesize
3.3MB

Download
memory/4280-15-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/4280-34-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/4280-35-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/4280-38-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/4280-32-0x0000000006380000-0x00000000063CC000-memory.dmp

Filesize
304KB

Download
memory/4280-31-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/4280-25-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/4280-19-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/4280-18-0x0000000005450000-0x0000000005472000-memory.dmp

Filesize
136KB

Download
memory/4280-17-0x0000000005520000-0x0000000005B48000-memory.dmp

Filesize
6.2MB

Download
memory/4280-16-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/4280-14-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/4280-33-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/4280-13-0x0000000002D60000-0x0000000002D96000-memory.dmp

Filesize
216KB

Download
memory/4400-57-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4400-58-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4400-70-0x0000000006710000-0x000000000675C000-memory.dmp

Filesize
304KB

Download
memory/4400-72-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4400-73-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/4400-56-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/4400-68-0x0000000005FC0000-0x0000000006314000-memory.dmp

Filesize
3.3MB

Download
memory/4564-91-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/4564-89-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/4564-90-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/4564-103-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/4564-104-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/4784-86-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/4784-88-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/4784-75-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/4784-74-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download