Analysis
- max time kernel: 840s
- max time network: 819s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2023, 18:47
Behavioral task: behavioral1
- Sample: Chinese-Rat.rar
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: Chinese-Rat.rar
- Resource: win10v2004-20230915-en
General
- Target: Chinese-Rat.rar
- Size: 235.1MB
- MD5: 37f249f004fcb1a0c5457fed3defd662
- SHA1: 26befe465eaebcfa026f97dc87f4327857b54d0a
- SHA256: 7f16bbad32fe87a9dbaf60d0958428192dc9b118df58e7d941ade00a56c8951a
- SHA512: dddab9f58147f56c3247526145529143afc0c2f5e57eacb3bf0e1b63770b527ba963972e01481c4f775bb677a86d16cbcf7f34b7bc6a2fe57c2cf5f9bf66191d
- SSDEEP: 6291456:l5JvhykkRm0yP8SkD0StzoBeO0i+T8Ldu:l5JLd78wStzo50ig8xu
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2512  Keygen.exe
  912   銘羊天下.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  description  ioc                                                                                    Process
  Key created  \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings  cmd.exe
  Key created  \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings  OpenWith.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1892  OpenWith.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   4120  7zG.exe
  Token: 35                   4120  7zG.exe
  Token: SeSecurityPrivilege  4120  7zG.exe
  Token: SeSecurityPrivilege  4120  7zG.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  4120  7zG.exe
- Suspicious use of SetWindowsHookEx (25 IoCs)
  pid   Process
  1892  OpenWith.exe (the same pid/process pair, listed 25 times)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Chinese-Rat.rar
  PID: 2348
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1892
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4232
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\" -spe -an -ai#7zMap32025:102:7zEvent19306
  PID: 4120
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\Keygen.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\Keygen.exe"
  PID: 2512
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\Chinese-Rat\銘羊天下.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Chinese-Rat\Chinese-Rat\銘羊天下.exe"
  PID: 912
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10.4MB
  MD5: e8174cee7f6fbd3996ce8904d39d5337
  SHA1: 6fbc5c1fdd135861109e1961109ea0070479b5f9
  SHA256: ce12c2e789e9e576af4a7fc267b015e4adc3f6377c37ac3842307b4d62ae78f5
  SHA512: e6ef23ab687381ea25f4291823d06faf32a6c9929c20b3a59ab668e1db9b01afd872c99ba9124d6d161c811eecb7ddbbf056d180df898b5ed32a74f2e7fa0551
- Filesize: 42.8MB
  MD5: d2be20f8eeb82b07a494e9441828d571
  SHA1: ef55c6a21edaf3148e45586fb728296ddee7185f
  SHA256: 5ab666279fcb89b95fa27f7a1bf108998656515312f38e674b9ae720a428af52
  SHA512: 3059a02702856958280f13b5c61ad3c70b436303a05268f53507cadcd4f5601e73ea2239e016f846f9fa00b1e1842af748ea55d6e54beace1c315da80402a40b
- Filesize: 42.8MB
  MD5: d2be20f8eeb82b07a494e9441828d571
  SHA1: ef55c6a21edaf3148e45586fb728296ddee7185f
  SHA256: 5ab666279fcb89b95fa27f7a1bf108998656515312f38e674b9ae720a428af52
  SHA512: 3059a02702856958280f13b5c61ad3c70b436303a05268f53507cadcd4f5601e73ea2239e016f846f9fa00b1e1842af748ea55d6e54beace1c315da80402a40b
- Filesize: 5KB
  MD5: ce7aff41b893a07cb610151d4f732002
  SHA1: d5655dcc3b292b12980fabe71bf9653b68ce17c4
  SHA256: 0b182848cc93a7b90e26a0d1846a1d4639f0116ea13bbe90c5c7b239895fb18f
  SHA512: c07009e1f9bae9cbc8a4309ca49eb171b0f2633459c1eb59734927cbeadd4af49fae639051cdf5f55c9813bd12c139c55a2c6e890f2b1fd97173914d3b320943
- Filesize: 5KB
  MD5: ce7aff41b893a07cb610151d4f732002
  SHA1: d5655dcc3b292b12980fabe71bf9653b68ce17c4
  SHA256: 0b182848cc93a7b90e26a0d1846a1d4639f0116ea13bbe90c5c7b239895fb18f
  SHA512: c07009e1f9bae9cbc8a4309ca49eb171b0f2633459c1eb59734927cbeadd4af49fae639051cdf5f55c9813bd12c139c55a2c6e890f2b1fd97173914d3b320943