samorat | fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46

General

Target

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
Size

1.3MB
MD5

2042fdc08ed48544a98307aec4610251
SHA1

50a6c64a62347c6c87abb65d04803ff23832a7e8
SHA256

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
SHA512

b102fc8105b0a7cca5c33711e83af818dd9c37ff377d252edec69cbb05052387013426bbce38650c0360fb8c94f4796a8232b93f4c5d438caf031a50c4cae591
SSDEEP

24576:LXFgZi7M93fxOLHvVCGvlxcXBVDCU7EIRxCiQVhR5CUQOufa/8gU:LXFuZOraCIxghRxQRr

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/5028-30-0x00000000032D0000-0x00000000032DC000-memory.dmp	disable_win_def

SamoRAT
SamoRAT is a .NET malware used to receive and execute different commands on the infected system.
trojan samorat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exeWinServices.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	WinServices.exe

Executes dropped EXE 2 IoCs

Processes:

ProAlts.xyz Token Generator.exeWinServices.exe

pid process

1476 ProAlts.xyz Token Generator.exe
5028 WinServices.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 icanhazip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1476	ProAlts.xyz Token Generator.exe
5028	WinServices.exe

flow	ioc
19	icanhazip.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinServices.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WinServices.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WinServices.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1596 schtasks.exe

pid	process
1596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

WinServices.exe

pid	process
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe
5028	WinServices.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WinServices.exe

description pid process

Token: SeDebugPrivilege 5028 WinServices.exe

description	pid	process
Token: SeDebugPrivilege	5028	WinServices.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exeWinServices.execmd.exe

description	pid	process	target process
PID 2484 wrote to memory of 1476	2484	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	ProAlts.xyz Token Generator.exe
PID 2484 wrote to memory of 1476	2484	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	ProAlts.xyz Token Generator.exe
PID 2484 wrote to memory of 1476	2484	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	ProAlts.xyz Token Generator.exe
PID 2484 wrote to memory of 5028	2484	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	WinServices.exe
PID 2484 wrote to memory of 5028	2484	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	WinServices.exe
PID 2484 wrote to memory of 5028	2484	fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe	WinServices.exe
PID 5028 wrote to memory of 4528	5028	WinServices.exe	cmd.exe
PID 5028 wrote to memory of 4528	5028	WinServices.exe	cmd.exe
PID 5028 wrote to memory of 4528	5028	WinServices.exe	cmd.exe
PID 4528 wrote to memory of 1596	4528	cmd.exe	schtasks.exe
PID 4528 wrote to memory of 1596	4528	cmd.exe	schtasks.exe
PID 4528 wrote to memory of 1596	4528	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe
"C:\Users\Admin\AppData\Local\Temp\fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2484

C:\ProgramData\WinServices.exe
"C:\ProgramData\WinServices.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn WinServices /tr '"C:\Users\Admin\AppData\Local\Microsoft\Networking\WinServices.exe"'
4⤵
- Creates scheduled task(s)
PID:1596

C:\ProgramData\ProAlts.xyz Token Generator.exe
"C:\ProgramData\ProAlts.xyz Token Generator.exe"
2⤵
- Executes dropped EXE
PID:1476

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ProAlts.xyz Token Generator.exe
Filesize
672KB

MD5
2086fb707a48f239399ec752feaabd7e

SHA1
bb7d8008b21a6ae038074479f6e423a257fb5260

SHA256
a2cf0de9e63aeaf15700f4df455273183cf8334e732e888b0d3c1090ff84ba34

SHA512
cd14867bca10f5167fd28614bb6692576b5b6807c458bef6c8ee19169daa8e713383fbfaa3cc90e4f96f3b1cbbb7dcd8ab15d105a9d435cee9fdd52046b2d5d0

Download Submit
C:\ProgramData\WinServices.exe
Filesize
188KB

MD5
4bb3e58d375714e27744d106143cf61b

SHA1
802803b91e9439c5bc0a59f73629d2a191e9f4dc

SHA256
f434312e8ce38172180f281f6b3951879e82f42a07362f89179d91ded810feea

SHA512
64cf58bbc58f05d6d08bdf59ce5b7496bf4a4ae97135d8a96c4ed6af7ae319a2b146d79059ff718d481f26198b1f80874fb7111c8bd79fda039e21db3f9424f7

Download Submit
C:\ProgramData\WinServices.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\CrashReport.png
Filesize
355KB

MD5
f91e8aa934fb279c7901ea9fe23321e2

SHA1
157251f685c5b5b2f41b9f4d2386d65b036a0a1f

SHA256
b9ea96806c7afe472192ce0fd5783a39ea19276d9f8672aa54851b7f178e33b3

SHA512
8ddcc4632ff396500952295ca6c7fc6d9935ab2010c07a07751afc48a2cda511d435177607c12acf0424c03a2e2ccbb6fc14bd34abf29be33cbc09628fe41414

Download Submit
memory/1476-37-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1476-34-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/1476-41-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1476-27-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/1476-26-0x0000000000AA0000-0x0000000000B4C000-memory.dmp

Filesize
688KB

Download
memory/1476-31-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/1476-47-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1476-43-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/1476-46-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/1476-36-0x0000000005600000-0x000000000560A000-memory.dmp

Filesize
40KB

Download
memory/2484-0-0x0000000074E10000-0x00000000753C1000-memory.dmp

Filesize
5.7MB

Download
memory/2484-1-0x00000000015F0000-0x0000000001600000-memory.dmp

Filesize
64KB

Download
memory/2484-25-0x0000000074E10000-0x00000000753C1000-memory.dmp

Filesize
5.7MB

Download
memory/2484-2-0x0000000074E10000-0x00000000753C1000-memory.dmp

Filesize
5.7MB

Download
memory/5028-33-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/5028-30-0x00000000032D0000-0x00000000032DC000-memory.dmp

Filesize
48KB

Download
memory/5028-32-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/5028-44-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/5028-45-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/5028-38-0x0000000006190000-0x000000000622C000-memory.dmp

Filesize
624KB

Download
memory/5028-35-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/5028-50-0x0000000006820000-0x0000000006896000-memory.dmp

Filesize
472KB

Download
memory/5028-51-0x0000000007860000-0x000000000787E000-memory.dmp

Filesize
120KB

Download
memory/5028-29-0x0000000000F50000-0x0000000000F84000-memory.dmp

Filesize
208KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads