6baa72f1363b421eb90a55654ba36c34521a42a9cddb2ed6a0b8a90c953274f7

Analysis

max time kernel
845s
max time network
851s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Raptor_MultiTool.rar
Size

4.7MB
MD5

1124c04a788197ef980f95cbdc31721b
SHA1

0e84f7e09740e4486715df88d7ecf651fec7fe87
SHA256

6baa72f1363b421eb90a55654ba36c34521a42a9cddb2ed6a0b8a90c953274f7
SHA512

b9dcd24f6967645706f450c66ff470eccf07b789817145e3868e6b4da54f13cf140d86af4366591bdd563141f0c9d8a6ba7e12795ec8de9a69fe6e2ec5b98ac2
SSDEEP

98304:KhAmwOWmEMiXFZCmCUbDdoRI16c22xxGAFdIEMBQm0OSyHgeLluQX3Q4Nqr:KhbPWmEbHCRIrdxMBQm0OHgwXA2a

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2868	chromedriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2628	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2628	7zFM.exe
Token: 35	2628	7zFM.exe
Token: SeSecurityPrivilege	2628	7zFM.exe
Token: SeSecurityPrivilege	2628	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2628	7zFM.exe
2628	7zFM.exe
2628	7zFM.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2628	1896	cmd.exe	29
PID 1896 wrote to memory of 2628	1896	cmd.exe	29
PID 1896 wrote to memory of 2628	1896	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Raptor_MultiTool.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Raptor_MultiTool.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2628

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2596

C:\Users\Raptor MultiTool\chromedriver.exe
"C:\Users\Raptor MultiTool\chromedriver.exe"
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Raptor MultiTool\PackageInstaller.bat" "
1⤵
PID:1908

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Raptor MultiTool\PackageInstaller.bat
1⤵
PID:1616

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Raptor MultiTool\PackageInstaller.bat" "
1⤵
PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Raptor MultiTool\nuking\roles.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Raptor MultiTool\PackageInstaller.bat

Filesize
285B

MD5
9c2ee579f359da27ded92dbec3e1f5a3

SHA1
e9f8baa1cd011d0088629f5ad7cc6f54da46d302

SHA256
869b059ff9549619c56cdca0d54bf7ba59e2ed04830effb23e047025d20a3ad8

SHA512
38faebab083ef29436bca8c4194e544c5bef7a5b7e9a5b207dd4c05b494a28b6539d9c7659ae9238cab3c9e816163eb29ce84798a8c40e31d4567ea79acffc76

Download Submit
C:\Users\Raptor MultiTool\chromedriver.exe

Filesize
10.8MB

MD5
87991caad7287d0ea7726e3e2611ae5b

SHA1
ea37551af895f41151566a66ca43949068f96978

SHA256
b4b1ab81c69ea98d5892a45c31aec4be028e697de488aad9a9ccd1786f426afb

SHA512
37bb459378e3a7046239fb9e860cdad981da6db48b5da762996493bf48e3c00eda6e76401b8c6d7e525d013297a0f02381a89d2ec269d45198af9a8d09d20841

Download Submit