Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
24/02/2024, 09:17
Static task
static1
Behavioral task
behavioral1
Sample
a17e68df0571d9c5eb1d50128f988fd2.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a17e68df0571d9c5eb1d50128f988fd2.exe
Resource
win10v2004-20240221-en
General
-
Target
a17e68df0571d9c5eb1d50128f988fd2.exe
-
Size
3.6MB
-
MD5
a17e68df0571d9c5eb1d50128f988fd2
-
SHA1
140b2ff127d66780354d26e14979aeec7d31b6f0
-
SHA256
50abd0bacda330273a8fbdeef6b0d1dccf84dfa87f8a403e551f4666ab0a6d55
-
SHA512
3937d5fdb35cc3a7c5d740d879f997356ff38b28f59e41ba59c3b43fe58f103d365827fccaedd730502b6ac1a4413af40f2fb9383e6b19d0dbb6765b42e7b29f
-
SSDEEP
49152:ZoaXc7qLlg3Q9st37y7CZz/Yx0xmwhYmK0/t9YbAaenmuevXo:Z7I
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
2380  rarebot-installer.exe
-
Loads dropped DLL 4 IoCs
pid   Process
2068  a17e68df0571d9c5eb1d50128f988fd2.exe
2380  rarebot-installer.exe
2380  rarebot-installer.exe
2380  rarebot-installer.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                                                     Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindosU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindosU.exe"  a17e68df0571d9c5eb1d50128f988fd2.exe
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                               procid_target
PID 2068 set thread context of 2120  2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
resource                                     yara_rule
behavioral1/files/0x0008000000012247-25.dat  nsis_installer_1
behavioral1/files/0x0008000000012247-25.dat  nsis_installer_2
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2380  rarebot-installer.exe
2380  rarebot-installer.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2380  rarebot-installer.exe
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
description                          pid   Process
Token: SeIncreaseQuotaPrivilege      2120  vbc.exe
Token: SeSecurityPrivilege           2120  vbc.exe
Token: SeTakeOwnershipPrivilege      2120  vbc.exe
Token: SeLoadDriverPrivilege         2120  vbc.exe
Token: SeSystemProfilePrivilege      2120  vbc.exe
Token: SeSystemtimePrivilege         2120  vbc.exe
Token: SeProfSingleProcessPrivilege  2120  vbc.exe
Token: SeIncBasePriorityPrivilege    2120  vbc.exe
Token: SeCreatePagefilePrivilege     2120  vbc.exe
Token: SeBackupPrivilege             2120  vbc.exe
Token: SeRestorePrivilege            2120  vbc.exe
Token: SeShutdownPrivilege           2120  vbc.exe
Token: SeDebugPrivilege              2120  vbc.exe
Token: SeSystemEnvironmentPrivilege  2120  vbc.exe
Token: SeChangeNotifyPrivilege       2120  vbc.exe
Token: SeRemoteShutdownPrivilege     2120  vbc.exe
Token: SeUndockPrivilege             2120  vbc.exe
Token: SeManageVolumePrivilege       2120  vbc.exe
Token: SeImpersonatePrivilege        2120  vbc.exe
Token: SeCreateGlobalPrivilege       2120  vbc.exe
Token: 33                            2120  vbc.exe
Token: 34                            2120  vbc.exe
Token: 35                            2120  vbc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
2120  vbc.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
description                        pid   Process                               procid_target
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2120   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  28
PID 2068 wrote to memory of 2380   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  29
PID 2068 wrote to memory of 2380   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  29
PID 2068 wrote to memory of 2380   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  29
PID 2068 wrote to memory of 2380   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  29
PID 2068 wrote to memory of 2380   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  29
PID 2068 wrote to memory of 2380   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  29
PID 2068 wrote to memory of 2380   2068  a17e68df0571d9c5eb1d50128f988fd2.exe  29
Processes
-
C:\Users\Admin\AppData\Local\Temp\a17e68df0571d9c5eb1d50128f988fd2.exe  "C:\Users\Admin\AppData\Local\Temp\a17e68df0571d9c5eb1d50128f988fd2.exe"  (level 1)
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2068 -
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (level 2)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2120
-
-
  C:\Users\Admin\AppData\Local\Temp\rarebot-installer.exe  "C:\Users\Admin\AppData\Local\Temp\rarebot-installer.exe"  (level 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2380
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
MD5 8614c450637267afacad1645e23ba24a
SHA1 e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512 af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b
-
Filesize
11KB
MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
9KB
MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
-
Filesize
1.1MB
MD5 b6838889d5af2a20c4786f93aa007ee0
SHA1 655c6869c824676aa3c44c783daced735798f9da
SHA256 99f686c9c12c8ad5367998e4d3d850171c31b43901f1ac22d7744aa7cfadb231
SHA512 1222a035f9c38b6bfb487e262e7e6b23486a3090096e75fc03640cc1a1af8c02df9c1f380d8de5a6e3f0839d091468e27193df0a7e29282c3e5286aad84511a1