magicrat | f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332

Analysis

max time kernel
160s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe
Size

18.5MB
MD5

b4c9b903dfd18bd67a3824b0109f955b
SHA1

a3555a77826df6c8b2886cc0f40e7d7a2bd99610
SHA256

f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332
SHA512

73ec5620b9c607c96e883d95ac6ea4033444cb74def871d16875bb90cdf6560e592c1dcb9d6e9b406cd7d238464f46f61ca5f95bf07b0367ee826971ff151aed
SSDEEP

196608:99rTfn5Mp6Z9j2ujTh4e9q77AJsv6tWKFdu9CqK:9F+p6Z3Ph4e9qoJsv6tWKFdu9C

Score

10^/10

magicrat rat trojan

Malware Config

Signatures

Detected MagicRAT payload 13 IoCs

resource	yara_rule
behavioral1/memory/2112-5-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral1/memory/2112-22-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral1/memory/2112-23-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral1/memory/2112-24-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral1/memory/2112-25-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral1/memory/2112-26-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral1/memory/2112-27-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral1/memory/2112-28-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral1/memory/2112-29-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral1/memory/2112-30-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral1/memory/2112-31-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral1/memory/2112-32-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral1/memory/2112-33-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat

magicrat
MagicRAT is a remote access trojan developed and operated by the Lazarus APT group.
trojan rat magicrat

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2392	schtasks.exe
2700	schtasks.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe
2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe
2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe
2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe
2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2396	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	29
PID 2112 wrote to memory of 2396	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	29
PID 2112 wrote to memory of 2396	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	29
PID 2396 wrote to memory of 2488	2396	cmd.exe	31
PID 2396 wrote to memory of 2488	2396	cmd.exe	31
PID 2396 wrote to memory of 2488	2396	cmd.exe	31
PID 2112 wrote to memory of 2600	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	32
PID 2112 wrote to memory of 2600	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	32
PID 2112 wrote to memory of 2600	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	32
PID 2600 wrote to memory of 2392	2600	cmd.exe	34
PID 2600 wrote to memory of 2392	2600	cmd.exe	34
PID 2600 wrote to memory of 2392	2600	cmd.exe	34
PID 2112 wrote to memory of 2452	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	35
PID 2112 wrote to memory of 2452	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	35
PID 2112 wrote to memory of 2452	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	35
PID 2452 wrote to memory of 2820	2452	cmd.exe	37
PID 2452 wrote to memory of 2820	2452	cmd.exe	37
PID 2452 wrote to memory of 2820	2452	cmd.exe	37
PID 2112 wrote to memory of 1340	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	38
PID 2112 wrote to memory of 1340	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	38
PID 2112 wrote to memory of 1340	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	38
PID 1340 wrote to memory of 1908	1340	cmd.exe	40
PID 1340 wrote to memory of 1908	1340	cmd.exe	40
PID 1340 wrote to memory of 1908	1340	cmd.exe	40
PID 2112 wrote to memory of 1616	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	41
PID 2112 wrote to memory of 1616	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	41
PID 2112 wrote to memory of 1616	2112	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	41
PID 1616 wrote to memory of 2700	1616	cmd.exe	43
PID 1616 wrote to memory of 2700	1616	cmd.exe	43
PID 1616 wrote to memory of 2700	1616	cmd.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe
"C:\Users\Admin\AppData\Local\Temp\f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\cmd.exe
  cmd.exe /c bcdedit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\system32\bcdedit.exe
    bcdedit
    3⤵
    PID:2488
- C:\Windows\system32\cmd.exe
  cmd.exe /c schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/Users/Admin/AppData/Local/Temp/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe" /sc daily /st 10:30:30 /ru SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/Users/Admin/AppData/Local/Temp/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe" /sc daily /st 10:30:30 /ru SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:2392
- C:\Windows\system32\cmd.exe
  cmd.exe /c schtasks /delete /f /tn "Microsoft\Windows\light Service Manager"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn "Microsoft\Windows\light Service Manager"
    3⤵
    PID:2820
- C:\Windows\system32\cmd.exe
  cmd.exe /c bcdedit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\system32\bcdedit.exe
    bcdedit
    3⤵
    PID:1908
- C:\Windows\system32\cmd.exe
  cmd.exe /c schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/Users/Admin/AppData/Local/Temp/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe /sc onstart /ru SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/Users/Admin/AppData/Local/Temp/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe /sc onstart /ru SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2112-5-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/2112-22-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/2112-23-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/2112-24-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/2112-25-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/2112-26-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/2112-27-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/2112-28-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/2112-29-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/2112-30-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/2112-31-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/2112-32-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/2112-33-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads