magicrat | f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332

General

Target

f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe
Size

18.5MB
MD5

b4c9b903dfd18bd67a3824b0109f955b
SHA1

a3555a77826df6c8b2886cc0f40e7d7a2bd99610
SHA256

f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332
SHA512

73ec5620b9c607c96e883d95ac6ea4033444cb74def871d16875bb90cdf6560e592c1dcb9d6e9b406cd7d238464f46f61ca5f95bf07b0367ee826971ff151aed
SSDEEP

196608:99rTfn5Mp6Z9j2ujTh4e9q77AJsv6tWKFdu9CqK:9F+p6Z3Ph4e9qoJsv6tWKFdu9C

Score

10^/10

Malware Config

Signatures

Detected MagicRAT payload 6 IoCs

resource	yara_rule
behavioral2/memory/3652-5-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral2/memory/3652-9-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral2/memory/3652-12-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral2/memory/3652-13-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral2/memory/3652-14-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat
behavioral2/memory/3652-15-0x0000000000400000-0x000000000167E000-memory.dmp	family_magicrat

magicrat
MagicRAT is a remote access trojan developed and operated by the Lazarus APT group.
trojan rat magicrat

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2288	schtasks.exe
1740	schtasks.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe
3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe
3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe
3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe
3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 1920	3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	97
PID 3652 wrote to memory of 1920	3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	97
PID 1920 wrote to memory of 4592	1920	cmd.exe	99
PID 1920 wrote to memory of 4592	1920	cmd.exe	99
PID 3652 wrote to memory of 748	3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	100
PID 3652 wrote to memory of 748	3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	100
PID 748 wrote to memory of 2288	748	cmd.exe	102
PID 748 wrote to memory of 2288	748	cmd.exe	102
PID 3652 wrote to memory of 3316	3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	103
PID 3652 wrote to memory of 3316	3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	103
PID 3316 wrote to memory of 4552	3316	cmd.exe	105
PID 3316 wrote to memory of 4552	3316	cmd.exe	105
PID 3652 wrote to memory of 3020	3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	106
PID 3652 wrote to memory of 3020	3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	106
PID 3020 wrote to memory of 4292	3020	cmd.exe	108
PID 3020 wrote to memory of 4292	3020	cmd.exe	108
PID 3652 wrote to memory of 1888	3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	109
PID 3652 wrote to memory of 1888	3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	109
PID 1888 wrote to memory of 1740	1888	cmd.exe	111
PID 1888 wrote to memory of 1740	1888	cmd.exe	111
PID 3652 wrote to memory of 2756	3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	113
PID 3652 wrote to memory of 2756	3652	f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe
"C:\Users\Admin\AppData\Local\Temp\f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c bcdedit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\system32\bcdedit.exe
    bcdedit
    3⤵
    PID:4592
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/Users/Admin/AppData/Local/Temp/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe" /sc daily /st 10:30:30 /ru SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/Users/Admin/AppData/Local/Temp/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe" /sc daily /st 10:30:30 /ru SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:2288
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c schtasks /delete /f /tn "Microsoft\Windows\light Service Manager"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn "Microsoft\Windows\light Service Manager"
    3⤵
    PID:4552
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c bcdedit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\bcdedit.exe
    bcdedit
    3⤵
    PID:4292
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/Users/Admin/AppData/Local/Temp/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe /sc onstart /ru SYSTEM
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/Users/Admin/AppData/Local/Temp/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332.exe /sc onstart /ru SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:1740
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3652 -s 1016
  2⤵
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3652-5-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/3652-9-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/3652-12-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/3652-13-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/3652-14-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download
memory/3652-15-0x0000000000400000-0x000000000167E000-memory.dmp

Filesize
18.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads