Analysis
- max time kernel: 18s
- max time network: 21s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-04-2024 16:23
Behavioral task
- behavioral1
- Sample: S-400 RAT v3.0.7z
- Resource: win10v2004-20240412-en (windows10-2004-x64)
- 4 signatures
- 600 seconds
General
- Target: S-400 RAT v3.0.7z
- Size: 9.2MB
- MD5: 3ac05d552a3f0d1285e5933139369ecd
- SHA1: d7cb0d6cff8085684ca235b40c8d74b565545bb0
- SHA256: 137713b97b5c79056269e461c454cfff281fe2e1b6a1ab69e1c8302cb35aa9b8
- SHA512: 419fde2888b221f776e8cf24cb1c9b02bdf30c05ee91390586eccb2fdf2082f4f039726bc7ed7b58dbfd8e4ce3b8186988e5a497bee1dd070c16a13221e92b2d
- SSDEEP: 196608:wfoIu+BskkZd8HlE+n3m5mdvanVQo33hhent41nzW6k1Mi0V0Q8JY6byT:wfoIzBlhlEQmUdviQobDW23gYUi
Score
3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: cmd.exe, OpenWith.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings | OpenWith.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: OpenWith.exe
  pid | process
  2592 | OpenWith.exe
- Suspicious use of SetWindowsHookEx (45 IoCs)
  Processes: OpenWith.exe
  pid | process
  2592 | OpenWith.exe (the same entry is listed 45 times)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\S-400 RAT v3.0.7z"
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx