919b8906dc891e3dec2883b47a3cacbdc304482e2efa1edb44c4a2d641e8e302

General

Target

888-RAT [Lifetime Activated]/data/user-interface.exe
Size

5.6MB
MD5

b8703418e6c3d1ccd83b8d178ab9f4c9
SHA1

6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6
SHA256

d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e
SHA512

75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f
SSDEEP

98304:sbl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6Ucf:s6OuK6mn9NzgMoYkSIvUcwti7TQlvciA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Update.exe

pid process

3164 Update.exe
Loads dropped DLL 2 IoCs

Processes:

user-interface.exeUpdate.exe

pid process

1804 user-interface.exe
3164 Update.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
11 raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
9 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3320 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4884 tasklist.exe

pid	process
3164	Update.exe

flow	ioc
4	raw.githubusercontent.com
11	raw.githubusercontent.com

flow	ioc
1	ip-api.com
9	ip-api.com

pid	process
3320	timeout.exe

pid	process
4884	tasklist.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

user-interface.exeUpdate.exe

pid	process
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
1804	user-interface.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe
3164	Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

user-interface.exetasklist.exeUpdate.exe

description pid process

Token: SeDebugPrivilege 1804 user-interface.exe
Token: SeDebugPrivilege 4884 tasklist.exe
Token: SeDebugPrivilege 3164 Update.exe

description	pid	process
Token: SeDebugPrivilege	1804	user-interface.exe
Token: SeDebugPrivilege	4884	tasklist.exe
Token: SeDebugPrivilege	3164	Update.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

user-interface.execmd.exe

description	pid	process	target process
PID 1804 wrote to memory of 4712	1804	user-interface.exe	cmd.exe
PID 1804 wrote to memory of 4712	1804	user-interface.exe	cmd.exe
PID 4712 wrote to memory of 4884	4712	cmd.exe	tasklist.exe
PID 4712 wrote to memory of 4884	4712	cmd.exe	tasklist.exe
PID 4712 wrote to memory of 4960	4712	cmd.exe	find.exe
PID 4712 wrote to memory of 4960	4712	cmd.exe	find.exe
PID 4712 wrote to memory of 3320	4712	cmd.exe	timeout.exe
PID 4712 wrote to memory of 3320	4712	cmd.exe	timeout.exe
PID 4712 wrote to memory of 3164	4712	cmd.exe	Update.exe
PID 4712 wrote to memory of 3164	4712	cmd.exe	Update.exe

C:\Users\Admin\AppData\Local\Temp\888-RAT [Lifetime Activated]\data\user-interface.exe
"C:\Users\Admin\AppData\Local\Temp\888-RAT [Lifetime Activated]\data\user-interface.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD522.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD522.tmp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 1804"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\system32\find.exe
find ":"
3⤵
PID:4960

C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:3320

C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe
"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll
Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD522.tmp.bat
Filesize
288B

MD5
156a97124f7051ca70d47bd592f16d8b

SHA1
57dfaea732b86fe7b1efe461b5bc310635856b6c

SHA256
e4020b5d8b65d6e9c89cda7107f3b26a6ebcf7a0d53a76ee9a1e46921dc7eb04

SHA512
ed9a43d5e0cee3b209a2e43b90caf5e247aa8582122a90fdb3221684f350c31d52abba437e8e43bf6992032b0ad6a0bf2e4a6fc354279077b56c590d9c706cfd

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLogger\Update.exe
Filesize
5.6MB

MD5
b8703418e6c3d1ccd83b8d178ab9f4c9

SHA1
6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6

SHA256
d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e

SHA512
75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f

Download Submit
memory/1804-0-0x0000021664240000-0x00000216647E0000-memory.dmp

Filesize
5.6MB

Download
memory/1804-1-0x00007FFC7BAD0000-0x00007FFC7C592000-memory.dmp

Filesize
10.8MB

Download
memory/1804-6-0x000002167ECD0000-0x000002167ED46000-memory.dmp

Filesize
472KB

Download
memory/1804-7-0x000002167EDB0000-0x000002167EDC0000-memory.dmp

Filesize
64KB

Download
memory/1804-8-0x00007FFC7BAD0000-0x00007FFC7C592000-memory.dmp

Filesize
10.8MB

Download
memory/1804-9-0x000002167EDB0000-0x000002167EDC0000-memory.dmp

Filesize
64KB

Download
memory/1804-13-0x00007FFC7BAD0000-0x00007FFC7C592000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing