c4c71cb5335e9f2c16b722e90774205a23c23045033d3509f3c4b2cb09b3c965

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ratleaks.exe
Size

232KB
MD5

e6a1139ecd894280ed5b834ff480bb9f
SHA1

c3f8ec9c0f15a65548e8578e5e305fc804d84ebc
SHA256

c4c71cb5335e9f2c16b722e90774205a23c23045033d3509f3c4b2cb09b3c965
SHA512

e52023bfde310dc33ea9a83eb6626f0a16854f2fb2d00fd5cd0c359b44a4e0ca3fb0a7d7e9eee4b81a39e5e733aa834db129e8d24cfe803880e81e25e1c53b1c
SSDEEP

6144:D5oaqJhJMHW69B9VjMdxPedN9ug0/9TBcXxJzQL6o:D5oaqjp/9TihJzQL6o

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2608	tasklist.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2836	powershell.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2544	WMIC.exe
Token: SeSecurityPrivilege	2544	WMIC.exe
Token: SeTakeOwnershipPrivilege	2544	WMIC.exe
Token: SeLoadDriverPrivilege	2544	WMIC.exe
Token: SeSystemProfilePrivilege	2544	WMIC.exe
Token: SeSystemtimePrivilege	2544	WMIC.exe
Token: SeProfSingleProcessPrivilege	2544	WMIC.exe
Token: SeIncBasePriorityPrivilege	2544	WMIC.exe
Token: SeCreatePagefilePrivilege	2544	WMIC.exe
Token: SeBackupPrivilege	2544	WMIC.exe
Token: SeRestorePrivilege	2544	WMIC.exe
Token: SeShutdownPrivilege	2544	WMIC.exe
Token: SeDebugPrivilege	2544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2544	WMIC.exe
Token: SeRemoteShutdownPrivilege	2544	WMIC.exe
Token: SeUndockPrivilege	2544	WMIC.exe
Token: SeManageVolumePrivilege	2544	WMIC.exe
Token: 33	2544	WMIC.exe
Token: 34	2544	WMIC.exe
Token: 35	2544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2544	WMIC.exe
Token: SeSecurityPrivilege	2544	WMIC.exe
Token: SeTakeOwnershipPrivilege	2544	WMIC.exe
Token: SeLoadDriverPrivilege	2544	WMIC.exe
Token: SeSystemProfilePrivilege	2544	WMIC.exe
Token: SeSystemtimePrivilege	2544	WMIC.exe
Token: SeProfSingleProcessPrivilege	2544	WMIC.exe
Token: SeIncBasePriorityPrivilege	2544	WMIC.exe
Token: SeCreatePagefilePrivilege	2544	WMIC.exe
Token: SeBackupPrivilege	2544	WMIC.exe
Token: SeRestorePrivilege	2544	WMIC.exe
Token: SeShutdownPrivilege	2544	WMIC.exe
Token: SeDebugPrivilege	2544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2544	WMIC.exe
Token: SeRemoteShutdownPrivilege	2544	WMIC.exe
Token: SeUndockPrivilege	2544	WMIC.exe
Token: SeManageVolumePrivilege	2544	WMIC.exe
Token: 33	2544	WMIC.exe
Token: 34	2544	WMIC.exe
Token: 35	2544	WMIC.exe
Token: SeDebugPrivilege	2608	tasklist.exe
Token: SeDebugPrivilege	2836	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2964	1900	ratleaks.exe	29
PID 1900 wrote to memory of 2964	1900	ratleaks.exe	29
PID 1900 wrote to memory of 2964	1900	ratleaks.exe	29
PID 2964 wrote to memory of 2828	2964	cmd.exe	30
PID 2964 wrote to memory of 2828	2964	cmd.exe	30
PID 2964 wrote to memory of 2828	2964	cmd.exe	30
PID 2964 wrote to memory of 2028	2964	cmd.exe	31
PID 2964 wrote to memory of 2028	2964	cmd.exe	31
PID 2964 wrote to memory of 2028	2964	cmd.exe	31
PID 2964 wrote to memory of 2644	2964	cmd.exe	32
PID 2964 wrote to memory of 2644	2964	cmd.exe	32
PID 2964 wrote to memory of 2644	2964	cmd.exe	32
PID 2964 wrote to memory of 2976	2964	cmd.exe	33
PID 2964 wrote to memory of 2976	2964	cmd.exe	33
PID 2964 wrote to memory of 2976	2964	cmd.exe	33
PID 2964 wrote to memory of 2544	2964	cmd.exe	34
PID 2964 wrote to memory of 2544	2964	cmd.exe	34
PID 2964 wrote to memory of 2544	2964	cmd.exe	34
PID 2964 wrote to memory of 2852	2964	cmd.exe	36
PID 2964 wrote to memory of 2852	2964	cmd.exe	36
PID 2964 wrote to memory of 2852	2964	cmd.exe	36
PID 2964 wrote to memory of 2608	2964	cmd.exe	37
PID 2964 wrote to memory of 2608	2964	cmd.exe	37
PID 2964 wrote to memory of 2608	2964	cmd.exe	37
PID 2964 wrote to memory of 2576	2964	cmd.exe	38
PID 2964 wrote to memory of 2576	2964	cmd.exe	38
PID 2964 wrote to memory of 2576	2964	cmd.exe	38
PID 2964 wrote to memory of 2648	2964	cmd.exe	39
PID 2964 wrote to memory of 2648	2964	cmd.exe	39
PID 2964 wrote to memory of 2648	2964	cmd.exe	39
PID 2964 wrote to memory of 2836	2964	cmd.exe	40
PID 2964 wrote to memory of 2836	2964	cmd.exe	40
PID 2964 wrote to memory of 2836	2964	cmd.exe	40
PID 2964 wrote to memory of 2448	2964	cmd.exe	41
PID 2964 wrote to memory of 2448	2964	cmd.exe	41
PID 2964 wrote to memory of 2448	2964	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\ratleaks.exe
"C:\Users\Admin\AppData\Local\Temp\ratleaks.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\26B3.tmp\26B4.tmp\26B5.bat C:\Users\Admin\AppData\Local\Temp\ratleaks.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\mode.com
    mode con:cols=45 lines=6
    3⤵
    PID:2828
- - C:\Windows\system32\reg.exe
    reg query HKEY_CURRENT_USER\SOFTWARE\CitizenFX
    3⤵
    PID:2028
- - C:\Windows\system32\reg.exe
    reg query HKEY_CLASSES_ROOT\FiveM.ProtocolHandler
    3⤵
    PID:2644
- - C:\Windows\system32\reg.exe
    reg query HKEY_CLASSES_ROOT\fivem
    3⤵
    PID:2976
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Windows\system32\more.com
    more +1 "hwid.txt"
    3⤵
    PID:2852
- - C:\Windows\system32\tasklist.exe
    tasklist /fi "ImageName eq x64dbg.exe" /fo csv
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\system32\find.exe
    find /I "x64dbg.exe"
    3⤵
    PID:2576
- - C:\Windows\system32\mode.com
    mode con:cols=45 lines=6
    3⤵
    PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Start-Sleep -Seconds 3"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\system32\mode.com
    mode con:cols=45 lines=7
    3⤵
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26B3.tmp\26B4.tmp\26B5.bat

Filesize
4KB

MD5
93ac0ea1f7e16826fcc9ec261492ee99

SHA1
dd354fe149b2139325c8548712041f67587dfaad

SHA256
9a9c12779b0a15f611d1fb7eb62bfa287de0d4bf572bad75c3d16c149697b7fe

SHA512
a31189c4791aeaa33da5ff51b0cf2f986cbefed64f87bc1344449bd365fc6fe08de516f13961dbfb402a6a6dee83c7205c2d82626fdf09a971fff3c00f872499

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwid.txt

Filesize
6B

MD5
bea07e6d2b8dce396fe21baa61b34956

SHA1
665332b36fc8fa1ed11210cdee83b639b451e592

SHA256
2e08d1f6000aef541797d008c05ac36f4dbebfb36cbac5615788e6fcc5b300a7

SHA512
4ad82fbef6d8d3f4d0b90a9399c8b405674bad0c750e385fb034e57895838fd26d7926f6ed0ccab2e2afcaf4a23613ed8f16d909bff870b40187e22e0a6362c1

Download Submit
memory/2836-8-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2836-9-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download