Malware Analysis Report

2024-10-23 19:27

Sample ID 240629-w3crrsshkd
Target Borat.rar
SHA256 53cdc49c7fb83b419c07edb45c544b106aaa37db00e8a37211678af6350a82f1
Tags
asyncrat evasion rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

53cdc49c7fb83b419c07edb45c544b106aaa37db00e8a37211678af6350a82f1

Threat Level: Known bad

The file Borat.rar was found to be: Known bad.

Malicious Activity Summary

asyncrat evasion rat trojan

UAC bypass

Asyncrat family

AsyncRat

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of SendNotifyMessage

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-29 18:26

Signatures

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Regedit.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Regedit.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\ReverseProxy.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\ReverseProxy.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\FileManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\FileManager.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240611-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Information.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Information.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240508-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Borat\bin\Keylogger.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\bin\Keylogger.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\bin\Keylogger.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\bin\Keylogger.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Borat\bin\Keylogger.exe

"C:\Users\Admin\AppData\Local\Temp\Borat\bin\Keylogger.exe"

Network

N/A

Files

memory/2088-0-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp

memory/2088-1-0x0000000000DE0000-0x0000000000DE8000-memory.dmp

memory/2088-2-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

memory/2088-3-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp

memory/2088-4-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240508-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Logger.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Logger.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240611-en

Max time kernel

123s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\RemoteCamera.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\RemoteCamera.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240508-en

Max time kernel

121s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Netstat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Netstat.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240419-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Audio.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Audio.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Extra.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Extra.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240508-en

Max time kernel

117s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\FileSearcher.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\FileSearcher.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\RemoteDesktop.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\RemoteDesktop.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240508-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe"

Network

N/A

Files

memory/2180-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

memory/2180-1-0x0000000000D00000-0x0000000000D14000-memory.dmp

memory/2180-2-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

memory/2180-3-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240419-en

Max time kernel

121s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Miscellaneous.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Miscellaneous.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Ransomware.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Ransomware.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240419-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\SendMemory.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\SendMemory.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Discord.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Discord.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240508-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe"

Signatures

AsyncRat

rat asyncrat

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" C:\Users\Admin\Desktop\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" C:\Users\Admin\Desktop\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" C:\Users\Admin\Desktop\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" C:\Users\Admin\Desktop\Client.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua C:\Users\Admin\Desktop\Client.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 4c00310000000000dd58649310204c6f63616c00380008000400efbea8587a81dd5864932a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 7400310000000000a8587a811100557365727300600008000400efbeee3a851aa8587a812a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 5200310000000000a8587a81122041707044617461003c0008000400efbea8587a81a8587a812a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000016000000 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000 C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A
N/A N/A C:\Users\Admin\Desktop\Client.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" C:\Users\Admin\Desktop\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" C:\Users\Admin\Desktop\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" C:\Users\Admin\Desktop\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe

"C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Desktop\Client.exe

"C:\Users\Admin\Desktop\Client.exe"

C:\Users\Admin\Desktop\Client.exe

"C:\Users\Admin\Desktop\Client.exe"

C:\Users\Admin\Desktop\Client.exe

"C:\Users\Admin\Desktop\Client.exe"

C:\Windows\system32\UserAccountControlSettings.exe

"C:\Windows\system32\UserAccountControlSettings.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp
N/A 127.0.0.1:8848 tcp

Files

memory/2416-0-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp

memory/2416-1-0x0000000001160000-0x000000000256A000-memory.dmp

memory/2416-2-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

memory/2416-3-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

memory/2416-8-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

memory/2416-9-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

memory/2416-10-0x0000000020A70000-0x0000000020A80000-memory.dmp

memory/2416-11-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp

memory/2416-12-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

memory/2416-13-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_gd1rwjpue5ky1rwo1qwl5mnr5ta35yo4\1.0.7.0\user.config

MD5 0c6e4f57ebaba0cc4acfc8bb65c589f8
SHA1 8c021c2371b87f2570d226b419c64c3102b8d434
SHA256 a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c
SHA512 c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0

C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_gd1rwjpue5ky1rwo1qwl5mnr5ta35yo4\1.0.7.0\user.config

MD5 acb6df8bd0fe9236ea87ea6e3c28173f
SHA1 8b1d88bd749b58905c6db258e7224a67d1179938
SHA256 ec2b3fc4d011e9b8a04188d8f2ff280de854dde7d6ebf8e871e0642f789dfa5b
SHA512 a4222c0f5aeba58679c21361dcb6ab2c7ed1d9cae41d2839089fdb7bbaac3b8735afff8b302557f85389daa977b826cee77b944ba598e3fa6c2a16781453a832

memory/2416-40-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

memory/2416-41-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

C:\Users\Admin\Desktop\Client.exe

MD5 4642ccb961eeef7581730e1012ef5883
SHA1 dc621c86dbae4be306394731f9da54b46e31d7e3
SHA256 88205c76799f0522ce69b1e4d64a27ad3fe945ec441d3a54d2b9ffefbc5a8c8f
SHA512 7a9c476f8fea06a747124903b8e974680be22a045ac8685f736e323566e178e79db40aee1ee30a5e09e0e547cb6011b8362359026252d74702cfaee729c4775b

memory/292-44-0x00000000001F0000-0x0000000000204000-memory.dmp

memory/292-58-0x0000000000300000-0x000000000031C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab82C9.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

memory/292-67-0x00000000002E0000-0x00000000002EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarC892.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/292-75-0x00000000005C0000-0x00000000005CC000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240611-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Options.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Options.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\ProcessManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\ProcessManager.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240220-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Recovery.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Recovery.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240611-en

Max time kernel

118s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Fun.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Fun.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240508-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\SendFile.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\SendFile.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-29 18:26

Reported

2024-06-29 18:29

Platform

win7-20240611-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\MessagePackLib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\MessagePackLib.dll,#1

Network

N/A

Files

N/A