Overview

Score  Task / target            Platform
10     Static
10     Borat/BoratRat.exe       windows10-2004-x64
10     Borat/bin/Audio.dll      windows10-2004-x64
1      Borat/bin/Discord.dll    windows10-2004-x64
1      Borat/bin/Extra.dll      windows10-2004-x64
1      Borat/bin/...er.dll      windows10-2004-x64
1      Borat/bin/...er.dll      windows10-2004-x64
1      Borat/bin/Fun.dll        windows10-2004-x64
1      Borat/bin/...on.dll      windows10-2004-x64
1      Borat/bin/...er.exe      windows10-2004-x64
1      Borat/bin/Logger.dll     windows10-2004-x64
1      Borat/bin/...ib.dll      windows10-2004-x64
1      Borat/bin/...us.dll      windows10-2004-x64
1      Borat/bin/Netstat.dll    windows10-2004-x64
1      Borat/bin/Options.dll    windows10-2004-x64
1      Borat/bin/...er.dll      windows10-2004-x64
1      Borat/bin/...re.dll      windows10-2004-x64
1      Borat/bin/...ry.dll      windows10-2004-x64
1      Borat/bin/Regedit.dll    windows10-2004-x64
1      Borat/bin/...ra.dll      windows10-2004-x64
1      Borat/bin/...op.dll      windows10-2004-x64
1      Borat/bin/...xy.dll      windows10-2004-x64
1      Borat/bin/...le.dll      windows10-2004-x64
1      Borat/bin/...ry.dll      windows10-2004-x64
1      Borat/raw/Client.exe     windows10-2004-x64
Analysis

Max time kernel:   150s
Max time network:  153s
Platform:          windows10-2004_x64
Resource:          win10v2004-20240508-en
Resource tags:     arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted:         29-06-2024 18:18
Behavioral tasks

Task          Sample                         Resource
behavioral1   Borat/BoratRat.exe             win10v2004-20240508-en
behavioral2   Borat/bin/Audio.dll            win10v2004-20240611-en
behavioral3   Borat/bin/Discord.dll          win10v2004-20240611-en
behavioral4   Borat/bin/Extra.dll            win10v2004-20240611-en
behavioral5   Borat/bin/FileManager.dll      win10v2004-20240611-en
behavioral6   Borat/bin/FileSearcher.dll     win10v2004-20240508-en
behavioral7   Borat/bin/Fun.dll              win10v2004-20240611-en
behavioral8   Borat/bin/Information.dll      win10v2004-20240508-en
behavioral9   Borat/bin/Keylogger.exe        win10v2004-20240508-en
behavioral10  Borat/bin/Logger.dll           win10v2004-20240611-en
behavioral11  Borat/bin/MessagePackLib.dll   win10v2004-20240508-en
behavioral12  Borat/bin/Miscellaneous.dll    win10v2004-20240611-en
behavioral13  Borat/bin/Netstat.dll          win10v2004-20240611-en
behavioral14  Borat/bin/Options.dll          win10v2004-20240508-en
behavioral15  Borat/bin/ProcessManager.dll   win10v2004-20240508-en
behavioral16  Borat/bin/Ransomware.dll       win10v2004-20240508-en
behavioral17  Borat/bin/Recovery.dll         win10v2004-20240508-en
behavioral18  Borat/bin/Regedit.dll          win10v2004-20240508-en
behavioral19  Borat/bin/RemoteCamera.dll     win10v2004-20240611-en
behavioral20  Borat/bin/RemoteDesktop.dll    win10v2004-20240226-en
behavioral21  Borat/bin/ReverseProxy.dll     win10v2004-20240611-en
behavioral22  Borat/bin/SendFile.dll         win10v2004-20240611-en
behavioral23  Borat/bin/SendMemory.dll       win10v2004-20240508-en
behavioral24  Borat/raw/Client.exe           win10v2004-20240508-en
General

Target:  Borat/BoratRat.exe
Size:    20.0MB
MD5:     65b694d69d327efe28fcbce125401e96
SHA1:    049d4d71742b99a598c074458f1f2d5b0119e912
SHA256:  de60ecbbfef30c93fe8875ef69b358b20076d1f969fc3d21ab44d59dc9ef7cab
SHA512:  7ab57642e414e134e851d9aa2ed3ef8b483f3a5f77877cdc04e08d7f95c44884f8ccc6beaf8ba7f6949cfd7398c46be46c024d4fdeacd3a332d4565609baad5b
SSDEEP:  393216:V+G+oTCP+Zw6NLIsFfskh1BmXGnfBd+Uw:IGpTCP+Zlnk0rmkBYUw
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
    PID   Process
    1092  Ccleaner.exe
    2012  Ccleaner.exe

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
    Description        IoC                                                                     Process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    chrome.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   chrome.exe

Modifies registry class (64 IoCs)
    Process for every entry: BoratRat.exe. Paths are abbreviated as follows:
        <Classes> = \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes
        <Shell>   = <Classes>\Local Settings\Software\Microsoft\Windows\Shell
        <ComDlg1> = <Shell>\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
        <ComDlg2> = <Shell>\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}

    1.  Set value (data)  <Shell>\BagMRU\0\0\0\0\0 = 5600310000000000a858c65312004170704461746100400009000400efbea858c653dd5860922e0000007ae10100000001000000000000000000000000000000d329c9004100700070004400610074006100000016000000
    2.  Set value (data)  <Shell>\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff
    3.  Key created       <Shell>\Bags\1\Shell
    4.  Set value (int)   <ComDlg1>\GroupView = "0"
    5.  Set value (int)   <ComDlg2>\Mode = "4"
    6.  Set value (data)  <ComDlg2>\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
    7.  Set value (data)  <Shell>\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff
    8.  Key created       <Shell>\Bags
    9.  Set value (int)   <ComDlg1>\LogicalViewMode = "1"
    10. Set value (data)  <Shell>\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000009afc49b432a1da01615eb7b732a1da01f0dbb8b832a1da0114000000
    11. Set value (int)   <ComDlg2>\GroupByKey:PID = "0"
    12. Key created       <Classes>\Local Settings
    13. Set value (data)  <Shell>\BagMRU\NodeSlots
    14. Key created       <Shell>\BagMRU\0\0\0\0
    15. Set value (data)  <Shell>\BagMRU\NodeSlots = 02
    16. Set value (data)  <ComDlg1>\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
    17. Key created       <Shell>\BagMRU\0\1
    18. Set value (int)   <ComDlg2>\IconSize = "16"
    19. Key created       <Shell>\BagMRU\0
    20. Set value (data)  <Shell>\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff
    21. Key created       <Shell>\BagMRU\0\0
    22. Key created       <Classes>\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
    23. Key created       <Shell>\Bags\2
    24. Set value (data)  <Shell>\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
    25. Key created       <Shell>\BagMRU\0\0\0\0\0\0\0
    26. Set value (data)  <Shell>\BagMRU\0\0\0\0\0\0\0\0 = 5000310000000000dd5860921000426f726174003c0009000400efbedd586092dd5860922e000000113402000000070000000000000000000000000000007cad640042006f00720061007400000014000000
    27. Set value (int)   <Shell>\BagMRU\0\1\NodeSlot = "2"
    28. Set value (int)   <ComDlg2>\FFlags = "1"
    29. Set value (data)  <Shell>\BagMRU\0\0\0\0\0\0 = 5000310000000000dd586a9210004c6f63616c003c0009000400efbea858c653dd586a922e0000008de1010000000100000000000000000000000000000067c368004c006f00630061006c00000014000000
    30. Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
    31. Set value (int)   <ComDlg1>\IconSize = "16"
    32. Set value (data)  <Shell>\BagMRU\NodeSlots = 0202
    33. Key created       <Shell>\Bags\2\ComDlg
    34. Set value (int)   <ComDlg2>\GroupView = "0"
    35. Key created       <Shell>\BagMRU\0\0\0\0\0\0\0\0
    36. Set value (str)   <Shell>\Bags\1\Shell\SniffedFolderType = "Generic"
    37. Key created       <Shell>\Bags\1\ComDlg
    38. Set value (int)   <ComDlg1>\Mode = "4"
    39. Set value (str)   <ComDlg1>\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
    40. Key created       <ComDlg2>
    41. Key created       <Shell>\BagMRU\0\0\0\0\0
    42. Set value (int)   <Shell>\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"
    43. Set value (int)   <ComDlg2>\FFlags = "1092616257"
    44. Set value (data)  <Shell>\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff
    45. Set value (data)  <Shell>\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff
    46. Set value (data)  <Shell>\BagMRU\0\0\0\0\0\0\0 = 4e00310000000000dd586092100054656d7000003a0009000400efbea858c653dd5860922e0000008ee101000000010000000000000000000000000000004f4d8f00540065006d007000000014000000
    47. Set value (int)   <ComDlg1>\FFlags = "1092616257"
    48. Set value (data)  <ComDlg1>\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
    49. Set value (int)   <ComDlg1>\GroupByKey:PID = "0"
    50. Set value (data)  <Shell>\BagMRU\0\MRUListEx = 0100000000000000ffffffff
    51. Set value (str)   <ComDlg2>\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
    52. Key created       <Shell>
    53. Set value (int)   <ComDlg1>\FFlags = "1"
    54. Set value (data)  <Shell>\BagMRU\0\0\MRUListEx = 00000000ffffffff
    55. Key created       <Shell>\Bags\1
    56. Set value (data)  <Shell>\BagMRU\0\1\MRUListEx = ffffffff
    57. Set value (data)  <Shell>\BagMRU\0\0\0 = 7800310000000000a858c6531100557365727300640009000400efbe874f7748dd5860922e000000c70500000000010000000000000000003a0000000000b177d70055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000
    58. Key created       <Shell>\BagMRU\0\0\0\0\0\0
    59. Set value (str)   <Shell>\Bags\2\Shell\SniffedFolderType = "Generic"
    60. Set value (int)   <ComDlg2>\GroupByDirection = "1"
    61. Set value (data)  <Shell>\BagMRU\MRUListEx = 00000000ffffffff
    62. Set value (data)  <Shell>\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
    63. Set value (data)  <Shell>\BagMRU\0\MRUListEx = 00000000ffffffff
    64. Set value (data)  <Shell>\BagMRU\0\0\0\0 = 5000310000000000a8586e5f100041646d696e003c0009000400efbea858c653dd5860922e0000006fe10100000001000000000000000000000000000000cfb27c00410064006d0069006e00000014000000
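The BagMRU and Bags\N\ComDlg entries in this signature are Windows ShellBag view-state records, not a persistence mechanism: the ComDlg subkey and the {5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} "Generic" folder-type GUID are the view settings of a common file dialog hosted by BoratRat.exe, and the BagMRU chain is a sequence of shell items (an ITEMIDLIST) that records the folder the dialog was browsing. That makes them a forensic artefact worth decoding even though the signature itself is low value. The script below is an added example, not part of the sandbox report: it takes the hex values copied verbatim from the IoCs above, parses the volume, root/known-folder and file-entry shell items and the 0xBEEF0004 extension block according to their documented layout, and rebuilds the browsed path together with the FAT timestamps each item carries. The KNOWN_FOLDERS table is an assumption limited to the one GUID that occurs on this page.

```python
"""Decode the ShellBag BagMRU values listed in this report into folder names.

Added example, not part of the sandbox output. The hex blobs are copied verbatim
from the "Modifies registry class" IoCs; the parser follows the documented layout
of Windows shell items (volume, root/known-folder and file-entry items) and of the
0xBEEF0004 extension block. KNOWN_FOLDERS is an assumption limited to the single
GUID that occurs on this page (FOLDERID_Desktop).
"""
import struct
import uuid

KNOWN_FOLDERS = {
    uuid.UUID("b4bfcc3a-db2c-424c-b029-7fe99a87c641"): "Desktop",  # FOLDERID_Desktop (assumed table)
}

# BagMRU\0\0 down to BagMRU\0\0\0\0\0\0\0\0, outermost first; values copied from the report.
BAGMRU_CHAIN = [
    "19002f433a5c000000000000000000000000000000000000000000",
    "7800310000000000a858c6531100557365727300640009000400efbe874f7748dd5860922e000000c70500000000010000000000000000003a0000000000b177d70055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000",
    "5000310000000000a8586e5f100041646d696e003c0009000400efbea858c653dd5860922e0000006fe10100000001000000000000000000000000000000cfb27c00410064006d0069006e00000014000000",
    "5600310000000000a858c65312004170704461746100400009000400efbea858c653dd5860922e0000007ae10100000001000000000000000000000000000000d329c9004100700070004400610074006100000016000000",
    "5000310000000000dd586a9210004c6f63616c003c0009000400efbea858c653dd586a922e0000008de1010000000100000000000000000000000000000067c368004c006f00630061006c00000014000000",
    "4e00310000000000dd586092100054656d7000003a0009000400efbea858c653dd5860922e0000008ee101000000010000000000000000000000000000004f4d8f00540065006d007000000014000000",
    "5000310000000000dd5860921000426f726174003c0009000400efbedd586092dd5860922e000000113402000000070000000000000000000000000000007cad640042006f00720061007400000014000000",
]
# BagMRU\0\1 from the report: a root item carrying a known-folder GUID.
DESKTOP_ROOT = "3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000009afc49b432a1da01615eb7b732a1da01f0dbb8b832a1da0114000000"


def fat_datetime(raw: int) -> str:
    """Expand a packed FAT date/time: date in the low 16 bits, time in the high 16."""
    date, time = raw & 0xFFFF, raw >> 16
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def _utf16z(buf: bytes, pos: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le")


def decode_shell_item(hex_value: str) -> dict:
    """Decode one registry value (a single shell item plus a 2-byte terminator)."""
    data = bytes.fromhex(hex_value)
    size, kind = struct.unpack_from("<HB", data, 0)
    item = data[:size]
    if kind in (0x1F, 0x2E):                       # root / known-folder item: GUID at offset 4
        guid = uuid.UUID(bytes_le=item[4:20])
        return {"kind": "root", "name": KNOWN_FOLDERS.get(guid, "{%s}" % guid)}
    if kind & 0x70 == 0x20:                        # volume item: ASCII drive path at offset 3
        return {"kind": "volume", "name": item[3:item.index(0, 3)].decode("ascii")}
    if kind & 0x70 != 0x30:
        raise ValueError("unsupported shell item type 0x%02x" % kind)
    # File-entry item: file size(4), FAT modified(4), attributes(2), ASCII short name.
    _fsize, mtime, attrs = struct.unpack_from("<IIH", item, 4)
    name_end = item.index(0, 14)
    short = item[14:name_end].decode("ascii")
    ext = name_end + 1
    ext += ext & 1                                  # extension block starts on a 2-byte boundary
    ext_size, version, sig = struct.unpack_from("<HHI", item, ext)
    if sig != 0xBEEF0004 or ext + ext_size != size:
        raise ValueError("malformed 0xBEEF0004 extension block")
    ctime, atime = struct.unpack_from("<II", item, ext + 8)
    pos = ext + 18                                  # past the 2-byte Windows-version field
    if version >= 7:
        pos += 2 + 8 + 8                            # unknown, NTFS file reference, unknown
    has_localized = False
    if version >= 3:
        has_localized = struct.unpack_from("<H", item, pos)[0] != 0
        pos += 2
    if version >= 9:
        pos += 4
    if version >= 8:
        pos += 4
    long_name = _utf16z(item, pos)
    pos += 2 * (len(long_name) + 1)
    localized = _utf16z(item, pos) if has_localized else ""
    # The block's last two bytes point back at its own offset inside the item.
    if struct.unpack_from("<H", item, size - 2)[0] != ext:
        raise ValueError("extension block offset check failed")
    return {"kind": "directory" if kind & 0x0F == 0x01 else "file",
            "name": long_name or short, "short_name": short, "localized": localized,
            "attributes": attrs, "modified": fat_datetime(mtime),
            "created": fat_datetime(ctime), "accessed": fat_datetime(atime)}


def reconstruct_path(chain) -> str:
    """Join the names of a BagMRU chain (outermost item first) into a Windows path."""
    path = ""
    for hex_value in chain:
        name = decode_shell_item(hex_value)["name"]
        path = name if not path else path.rstrip("\\") + "\\" + name
    return path


if __name__ == "__main__":
    for value in BAGMRU_CHAIN:
        print(decode_shell_item(value))
    print(reconstruct_path(BAGMRU_CHAIN))
```

The rebuilt path is the directory the sample was launched from (compare the Processes section), and the FAT modification time of the innermost folder lands within a minute of the submission time in the Analysis section, which is how you confirm these entries were produced during this run rather than inherited from the VM image. The Users entry carries a localized display-name resource (@shell32.dll,-21813) alongside the real folder name; Explorer shows the resource, so match on the long name when comparing with other artefacts.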
Suspicious behavior: EnumeratesProcesses (29 IoCs)
    PID   Process       Events
    4656  BoratRat.exe  27
    4572  chrome.exe    2

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    PID   Process       Events
    4656  BoratRat.exe  1

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
    PID   Process       Events
    4572  chrome.exe    3

Suspicious use of AdjustPrivilegeToken (5 IoCs)
    Token                      PID   Process
    SeDebugPrivilege           4656  BoratRat.exe
    SeShutdownPrivilege        4572  chrome.exe
    SeCreatePagefilePrivilege  4572  chrome.exe
    SeShutdownPrivilege        4572  chrome.exe
    SeCreatePagefilePrivilege  4572  chrome.exe

Suspicious use of FindShellTrayWindow (29 IoCs)
    PID   Process       Events
    4656  BoratRat.exe  2
    4572  chrome.exe    27

Suspicious use of SendNotifyMessage (25 IoCs)
    PID   Process       Events
    4656  BoratRat.exe  1
    4572  chrome.exe    24

Suspicious use of SetWindowsHookEx (2 IoCs)
    PID   Process       Events
    4656  BoratRat.exe  2

Suspicious use of WriteProcessMemory (64 IoCs)
    Source            Target              Events
    4572 chrome.exe   2932 chrome.exe     2
    4572 chrome.exe    312 chrome.exe     repeated
    4572 chrome.exe   2656 chrome.exe     2
    4572 chrome.exe   2004 chrome.exe     repeated
    All 64 events are chrome.exe (PID 4572) writing into its own --type= child processes listed in the process tree; none of them involve BoratRat.exe. The only privilege adjustment attributable to the sample is SeDebugPrivilege on PID 4656.
Processes

C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe  (PID 4656)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe"
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\wbem\WmiApSrv.exe  (PID 4372)
    Command line: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Desktop\Ccleaner.exe  (PID 1092)
    Command line: "C:\Users\Admin\Desktop\Ccleaner.exe"
    - Executes dropped EXE

C:\Users\Admin\Desktop\Ccleaner.exe  (PID 2012)
    Command line: "C:\Users\Admin\Desktop\Ccleaner.exe"
    - Executes dropped EXE

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4572)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Child: C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2932)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe69adab58,0x7ffe69adab68,0x7ffe69adab78

    Child: C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 312)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:2

    Child: C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2656)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:8

    Child: C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2004)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:8

    Child: C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3052)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:1

    Child: C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3508)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:1

    Child: C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 940)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:1

    Child: C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1144)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4268 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:8

    Child: C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4412)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=2020,i,17661265542379745974,12255491780048584031,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe  (PID 1320)
    Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

1. C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4561d51c-2906-47d7-944f-8f216245f7dc.tmp
   Filesize: 6KB
   MD5:      8d0d465c2e7e94c0caaa0fc3171f8d7b
   SHA1:     e57bb2e71194b1ad6f1794a812df4e13d289ef72
   SHA256:   8d9f604a33d617d3f87e80e816b24327cf6a0a437781069e36aa13c927c47c32
   SHA512:   ab5ce923530e72052596115fd8d8de7c685d02653d19b6f1b8d0c87c95e4fc81db7351e107a4efaa95f7f16949b6feeff92ad6a2dbf71f7b4aa4a68391cccf12

2. (no path listed)
   Filesize: 264KB
   MD5:      f50f89a0a91564d0b8a211f8921aa7de
   SHA1:     112403a17dd69d5b9018b8cede023cb3b54eab7d
   SHA256:   b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
   SHA512:   bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

3. (no path listed)
   Filesize: 1KB
   MD5:      50c0005b07a0a2ef433dcb51d7256701
   SHA1:     21f8c9e562231416eb2b836a3a8bbf47326a3f45
   SHA256:   a93072eb1c4a2c18b9b15750043db98a3b8df0fe8861f1bea38a5d4de7a430ae
   SHA512:   3502093365ce47784b0946c5e623df184a94c5453b7b2e1756d4e53dc45556ad63d55b64d42516c0618e1ee53fba47f3c41b2bc6f8bdb00cf9118b7c991b48a8

4. (no path listed)
   Filesize: 2B
   MD5:      d751713988987e9331980363e24189ce
   SHA1:     97d170e1550eee4afc0af065b78cda302a97674c
   SHA256:   4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
   SHA512:   b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

5. (no path listed)
   Filesize: 356B
   MD5:      fada4ce43fe037c532cf0a28908a663b
   SHA1:     672013912b3c4fd38082a6541c0de65c3af924b3
   SHA256:   2bf1ba9731295f8ba12c46bf26c41ce2dd1990810e568a6e8f6399e4d7d17d70
   SHA512:   77771f905c59128f8b0ada257f738be0151ddd413912d307b6b58cf211d73c9917b3c15a562994ef2076d1ef4f607913b3d406f6d5d15c03e12b5dbedeb1f1c7

6. (no path listed)
   Filesize: 129KB
   MD5:      f2bcfc7377dafae543bfaaeb810722c5
   SHA1:     10228ac0573343fab6f990730cb05097455cc6b9
   SHA256:   6c914226304adb788e96d1b6725655bbe08014d99213c772413894243b1aaa08
   SHA512:   69de05421d1207c167e2248ee4ea5e0b19b01191e9370d6d230b76514eec3ae0ab7ff32c0e20aed2922f97afcc19855dcbd9221fa6e84b3a53cdbc5ff0637850

7. (no path listed)
   Filesize: 226B
   MD5:      28d7fcc2b910da5e67ebb99451a5f598
   SHA1:     a5bf77a53eda1208f4f37d09d82da0b9915a6747
   SHA256:   2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
   SHA512:   2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

8. (no path listed)
   Filesize: 56KB
   MD5:      47a549213035dfa857c813a4758a2359
   SHA1:     f1054ae0bd8ac88f5fd7bfd8d415a79a60ea16d9
   SHA256:   9f541fab9df17f2e088be6bc2f9c65d92538c22d1df270501e87f3a7fc819fa7
   SHA512:   833cba5113224cfba9caec905f9791a99289065ce0091d37ec8fec1f4b2256793cdeae2181f51ea1934a667dfaef650f984e5c2527ed76dad4d11616de32bf9e

9. (no path or size listed)
   MD5:      d41d8cd98f00b204e9800998ecf8427e
   SHA1:     da39a3ee5e6b4b0d3255bfef95601890afd80709
   SHA256:   e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
   SHA512:   cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
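Most rows in this table are Chrome profile housekeeping rather than files the sample dropped, and two of them can be explained without ever obtaining the file: the last row's digests are those of zero-length input, and the 2-byte row's digests are those of the string "[]" (an empty JSON array). The script below is an added example, not part of the sandbox report: it recomputes the same four digests the report shows, labels rows whose digests belong to a small constructed table of trivial contents, checks that all four digests of such a row agree with one another (a mismatch would mean a transcription error in the IoC), and maps named blobs pulled from a disk image back onto report rows by SHA-256. The three rows embedded in it are copied from the table above; the trivial-content table is constructed here.

```python
"""Triage a sandbox Downloads table by recomputing digests.

Added example for this report (not part of the sandbox output). REPORT_ROWS are
copied from the Downloads section; TRIVIAL_CONTENTS is a constructed table of
byte strings that Chrome profile housekeeping commonly leaves behind.
"""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")
EXPECTED_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def digest_record(data: bytes) -> dict:
    """Compute the same four digests the report lists for each artefact."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


# Constructed candidate contents, not taken from the sandbox.
TRIVIAL_CONTENTS = {
    "zero-length file": b"",
    "empty JSON array": b"[]",
    "empty JSON object": b"{}",
}
TRIVIAL_BY_SHA256 = {digest_record(v)["sha256"]: k for k, v in TRIVIAL_CONTENTS.items()}

# Rows 1, 4 and 9 of the report's Downloads table.
REPORT_ROWS = [
    {"filesize": "6KB",
     "md5": "8d0d465c2e7e94c0caaa0fc3171f8d7b",
     "sha1": "e57bb2e71194b1ad6f1794a812df4e13d289ef72",
     "sha256": "8d9f604a33d617d3f87e80e816b24327cf6a0a437781069e36aa13c927c47c32",
     "sha512": "ab5ce923530e72052596115fd8d8de7c685d02653d19b6f1b8d0c87c95e4fc81db7351e107a4efaa95f7f16949b6feeff92ad6a2dbf71f7b4aa4a68391cccf12"},
    {"filesize": "2B",
     "md5": "d751713988987e9331980363e24189ce",
     "sha1": "97d170e1550eee4afc0af065b78cda302a97674c",
     "sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945",
     "sha512": "b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af"},
    {"filesize": None,
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"},
]


def well_formed(row: dict) -> bool:
    """Every digest present, lower-case hex, of the length its algorithm produces."""
    return all(len(row.get(alg, "")) == n and all(c in "0123456789abcdef" for c in row[alg])
               for alg, n in EXPECTED_HEX_LEN.items())


def classify_row(row: dict) -> dict:
    """Label a row whose digests match known trivial content; 'consistent' is True only
    when all four digests agree with that content, None when there is nothing to check."""
    if not well_formed(row):
        return {"label": "malformed", "consistent": False}
    label = TRIVIAL_BY_SHA256.get(row["sha256"])
    if label is None:
        return {"label": "unidentified", "consistent": None}
    expected = digest_record(TRIVIAL_CONTENTS[label])
    return {"label": label, "consistent": all(row[a] == expected[a] for a in ALGORITHMS)}


def match_blobs(blobs: dict, rows) -> dict:
    """Map named blobs (e.g. files carved from a disk image) onto row indexes by SHA-256."""
    by_sha = {r["sha256"]: i for i, r in enumerate(rows)}
    return {name: by_sha.get(hashlib.sha256(b).hexdigest()) for name, b in blobs.items()}


if __name__ == "__main__":
    for row in REPORT_ROWS:
        print(row["filesize"], classify_row(row))
    print(match_blobs({"prefs": b"[]", "unrelated": b"not in the report"}, REPORT_ROWS))
```

Rows that stay "unidentified" are the ones that need the actual file (the 6KB .tmp under the Chrome profile, the 264KB and 129KB entries); rows explained by trivial content can be dropped from an IoC feed outright, since a hash of an empty file or of "[]" will match on every host that has ever run Chrome.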