Overview

Score  Sample                    Platform
10     Static                    -
10     Borat.rar                 windows11-21h2-x64
10     Borat/BoratRat.exe        windows11-21h2-x64
10     Borat/bin/Audio.dll       windows11-21h2-x64
1      Borat/bin/Discord.dll     windows11-21h2-x64
1      Borat/bin/Extra.dll       windows11-21h2-x64
1      Borat/bin/...er.dll       windows11-21h2-x64
1      Borat/bin/...er.dll       windows11-21h2-x64
1      Borat/bin/Fun.dll         windows11-21h2-x64
1      Borat/bin/...on.dll       windows11-21h2-x64
1      Borat/bin/...er.exe       windows11-21h2-x64
1      Borat/bin/Logger.dll      windows11-21h2-x64
1      Borat/bin/...ib.dll       windows11-21h2-x64
1      Borat/bin/...us.dll       windows11-21h2-x64
1      Borat/bin/Netstat.dll     windows11-21h2-x64
1      Borat/bin/Options.dll     windows11-21h2-x64
1      Borat/bin/...er.dll       windows11-21h2-x64
1      Borat/bin/...re.dll       windows11-21h2-x64
1      Borat/bin/...ry.dll       windows11-21h2-x64
1      Borat/bin/Regedit.dll     windows11-21h2-x64
1      Borat/bin/...ra.dll       windows11-21h2-x64
1      Borat/bin/...op.dll       windows11-21h2-x64
1      Borat/bin/...xy.dll       windows11-21h2-x64
1      Borat/bin/...le.dll       windows11-21h2-x64
1      Borat/bin/...ry.dll       windows11-21h2-x64
1      Borat/bin/...ion.db       windows11-21h2-x64
3      Borat/raw/Client.exe      windows11-21h2-x64

Sample names shortened with "..." are truncated in the report as captured; the full file names are listed under Behavioral tasks.
Analysis

score             1
max time kernel   1765s
max time network  1775s
platform          windows11-21h2_x64
resource          win11-20240508-en
resource tags     arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted         29-06-2024 18:40
Behavioral tasks

Task          Sample                          Resource
behavioral1   Borat.rar                       win11-20240611-en
behavioral2   Borat/BoratRat.exe              win11-20240611-en
behavioral3   Borat/bin/Audio.dll             win11-20240611-en
behavioral4   Borat/bin/Discord.dll           win11-20240611-en
behavioral5   Borat/bin/Extra.dll             win11-20240508-en
behavioral6   Borat/bin/FileManager.dll       win11-20240419-en
behavioral7   Borat/bin/FileSearcher.dll      win11-20240508-en
behavioral8   Borat/bin/Fun.dll               win11-20240508-en
behavioral9   Borat/bin/Information.dll       win11-20240611-en
behavioral10  Borat/bin/Keylogger.exe         win11-20240611-en
behavioral11  Borat/bin/Logger.dll            win11-20240611-en
behavioral12  Borat/bin/MessagePackLib.dll    win11-20240508-en
behavioral13  Borat/bin/Miscellaneous.dll     win11-20240508-en
behavioral14  Borat/bin/Netstat.dll           win11-20240611-en
behavioral15  Borat/bin/Options.dll           win11-20240508-en
behavioral16  Borat/bin/ProcessManager.dll    win11-20240611-en
behavioral17  Borat/bin/Ransomware.dll        win11-20240508-en
behavioral18  Borat/bin/Recovery.dll          win11-20240611-en
behavioral19  Borat/bin/Regedit.dll           win11-20240611-en
behavioral20  Borat/bin/RemoteCamera.dll      win11-20240508-en
behavioral21  Borat/bin/RemoteDesktop.dll     win11-20240508-en
behavioral22  Borat/bin/ReverseProxy.dll      win11-20240611-en
behavioral23  Borat/bin/SendFile.dll          win11-20240611-en
behavioral24  Borat/bin/SendMemory.dll        win11-20240508-en
behavioral25  Borat/bin/ip2region.db          win11-20240508-en
behavioral26  Borat/raw/Client.exe            win11-20240508-en
General

Target   Borat/bin/Ransomware.dll
Size     97KB
MD5      ef998529d037fcdb2bde6d046f99db45
SHA1     1a38a1182155429ecc64c20ece46ec0836c32ec7
SHA256   54f554b9e330476b3903756f62b577bab35cdef941d3d0f6a3d607862762bf91
SHA512   4e4376c182dcdf993c6e8f55388829b9e7057e8d80be268a8469721e8ac7fc29eab65681f0f7f2c0dbad1c5bc30fdcc123774ae543770090bf01a62a0d161ece
SSDEEP   1536:hQaxD6uxxNV41T56kDgJp+isYOmvZfi3OqL4FrQ1vbVa:Kax2uxxNV41T5lkjvv83OqLKU1Za
Malware Config
Signatures

Note on attribution: every hit below is recorded against OpenWith.exe (PIDs 2044 and 2400) or Winword.exe (PID 2624). No behavior at all is recorded for rundll32.exe (PID 3692), the process that was asked to load Ransomware.dll and call export #1; the process tree instead shows the DLL being handed to Word (Winword.exe /n "...Ransomware.dll") and to Notepad as a document. Reading the CentralProcessor and BIOS keys, AddClipboardFormatListener and SetWindowsHookEx are ordinary behavior for Word and the Open With dialog, so these hits describe the sandbox's interaction with the file rather than code from the DLL, and the score of this task should be read accordingly.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      Winword.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 Winword.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Winword.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                 Winword.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily    Winword.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU       Winword.exe

Modifies registry class (2 IoCs)
  description  ioc                                                                               process
  Key created  \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings  OpenWith.exe
  Key created  \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings  OpenWith.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   process
  2624  Winword.exe   (2 hits)

Suspicious use of SetWindowsHookEx (31 IoCs)
  pid   process
  2044  OpenWith.exe  (13 hits)
  2400  OpenWith.exe  (9 hits)
  2624  Winword.exe   (9 hits)

Suspicious use of WriteProcessMemory (2 IoCs)
  description         pid   process       target pid  target process
  wrote to memory of  2400  OpenWith.exe  2624        Winword.exe     (2 hits)
Processes

Depth 1: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Ransomware.dll,#1
  PID: 3692
  (no signatures recorded)

Depth 1: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2008
  (no signatures recorded)

Depth 1: C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 2044
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

Depth 1: C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 2400
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2 (child of PID 2400): C:\Program Files\Microsoft Office\root\Office16\Winword.exe
    Command line: "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\Borat\bin\Ransomware.dll"
    PID: 2624
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Depth 1: C:\Windows\System32\notepad.exe
  Command line: "C:\Windows\System32\notepad.exe" Ransomware.dll
  PID: 2040
  (no signatures recorded)
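The question this tree raises is whether any flagged behavior came from the sample's own code path or only from the viewers the sandbox opened it in. The script below is an added example, not part of the Triage report or of the Borat RAT project: it transcribes the process tree and the per-process hit counts from this page, then walks each hit's lineage and classifies it as coming from a rundll32 entry-point load of the DLL ("code"), from a program given the DLL as a document ("document"), or from a process that never references the sample ("none"). The record layout, the category names and every function name are this example's own assumptions.

```python
"""Attribute sandbox signature hits to the process that produced them and
decide whether any hit came from the sample's own code path.

Added example, not part of the Triage report or of the Borat RAT project.
PROCESSES and HITS are transcribed from the report for the
Borat/bin/Ransomware.dll task; the record layout, category names and
functions below are this example's own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Borat\bin\Ransomware.dll"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None  # None marks a tree root


# Process tree from the report's "Processes" section; Winword.exe is the
# depth-2 child of OpenWith.exe PID 2400.
PROCESSES = [
    Proc(3692, "rundll32.exe", rf"rundll32.exe {SAMPLE},#1"),
    Proc(2008, "rundll32.exe",
         r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
         r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    Proc(2044, "OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
    Proc(2400, "OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
    Proc(2624, "Winword.exe",
         rf'"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "{SAMPLE}"',
         parent=2400),
    Proc(2040, "notepad.exe", r'"C:\Windows\System32\notepad.exe" Ransomware.dll'),
]

# (signature, pid, hit count) as listed under "Signatures".
HITS = [
    ("Checks processor information in registry", 2624, 3),
    ("Enumerates system info in registry", 2624, 3),
    ("Modifies registry class", 2044, 1),
    ("Modifies registry class", 2400, 1),
    ("Suspicious behavior: AddClipboardFormatListener", 2624, 2),
    ("Suspicious use of SetWindowsHookEx", 2044, 13),
    ("Suspicious use of SetWindowsHookEx", 2400, 9),
    ("Suspicious use of SetWindowsHookEx", 2624, 9),
    ("Suspicious use of WriteProcessMemory", 2400, 2),
]

# rundll32 <dll>,<export or #ordinal>: the DLL is loaded and its export is called.
_RUNDLL_ENTRY = re.compile(r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^\",]+)\"?,(?P<export>\S+)", re.I)


def how_sample_is_used(proc: Proc, sample: str = SAMPLE) -> str:
    """'code' if the process invokes the sample as a rundll32 entry point,
    'document' if the sample path or file name is a plain argument,
    'none' if the command line does not mention the sample at all."""
    name = sample.rsplit("\\", 1)[-1].lower()
    m = _RUNDLL_ENTRY.search(proc.cmdline)
    if m and m.group("dll").strip().lower().endswith(name):
        return "code"
    if name in proc.cmdline.lower():
        return "document"
    return "none"


def lineage(pid: int, procs=PROCESSES) -> list:
    """PIDs from the tree root down to `pid`."""
    by_pid = {p.pid: p for p in procs}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(cur.pid)
        cur = by_pid.get(cur.parent) if cur.parent is not None else None
    return list(reversed(chain))


def attribute(hits=HITS, procs=PROCESSES, sample=SAMPLE) -> dict:
    """Map each hit to the strongest sample relationship anywhere in its
    lineage ('code' > 'document' > 'none')."""
    by_pid = {p.pid: p for p in procs}
    rank = {"code": 2, "document": 1, "none": 0}
    out = {}
    for sig, pid, count in hits:
        chain = lineage(pid, procs)
        uses = [how_sample_is_used(by_pid[p], sample) for p in chain]
        best = max(uses, key=rank.__getitem__) if uses else "none"
        out[(sig, pid)] = {"count": count, "lineage": chain, "relation": best}
    return out


def summarize(attr: dict, procs=PROCESSES, hits=HITS) -> dict:
    """Hit totals per relation, plus loader processes that left no trace."""
    per_relation = Counter()
    for rec in attr.values():
        per_relation[rec["relation"]] += rec["count"]
    pids_with_hits = {pid for _, pid, _ in hits}
    silent = [p.pid for p in procs
              if how_sample_is_used(p) == "code" and p.pid not in pids_with_hits]
    return {"hits_by_relation": dict(per_relation),
            "sample_code_observed": per_relation["code"] > 0,
            "silent_loaders": silent}


if __name__ == "__main__":
    attr = attribute()
    for (sig, pid), rec in attr.items():
        print(f"{rec['relation']:8} pid={pid:<5} x{rec['count']:<3} {sig}  lineage={rec['lineage']}")
    print(summarize(attr))
```

Run against this page's data, every hit resolves to "document" (Winword.exe, whose lineage is OpenWith.exe 2400 then 2624) or "none" (the two OpenWith.exe instances), `sample_code_observed` is false, and the only "code" loader, rundll32.exe PID 3692, is reported as silent. The same classification works on any Triage process tree once the records are filled in, and the lineage walk is what keeps a child of a real loader (say, a process spawned from the DLL's export) attributed to the sample.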