a0870503b673085716382adb59f7cfcd71bfc1b67c5561142150bdee6751167f

Analysis

max time kernel
1800s
max time network
1157s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

888 rat 1.2.1.exe
Size

79.2MB
MD5

e9aa901042053b06723f6e14f95fe3c6
SHA1

f7653cb6fc7c6dd17900abdc7a4307570aca50d6
SHA256

f4023630eddd4ee944149279d641604764e442592d98b9720874c69e02d84fb5
SHA512

272410435e51a59856cd9dcf7bfba852a9d7055a71fff00491ad45eab9025799a97bebfcdcaab787b17c35263edb9e0b36df63cbcf190969092c2f355406a313
SSDEEP

1572864:9+geRT13w3TbMlFaT9re/8v1qrqxXlUcFY3rT4FDfhPMETIuCNBrO:9+r13wmgJr0YlUcFYglfhPYS

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\autD8E1.tmp	acprotect

Loads dropped DLL 4 IoCs

Processes:

888 rat 1.2.1.exe

pid process

4324 888 rat 1.2.1.exe
4324 888 rat 1.2.1.exe
4324 888 rat 1.2.1.exe
4324 888 rat 1.2.1.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\autD8E1.tmp	upx
behavioral15/memory/4324-46-0x000000001A0B0000-0x000000001A16B000-memory.dmp	upx
behavioral15/memory/4324-44-0x000000001A0B0000-0x000000001A16B000-memory.dmp	upx
behavioral15/memory/4324-135-0x000000001A0B0000-0x000000001A16B000-memory.dmp	upx

AutoIT Executable 11 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral15/memory/4324-53-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/4324-64-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/4324-115-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/4324-103-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/4324-95-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/4324-89-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/4324-78-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/4324-70-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/4324-61-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/4324-55-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/4324-58-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

888 rat 1.2.1.exe

pid process

4324 888 rat 1.2.1.exe
4324 888 rat 1.2.1.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

888 rat 1.2.1.exe

pid process

4324 888 rat 1.2.1.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

888 rat 1.2.1.exe

pid	process
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

888 rat 1.2.1.exe

pid	process
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe
4324	888 rat 1.2.1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

888 rat 1.2.1.exe

pid process

4324 888 rat 1.2.1.exe

C:\Users\Admin\AppData\Local\Temp\888 rat 1.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\888 rat 1.2.1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autD8E1.tmp

Filesize
239KB

MD5
29e1d5770184bf45139084bced50d306

SHA1
76c953cd86b013c3113f8495b656bd721be55e76

SHA256
794987c4069286f797631f936c73b925c663c42d552aeca821106dfc7c7ba307

SHA512
7cb3d0788978b6dc5a78f65349366dac3e91b1557efa4f385984bef4940b3ea859f75cfe42c71f6fe445555138f44305531de6a89c5beff4bf9d42001b4348e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin.888ww.msstyles

Filesize
3.3MB

MD5
ea5d5266b8a7bcc8788c83ebb7c8c7d5

SHA1
3e9ac1ab7d5d54db9b3d141e82916513e572b415

SHA256
91ac4d215b8d90aef9a000900c9088d4c33d58c5f35a720a385a3f2d2299e5d1

SHA512
404b35fca478a1f489ec1af7be1df897190d7deb0cd8139c2c89d68c24fa377d904cf0c5e30c09ab448d74d87a47aaa3a872bf66a9bc9c124f52798320d34e60

Download Submit
memory/4324-46-0x000000001A0B0000-0x000000001A16B000-memory.dmp

Filesize
748KB

Download
memory/4324-44-0x000000001A0B0000-0x000000001A16B000-memory.dmp

Filesize
748KB

Download
memory/4324-53-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4324-59-0x00000000754A0000-0x000000007551A000-memory.dmp

Filesize
488KB

Download
memory/4324-65-0x0000000075060000-0x0000000075085000-memory.dmp

Filesize
148KB

Download
memory/4324-64-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4324-63-0x0000000075060000-0x0000000075085000-memory.dmp

Filesize
148KB

Download
memory/4324-62-0x00000000754A0000-0x000000007551A000-memory.dmp

Filesize
488KB

Download
memory/4324-67-0x0000000076740000-0x00000000767EF000-memory.dmp

Filesize
700KB

Download
memory/4324-92-0x0000000075FD0000-0x0000000076583000-memory.dmp

Filesize
5.7MB

Download
memory/4324-98-0x0000000076740000-0x00000000767EF000-memory.dmp

Filesize
700KB

Download
memory/4324-113-0x0000000075FD0000-0x0000000076583000-memory.dmp

Filesize
5.7MB

Download
memory/4324-116-0x0000000074D50000-0x0000000074F60000-memory.dmp

Filesize
2.1MB

Download
memory/4324-115-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4324-114-0x0000000074830000-0x00000000748A4000-memory.dmp

Filesize
464KB

Download
memory/4324-112-0x0000000074D50000-0x0000000074F60000-memory.dmp

Filesize
2.1MB

Download
memory/4324-110-0x0000000074D50000-0x0000000074F60000-memory.dmp

Filesize
2.1MB

Download
memory/4324-109-0x0000000075FD0000-0x0000000076583000-memory.dmp

Filesize
5.7MB

Download
memory/4324-108-0x0000000074D50000-0x0000000074F60000-memory.dmp

Filesize
2.1MB

Download
memory/4324-107-0x0000000075FD0000-0x0000000076583000-memory.dmp

Filesize
5.7MB

Download
memory/4324-106-0x0000000074D50000-0x0000000074F60000-memory.dmp

Filesize
2.1MB

Download
memory/4324-111-0x0000000075FD0000-0x0000000076583000-memory.dmp

Filesize
5.7MB

Download
memory/4324-105-0x0000000075FD0000-0x0000000076583000-memory.dmp

Filesize
5.7MB

Download
memory/4324-104-0x0000000074D50000-0x0000000074F60000-memory.dmp

Filesize
2.1MB

Download
memory/4324-103-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4324-102-0x0000000077060000-0x0000000077133000-memory.dmp

Filesize
844KB

Download
memory/4324-101-0x0000000074830000-0x00000000748A4000-memory.dmp

Filesize
464KB

Download
memory/4324-100-0x0000000075ED0000-0x0000000075FB3000-memory.dmp

Filesize
908KB

Download
memory/4324-97-0x0000000074D50000-0x0000000074F60000-memory.dmp

Filesize
2.1MB

Download
memory/4324-96-0x00000000756C0000-0x000000007579C000-memory.dmp

Filesize
880KB

Download
memory/4324-95-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4324-94-0x0000000077060000-0x0000000077133000-memory.dmp

Filesize
844KB

Download
memory/4324-93-0x0000000074830000-0x00000000748A4000-memory.dmp

Filesize
464KB

Download
memory/4324-91-0x0000000076740000-0x00000000767EF000-memory.dmp

Filesize
700KB

Download
memory/4324-90-0x0000000074D50000-0x0000000074F60000-memory.dmp

Filesize
2.1MB

Download
memory/4324-89-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4324-88-0x0000000077060000-0x0000000077133000-memory.dmp

Filesize
844KB

Download
memory/4324-87-0x0000000074830000-0x00000000748A4000-memory.dmp

Filesize
464KB

Download
memory/4324-86-0x0000000075060000-0x0000000075085000-memory.dmp

Filesize
148KB

Download
memory/4324-84-0x0000000076740000-0x00000000767EF000-memory.dmp

Filesize
700KB

Download
memory/4324-83-0x0000000074D50000-0x0000000074F60000-memory.dmp

Filesize
2.1MB

Download
memory/4324-82-0x0000000074830000-0x00000000748A4000-memory.dmp

Filesize
464KB

Download
memory/4324-81-0x0000000075FD0000-0x0000000076583000-memory.dmp

Filesize
5.7MB

Download
memory/4324-79-0x0000000074D50000-0x0000000074F60000-memory.dmp

Filesize
2.1MB

Download
memory/4324-78-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4324-77-0x0000000077060000-0x0000000077133000-memory.dmp

Filesize
844KB

Download
memory/4324-76-0x0000000074830000-0x00000000748A4000-memory.dmp

Filesize
464KB

Download
memory/4324-75-0x0000000075ED0000-0x0000000075FB3000-memory.dmp

Filesize
908KB

Download
memory/4324-74-0x0000000075FD0000-0x0000000076583000-memory.dmp

Filesize
5.7MB

Download
memory/4324-73-0x0000000076740000-0x00000000767EF000-memory.dmp

Filesize
700KB

Download
memory/4324-68-0x0000000075FD0000-0x0000000076583000-memory.dmp

Filesize
5.7MB

Download
memory/4324-71-0x00000000756C0000-0x000000007579C000-memory.dmp

Filesize
880KB

Download
memory/4324-70-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4324-69-0x0000000075ED0000-0x0000000075FB3000-memory.dmp

Filesize
908KB

Download
memory/4324-99-0x0000000075FD0000-0x0000000076583000-memory.dmp

Filesize
5.7MB

Download
memory/4324-85-0x0000000075FD0000-0x0000000076583000-memory.dmp

Filesize
5.7MB

Download
memory/4324-80-0x0000000076740000-0x00000000767EF000-memory.dmp

Filesize
700KB

Download
memory/4324-72-0x0000000074D50000-0x0000000074F60000-memory.dmp

Filesize
2.1MB

Download
memory/4324-66-0x0000000074D50000-0x0000000074F60000-memory.dmp

Filesize
2.1MB

Download
memory/4324-61-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4324-60-0x0000000075060000-0x0000000075085000-memory.dmp

Filesize
148KB

Download
memory/4324-57-0x00000000754A0000-0x000000007551A000-memory.dmp

Filesize
488KB

Download
memory/4324-56-0x00000000754A0000-0x000000007551A000-memory.dmp

Filesize
488KB

Download
memory/4324-55-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4324-54-0x00000000754A0000-0x000000007551A000-memory.dmp

Filesize
488KB

Download
memory/4324-58-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4324-135-0x000000001A0B0000-0x000000001A16B000-memory.dmp

Filesize
748KB

Download