883f9c335c6af1d39a40c9d1c06798b692fc23bfe8d967fb504487ec3d4792bc

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 19:36

Target

888 RAT Private - CyberIncognito.rar
Size

10.7MB
MD5

77d5300f87f99ca7b343e6b6189b6646
SHA1

4d30d399949fbae1c03d776af9dc1beea3d4f885
SHA256

883f9c335c6af1d39a40c9d1c06798b692fc23bfe8d967fb504487ec3d4792bc
SHA512

a45d3d6a635f4ba1dae7169319e63ad0cafe5682a05d307f19d136d361be733b4fe7979127e296d68502fbc3eefd74c1c8b8d0115cb0c6ad859a384d12722e6b
SSDEEP

196608:DnRQLDrjpk9NJMQX63kYZkUln5yAmhLGg4ZmZskrzFPA8gWc7VBR+WExB:VQLDrjpUytGnAaLGlWNNA26HR+fxB

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2800	2948	cmd.exe	31
PID 2948 wrote to memory of 2800	2948	cmd.exe	31
PID 2948 wrote to memory of 2800	2948	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\888 RAT Private - CyberIncognito.rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\888 RAT Private - CyberIncognito.rar
  2⤵
  - Modifies registry class
  PID:2800

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact