Resubmissions
25-08-2024 14:19
240825-rm6yfszfrr 7Analysis
-
max time kernel
71s -
max time network
73s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
25-08-2024 14:19
General
-
Target
BORATrat2024.exe
-
Size
9.9MB
-
MD5
6681923b59c01f862b7fb20182a3901b
-
SHA1
4242f33bd96d9a6ade283aeb6af6b49c80cfccc3
-
SHA256
87f65b253fd3379d9dde4524e0ebf4baceb282ec8f025d1765a69ae5c5695b7a
-
SHA512
8df3d0dd600e3e228ac60dfb7af1c7d161ae0268a2d1793a55f666a965cd39eaa6f355d60c50968771a45c1b4e2ce6960ffaee13b427d0986f77bd264807bd65
-
SSDEEP
196608:tAvmQOfJf/priQPhVBICX82UmZ1U/f5vboG++EVDjjglfkp8d7REM4NI:SO5JXhiQPn5Xj1OfVbboifkp8xU+
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 33 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 9 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 37 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\BORATrat2024.exe"C:\Users\Admin\AppData\Local\Temp\BORATrat2024.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5946.tmp\5947.tmp\5948.bat C:\Users\Admin\AppData\Local\Temp\BORATrat2024.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5946.tmp\Bor@[email protected]
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3668,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:81⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\5946.tmp\Borat.rar2⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:17410 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\5946.tmp\Borat.rar3⤵
- Modifies Internet Explorer settings
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:82948 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Borat.rar3⤵
- Modifies Internet Explorer settings
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:17422 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Borat\" -spe -an -ai#7zMap1580:72:7zEvent45471⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\Borat\BoratRat.exe"C:\Users\Admin\Downloads\Borat\BoratRat.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
72B
MD58bfb34978fbae359cc7efbc8521eda2e
SHA1e2d11f7061801e3a80a818277a60c2daad31680f
SHA256fb8bc8c28c26af4df91f683e9a3a62e766e47940fd9eec6298ed9f621fbb7b65
SHA5124fb11adc90cd7cd21453e62b26ac9468c5ccf0560e0804fb369c6e7c4834542902445e4b821ad2b1d96e0bbf0a72d5e4bcf3c384c5408b8de83a550a66e63ad4
-
Filesize
132KB
MD51004fd7892bd0410876232cc1d530d1a
SHA1a2a14d41cdce5f4c447b6396f0fbd0fcec1859d3
SHA256c5b49ca223899cf3e9b0360eb321afdc14b2806258d945893ed10f9a3843f32c
SHA512bfaea4fe653b4becfb87131d1895c957f2d15da91c0291b5036a2b594528a1dfeac1ac4e6e31d4314b7ea262d63eaaf41265002a559ef08bd5469237f3fdce4e
-
Filesize
9.6MB
MD5e3b10d235c365ac49d6855df0432bb76
SHA14ce182c19796cf8d4c017fdd8fd4b390de1eac7e
SHA25653cdc49c7fb83b419c07edb45c544b106aaa37db00e8a37211678af6350a82f1
SHA512bb91a4bf979516c2a19733772b4c34b09b45efbcec491f2fb62adde9222e6306ce32a17de3e6f9b3d7338a93f3d72e4747a23157675663f00e9f153bc4ec4704
-
Filesize
20.0MB
MD565b694d69d327efe28fcbce125401e96
SHA1049d4d71742b99a598c074458f1f2d5b0119e912
SHA256de60ecbbfef30c93fe8875ef69b358b20076d1f969fc3d21ab44d59dc9ef7cab
SHA5127ab57642e414e134e851d9aa2ed3ef8b483f3a5f77877cdc04e08d7f95c44884f8ccc6beaf8ba7f6949cfd7398c46be46c024d4fdeacd3a332d4565609baad5b
-
Filesize
5KB
MD53e645ccca1c44a00210924a3b0780955
SHA15d8e8115489ac505c1d10fdd64e494e512dba793
SHA256f29e697efd7c5ecb928c0310ea832325bf6518786c8e1585e1b85cdc8701602f
SHA512ea7e3a6e476345870f05124a56dde266e1ad04b557b2dde83c5674cfdf3be00f26d3db6a14a8d88ecf75e2c9e3a12e6955f6c85654ba967c17664e9acc3d4f1f
-
Filesize
1KB
MD5478ee44a47895e687296b9ab34df04c4
SHA14b81e94f3d3a99cc01d5c57bd5bec8317f0aca4f
SHA2564b0612b2cd5e7ecc456d5c29c89917b8ec881c5f4fd94afe157098ca96308781
SHA51228c0635f1e5062fcdef783aceaa8aa53531f18ce66d4aed62a99ec5b31a364e0d0d36fa237d978d75f51a859a7140d31e62aed340eae4aa769e02d1640e30c7b
-
Filesize
20.0MB
-
Filesize
152KB
-
Filesize
8KB