f7ed3b2a9ceffa0001302bafd62a728b3462e251371be232df66a6881bae872a

Analysis

max time kernel
130s
max time network
153s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RenameThisThisIsTheRAT.exe
Size

77.5MB
MD5

f327e91dd3f1507f075d435231c84f5e
SHA1

4b4726e2819170b08915de3beabf6704a7a04d96
SHA256

f7ed3b2a9ceffa0001302bafd62a728b3462e251371be232df66a6881bae872a
SHA512

4f177cc19a2055277324a85446125343ff0f20790b5448001dc762c20c09629006c0a41e6c3b3407d12b55db7feba547aab3c1e6fe07c9968e91ee02d3ae99b7
SSDEEP

1572864:H1lVW950hSk8IpG7V+VPhqFxE7LlhpBB8iYweyJulZUdgP7Xip5+vMTzqvCZH1O3:H1bWySkB05awFeLpnNpur71vMXRrO3

Score

7^/10

discovery upx

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
1696	RenameThisThisIsTheRAT.exe
1696	RenameThisThisIsTheRAT.exe
1696	RenameThisThisIsTheRAT.exe
1696	RenameThisThisIsTheRAT.exe
1696	RenameThisThisIsTheRAT.exe
1696	RenameThisThisIsTheRAT.exe
1696	RenameThisThisIsTheRAT.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000020b60-1320.dat	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	chrome.exe
2316	chrome.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2316	chrome.exe
Token: SeShutdownPrivilege	2316	chrome.exe
Token: SeShutdownPrivilege	2316	chrome.exe
Token: SeShutdownPrivilege	2316	chrome.exe
Token: SeShutdownPrivilege	2316	chrome.exe
Token: SeShutdownPrivilege	2316	chrome.exe
Token: SeShutdownPrivilege	2316	chrome.exe
Token: SeShutdownPrivilege	2316	chrome.exe
Token: SeShutdownPrivilege	2316	chrome.exe
Token: SeShutdownPrivilege	2316	chrome.exe
Token: SeShutdownPrivilege	2316	chrome.exe
Token: SeShutdownPrivilege	2316	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1696	1260	RenameThisThisIsTheRAT.exe	31
PID 1260 wrote to memory of 1696	1260	RenameThisThisIsTheRAT.exe	31
PID 1260 wrote to memory of 1696	1260	RenameThisThisIsTheRAT.exe	31
PID 2316 wrote to memory of 1876	2316	chrome.exe	35
PID 2316 wrote to memory of 1876	2316	chrome.exe	35
PID 2316 wrote to memory of 1876	2316	chrome.exe	35
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 1004	2316	chrome.exe	37
PID 2316 wrote to memory of 2260	2316	chrome.exe	38
PID 2316 wrote to memory of 2260	2316	chrome.exe	38
PID 2316 wrote to memory of 2260	2316	chrome.exe	38
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39
PID 2316 wrote to memory of 2544	2316	chrome.exe	39

C:\Users\Admin\AppData\Local\Temp\RenameThisThisIsTheRAT.exe
"C:\Users\Admin\AppData\Local\Temp\RenameThisThisIsTheRAT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\RenameThisThisIsTheRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\RenameThisThisIsTheRAT.exe"
  2⤵
  - Loads dropped DLL
  PID:1696

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d89758,0x7fef6d89768,0x7fef6d89778
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1368,i,6845365900113495224,291645988776194121,131072 /prefetch:2
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1368,i,6845365900113495224,291645988776194121,131072 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1368,i,6845365900113495224,291645988776194121,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1368,i,6845365900113495224,291645988776194121,131072 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1368,i,6845365900113495224,291645988776194121,131072 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1368,i,6845365900113495224,291645988776194121,131072 /prefetch:2
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1440 --field-trial-handle=1368,i,6845365900113495224,291645988776194121,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3456 --field-trial-handle=1368,i,6845365900113495224,291645988776194121,131072 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3956 --field-trial-handle=1368,i,6845365900113495224,291645988776194121,131072 /prefetch:8
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3920 --field-trial-handle=1368,i,6845365900113495224,291645988776194121,131072 /prefetch:8
  2⤵
  PID:1856

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
179KB

MD5
dac05235109b6abf39dbcbc48cd5fc98

SHA1
5a6b9562f79b88e99e4a9c77d89417f34ef645bb

SHA256
e703c4f1b56e7c6b26e16177b1310f7e4142c0f94f733ee8a427f1b08933f3fb

SHA512
69bac19ade97972e7d2d6ff9f57b1507db64fcac5c2fa949c4b9bcb41b885d5cd9998744a246bf3ead27c02d19a0d95b2393b33fd26dd9b808b055004fa95554

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12602\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
6db0f54fcd05a16297d8c0e9dc41e857

SHA1
eeff0f5aec46fa161a5303840886e53a04cd9f50

SHA256
08c4431d2e029d91db307a53943d381e4823bb53e4014c388c3d88ded9d2e233

SHA512
ff5ce9aea8da0ae286ae1a93f5023cedacd90f7a66d1d8ed89adc8dd4ca376b67eb3498f9a5608e048a76be01aedc1b77f3206f200665db6728e1bb61f9672f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12602\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
1399d7007bdb835f28cf2c155145a227

SHA1
847c72cb49da382fe0061c623ce64a333a38b88f

SHA256
f889a4e805b2b052755f188d8942a79f3eb1867ebe077064ff8707d873c33347

SHA512
25b17a4239267321865e79003f4e5ad5003f13384cdd0fabe2b70dc8b270d46e8162d0d727d27a213346026aa9442f07fbe05c414c137385c6b843792198e63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12602\api-ms-win-core-localization-l1-2-0.dll

Filesize
19KB

MD5
b4db20a9c352fd3d926717ed6c63ba88

SHA1
d470d0c8cc3b270fd99068e27aa892e42137f91b

SHA256
761d51cf2f2aac43421eecc637dc43ba092516f2b342f6d017007dc607576365

SHA512
2df3099d1f4fce06b096c70aa4c8c115f0a12a8d624b9575f292fc3597b30fd635fd8c0a44c21c3c4556bf6cc78e7b904edd42ec7bc5863ea62fa2f2cf75bd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12602\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
a2603e5dadb91017b83954470bc64694

SHA1
a91ea3aec86f79ebbc465dffb2115d360103e174

SHA256
b1195855a4b9125ed3482ebd45316d6105325d1ec9e3b1ce9fa084b52a00bdd4

SHA512
f7fc366e03f7208c3b0af7f19d824c8b945bf8d451389ef349ef5bcc5e0d735ecf96fd76cc23a329d7ba6d0eca7d84b909999e8774f8ea0f96a0dbd1deac3e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12602\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
c26c5bdc48584116f822d9be4cfd4fc7

SHA1
e64d49d0d77167b4c42e16c8eba59b96b7ea1236

SHA256
a9e03df5efce9b78f958f89613b8f55e59597f6430e1f40ceb9c4130d68d183c

SHA512
7b66ad09370144fe2be39920bf7f4b3ab57be28ab50ef0bc8020ac58616b98a0a9cfb0f70e2b5b79c5d7cf4a04c0b758f9026fdf6752d0ac64b54fb5cff73d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12602\python312.dll

Filesize
1.7MB

MD5
71070618402c15a2fad5ca70c9ef7297

SHA1
34fedbf17a57010c5cd20ef4e690616859cc8e68

SHA256
7d35a191edb95ccd85ef05d645deeca3ed1febd9acd659569fab56ae06c1ebdf

SHA512
81ef8749f5c3dbd586ddbbcf26cd6c80607a5cc9c26e31c912f454ca56013082174e2012a507739ec1e9c5a2f019bf0ca6bd3ce18880abdbff0ba5f8f3cbbf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12602\ucrtbase.dll

Filesize
1.1MB

MD5
79fe69af4009290dcd5298612e5551f7

SHA1
c7d770a434381ed593b32be5705202271590bc39

SHA256
dff01a7bfad83d7f8456fef597e845b2d099291c8bf22b27584486d948d971f5

SHA512
6a9a582b32076c7e7fdef3ea78775067133ff1f68a1eed5ec89fb66582c1fb51f077124bab915bde6f2afe245ab2fb127fd0ea231bd020ca8ca2d614f525cf8f

Download Submit
memory/1696-1322-0x000007FEF6190000-0x000007FEF6855000-memory.dmp

Filesize
6.8MB

Download