Analysis Overview
SHA256
5436bad558c5bf3cb413020100e8426c0e07a45ecf34d679a753e168fd46d9fc
Threat Level: Known bad
The file test.exe was found to be: Known bad.
Malicious Activity Summary
EagleRat
Eaglerat family
Drops startup file
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-20 22:30
Signatures
Eaglerat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-20 22:30
Reported
2024-11-20 22:31
Platform
win11-20241007-en
Max time kernel
51s
Max time network
47s
Command Line
Signatures
EagleRat
Eaglerat family
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.exe.lnk | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 127.0.0.1:9875 | | tcp |
| N/A | 127.0.0.1:7788 | | tcp |
| N/A | 127.0.0.1:9875 | | tcp |
| N/A | 127.0.0.1:6969 | | tcp |
| N/A | 127.0.0.1:9875 | | tcp |
| N/A | 127.0.0.1:7788 | | tcp |
| N/A | 127.0.0.1:9875 | | tcp |
| N/A | 127.0.0.1:6969 | | tcp |
| N/A | 127.0.0.1:9875 | | tcp |
| N/A | 127.0.0.1:7788 | | tcp |
| GB | 88.221.134.3:443 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| GB | 95.101.143.210:443 | r.bing.com | tcp |
| GB | 95.101.143.210:443 | r.bing.com | tcp |
| GB | 95.101.143.210:443 | r.bing.com | tcp |
| GB | 95.101.143.210:443 | r.bing.com | tcp |
| GB | 95.101.143.210:443 | r.bing.com | tcp |
| GB | 95.101.143.210:443 | r.bing.com | tcp |
| N/A | 127.0.0.1:9875 | | tcp |
| N/A | 127.0.0.1:6969 | | tcp |
| N/A | 127.0.0.1:9875 | | tcp |
| N/A | 127.0.0.1:7788 | | tcp |
| GB | 88.221.135.25:443 | www.bing.com | tcp |
| N/A | 127.0.0.1:9875 | | tcp |
| US | 13.107.246.64:443 | afdxtest.z01.azurefd.net | tcp |
| N/A | 127.0.0.1:6969 | | tcp |
| ZA | 102.133.96.237:443 | c6c233f39eb88b1855e9e5fc3aedf096.azr.footprintdns.com | tcp |
| N/A | 127.0.0.1:9875 | | tcp |
| N/A | 127.0.0.1:7788 | | tcp |
| N/A | 127.0.0.1:9875 | | tcp |
| N/A | 127.0.0.1:6969 | | tcp |
| N/A | 127.0.0.1:9875 | | tcp |
| N/A | 127.0.0.1:7788 | | tcp |
| N/A | 127.0.0.1:9875 | | tcp |
| N/A | 127.0.0.1:6969 | | tcp |
Files
memory/5532-0-0x00007FF912A73000-0x00007FF912A75000-memory.dmp
memory/5532-1-0x00000000007B0000-0x00000000007C4000-memory.dmp
memory/5532-2-0x00000000015E0000-0x00000000015F2000-memory.dmp
memory/5532-3-0x0000000001620000-0x000000000163A000-memory.dmp
memory/5532-6-0x000000001C300000-0x000000001C376000-memory.dmp
memory/5532-7-0x00007FF912A70000-0x00007FF913532000-memory.dmp
memory/5532-8-0x000000001D5D0000-0x000000001D5EE000-memory.dmp
memory/5532-12-0x00007FF912A73000-0x00007FF912A75000-memory.dmp
memory/5532-13-0x00007FF912A70000-0x00007FF913532000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| Hash | Value |
|---|---|
| MD5 | 71a6b59e08e25451e52675c842fae23c |
| SHA1 | 565a97673954a9209c7a05fba20b89d10b88025f |
| SHA256 | 5b96212d3d1347b76c8c1c64b2f7ef981242bedd3b84b766b543d56dbbf8dbd6 |
| SHA512 | 5cc98eb2aa02e2e69165170451d89dd880893e6b07440bb84fbab6cf92cb558bd58c2235d8d64ff43d380c5e9869827800d310ee67950bb21b498d89fbb5aab3 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\25b0891a-af20-40cb-a4b7-2cc8d72bc3e0.down_data
| Hash | Value |
|---|---|
| MD5 | 5683c0028832cae4ef93ca39c8ac5029 |
| SHA1 | 248755e4e1db552e0b6f8651b04ca6d1b31a86fb |
| SHA256 | 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e |
| SHA512 | aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3 |