Analysis Overview
SHA256: c4b5f177fbc6811112cea23ecc3d848f0b96cce7e702ac244291005d32e8528d
Threat Level: Known bad
The file Client.exe was found to be: Known bad.
Malicious Activity Summary
EagleRat
Eaglerat family
Drops startup file
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-20 22:36
Signatures
Eaglerat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-20 22:36
Reported: 2024-11-20 22:38
Platform: win10ltsc2021-20241023-en
Max time kernel: 149s
Max time network: 140s
Signatures
EagleRat
Eaglerat family
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe.lnk | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\Client.exe | "C:\Users\Admin\AppData\Local\Temp\Client.exe" |
| C:\Windows\System32\oobe\UserOOBEBroker.exe | C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding |
| C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe | "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca |
| C:\Windows\System32\SecurityHealthHost.exe | C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding |
| C:\Windows\System32\SecurityHealthHost.exe | C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding |
| C:\Windows\System32\SecurityHealthHost.exe | C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding |
| C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /7 |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Users\Admin\AppData\Local\Temp\Client.exe | "C:\Users\Admin\AppData\Local\Temp\Client.exe" |
| C:\Users\Admin\AppData\Local\Temp\Client.exe | "C:\Users\Admin\AppData\Local\Temp\Client.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:9875 | N/A | tcp |
| N/A | 127.0.0.1:7788 | N/A | tcp |
| N/A | 127.0.0.1:6969 | N/A | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 13.87.96.169:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe.lnk
| Hash | Value |
| MD5 | 72811ec304b2575507d8d989aa2690d7 |
| SHA1 | daffe67ffdd89861c3544f2b5aaaf3b7ad6a6731 |
| SHA256 | 121e20de7feaeac2daf96b997478516b945982fb9c22ce6b9d32add25b5fda1c |
| SHA512 | f58cc2f325d8b33cfda2e90ead73c01590ab221f10ab8d89ada0e4c1ca4ba336520c6827be1cd5d48cb4214b86ae337fbde31f90773e24c93983e4a8d7c5561f |
C:\Users\Admin\AppData\Local\Client.exe
| Hash | Value |
| MD5 | 69fc315595400476fe64abf5320ae358 |
| SHA1 | 387e470ea168a5d1d3fe750965ae7f55f6410986 |
| SHA256 | c4b5f177fbc6811112cea23ecc3d848f0b96cce7e702ac244291005d32e8528d |
| SHA512 | 32032081292268a4a1b43e9d4abc91fa6b7c60efeff48f7cc9551ccafd94cdc2555685caa557a1891d4e2eeae339b00e9636acc49fd6a37e5ed641d08af9c1e0 |