8fedd0ca0e90c113950ca9fe3685c46bc51515ff68791ef26eb87dd4da965890

Resubmissions

19/04/2025, 22:20

250419-19hzksyjy2 10

19/04/2025, 22:16

250419-16282sv1fv 10

19/04/2025, 22:11

250419-1395gsv1ew 10

Analysis

max time kernel
55s
max time network
56s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2025, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ColdRAT.zip
Size

20.0MB
MD5

c761941a49b0689482c063e66ec2ba84
SHA1

53c0795b52c9ecc669b6d05aca45933838df85d7
SHA256

8fedd0ca0e90c113950ca9fe3685c46bc51515ff68791ef26eb87dd4da965890
SHA512

b43b95b0fb0486e4be713fee1e7aacf9ab9702ad170f429ff6120d75d741be109bf92a29dae0fbcebe984ba05198feb763de1cadfffd7ff6ebd105b92904ee70
SSDEEP

393216:9lSeO+M2Eyea3KvSNRV7ab5Eed7Bco/8PVKa1T65MNH69+iRBds73:9lScoa3KvO6bxdVc4G565M493sz

Score

5^/10

execution

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3788	ColdRAT.exe
3788	ColdRAT.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4372	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4372	powershell.exe
4372	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	ColdRAT.exe
Token: SeDebugPrivilege	4372	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4372	3788	ColdRAT.exe	85
PID 3788 wrote to memory of 4372	3788	ColdRAT.exe	85

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ColdRAT.zip
1⤵
PID:5196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4584

C:\Users\Admin\Desktop\ColdRAT\ColdRAT.exe
"C:\Users\Admin\Desktop\ColdRAT\ColdRAT.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " $motherboard = (Get-WmiObject -Class Win32_BaseBoard).SerialNumber $cpu = (Get-WmiObject -Class Win32_Processor).ProcessorId Write-Output $motherboard Write-Output $cpu "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4372

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ikzj5mgw.0ht.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3788-8-0x000002A2A85D0000-0x000002A2A8628000-memory.dmp

Filesize
352KB

Download
memory/3788-11-0x000002A2A86F0000-0x000002A2A87A2000-memory.dmp

Filesize
712KB

Download
memory/3788-3-0x00007FFED16C0000-0x00007FFED2182000-memory.dmp

Filesize
10.8MB

Download
memory/3788-4-0x000002A2A8830000-0x000002A2A8B12000-memory.dmp

Filesize
2.9MB

Download
memory/3788-5-0x000002A2A8B20000-0x000002A2A8D14000-memory.dmp

Filesize
2.0MB

Download
memory/3788-6-0x000002A28E350000-0x000002A28E37C000-memory.dmp

Filesize
176KB

Download
memory/3788-7-0x000002A2A8540000-0x000002A2A85C2000-memory.dmp

Filesize
520KB

Download
memory/3788-0-0x00007FFED16C3000-0x00007FFED16C5000-memory.dmp

Filesize
8KB

Download
memory/3788-2-0x000002A28E2D0000-0x000002A28E2D1000-memory.dmp

Filesize
4KB

Download
memory/3788-9-0x000002A2A8D20000-0x000002A2A8E88000-memory.dmp

Filesize
1.4MB

Download
memory/3788-10-0x000002A28E320000-0x000002A28E328000-memory.dmp

Filesize
32KB

Download
memory/3788-12-0x000002A2A9DC0000-0x000002A2AA804000-memory.dmp

Filesize
10.3MB

Download
memory/3788-28-0x00007FFED16C0000-0x00007FFED2182000-memory.dmp

Filesize
10.8MB

Download
memory/3788-1-0x000002A28BF40000-0x000002A28DEC2000-memory.dmp

Filesize
31.5MB

Download
memory/3788-26-0x00007FFED16C0000-0x00007FFED2182000-memory.dmp

Filesize
10.8MB

Download
memory/3788-25-0x00007FFED16C3000-0x00007FFED16C5000-memory.dmp

Filesize
8KB

Download
memory/4372-24-0x000001C665B10000-0x000001C665C5F000-memory.dmp

Filesize
1.3MB

Download
memory/4372-13-0x000001C64D800000-0x000001C64D822000-memory.dmp

Filesize
136KB

Download