Overview

overview

10

Static

static

10

ColdRAT.zip

windows10-2004-x64

1

ColdRAT.zip

windows11-21h2-x64

1

ColdRAT/ColdRAT.exe

windows10-2004-x64

7

ColdRAT/ColdRAT.exe

windows11-21h2-x64

5

ColdRAT/Fixer.bat

windows10-2004-x64

5

ColdRAT/Fixer.bat

windows11-21h2-x64

5

Resubmissions

19/04/2025, 22:20

250419-19hzksyjy2 10

19/04/2025, 22:16

250419-16282sv1fv 10

19/04/2025, 22:11

250419-1395gsv1ew 10

Analysis

  • max time kernel
    299s
  • max time network
    284s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/04/2025, 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ColdRAT/Fixer.bat

  • Size

    122B

  • MD5

    2dabc46ce85aaff29f22cd74ec074f86

  • SHA1

    208ae3e48d67b94cc8be7bbfd9341d373fa8a730

  • SHA256

    a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

  • SHA512

    6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 12 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ColdRAT\Fixer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3752
    • C:\Windows\system32\lodctr.exe
      lodctr /r
      2⤵
      • Drops file in System32 directory
      PID:5920
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2976
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:3736

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f4509013-09cf-4231-b934-2a2097d89650.down_data
    Filesize

    555KB

    MD5

    5683c0028832cae4ef93ca39c8ac5029

    SHA1

    248755e4e1db552e0b6f8651b04ca6d1b31a86fb

    SHA256

    855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

    SHA512

    aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

    Download Submit

  • C:\Windows\System32\perfc007.dat
    Filesize

    44KB

    MD5

    4310cecf3a73920ecaa4d6414ab07f68

    SHA1

    1694d9ac571d38a1e3e590ecfa85ca7428770be2

    SHA256

    869bb41741bd8d256c97ddd08833ec24f6b3a2f5c45c99fae161b46377d3b99c

    SHA512

    a120f7ef2118118e0255e6867204829766676e255631b69035f63fc640d48a8482b3e4f338ff9d4211dc25858d0f319bf28eb37f3c4d46788f35858b35a72371

    Download Submit

  • C:\Windows\System32\perfc00A.dat
    Filesize

    47KB

    MD5

    69c02ba10f3f430568e00bcb54ddf5a9

    SHA1

    8b95d298633e37c42ea5f96ac08d950973d6ee9d

    SHA256

    62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e

    SHA512

    16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e

    Download Submit

  • C:\Windows\System32\perfc00C.dat
    Filesize

    43KB

    MD5

    8b4b53cf469919a32481ce37bcce203a

    SHA1

    58ee96630adf29e79771bfc39a400a486b4efbb0

    SHA256

    a7b3a2b6c67e98cf2b13684c8774113c4ed4f60cd6fc673d4c9dcb360c60ce42

    SHA512

    62217e68c9e4c7b077e127040318c603e2f2cbcc5517ce0cfc6189e43023f8d8a05b8e694b2a35d4b409241136a1067749b7b6e2049d6910246d8c0fa6e9e575

    Download Submit

  • C:\Windows\System32\perfc010.dat
    Filesize

    42KB

    MD5

    bea0a3b9b4dc8d06303d3d2f65f78b82

    SHA1

    361df606ee1c66a0b394716ba7253d9785a87024

    SHA256

    e88439ae381e57e207ce09bbf369859c34b239b08124339534dcc935a89ac927

    SHA512

    341132d443cd41acf0a7eaee0d6883c40d8a4db8c59e056211e898c817c2847377f0208ed3a40e0fd6f73f0196ffcc680c55754e160edafd97036739861a6c88

    Download Submit

  • C:\Windows\System32\perfc011.dat
    Filesize

    32KB

    MD5

    50681b748a019d0096b5df4ebe1eab74

    SHA1

    0fa741b445f16f05a1984813c7b07cc66097e180

    SHA256

    33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a

    SHA512

    568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e

    Download Submit

  • C:\Windows\System32\perfh007.dat
    Filesize

    307KB

    MD5

    312d855b1d95ae830e067657cffdd28c

    SHA1

    8133c02adeae24916fa9c53e52b3bfe66ac3d5a3

    SHA256

    ca3f8056e3e2378509ab24f8b8471e5fccac403a5413be518ac35bbb42a2e2cf

    SHA512

    f25c1a81a582a2a5e3142bd97f425c6ee5c26f878b1155232002fff1e4a3528bc371fb962da256c281e05c6c537160a4f48e00ea1fcf3e9887097f8ca6ec2b14

    Download Submit

  • C:\Windows\System32\perfh009.dat
    Filesize

    297KB

    MD5

    50362589add3f92e63c918a06d664416

    SHA1

    e1f96e10fb0f9d3bec9ea89f07f97811ccc78182

    SHA256

    9a60acb9d0cb67b40154feb3ff45119f122301ee059798c87a02cc0c23e2ffce

    SHA512

    e21404bc7a5708ab1f4bd1df5baff4302bc31ac894d0940a38b8967b40aac46c2b3e51566d6410e66c4e867e1d8a88489adccf8bdcaec682e9ddabc0dac64468

    Download Submit

  • C:\Windows\System32\perfh00A.dat
    Filesize

    347KB

    MD5

    49032045f6bcb9f676c7437df76c7ffa

    SHA1

    f1bf3ba149cd1e581fe12fb06e93d512fe3a241b

    SHA256

    089f30c1e60f038627531d486659fab66a8b927d65e4eca18f104d6ae4c7f641

    SHA512

    55b459b7787e6efacdcc17adb830dc3172a316ff8dd3b14a51bf4496a9479f513ae279a839674b472c1424170ee4aa63a5d45fc7fbd38a533a885282858c74f1

    Download Submit

  • C:\Windows\System32\perfh00C.dat
    Filesize

    350KB

    MD5

    518020fbecea70e8fecaa0afe298a79e

    SHA1

    c16d691c479a05958958bd19d1cb449769602976

    SHA256

    9a139a16fe741593e50fa5e1e2a0c706c0eba7f4d1e1a7a91035428185fde125

    SHA512

    ff910efee092c2b4a3fa1114f745feb7d01a38b55b0345e0118cdc601a056f79035bd92c76b49559480b515da4cd66d2fbe789baacdde67485cab989ff009b2e

    Download Submit

  • C:\Windows\System32\perfh010.dat
    Filesize

    340KB

    MD5

    f9fcefdf318c60de1e79166043b85ec4

    SHA1

    a99d480b322c9789c161ee3a46684f030ec9ad33

    SHA256

    9c92309f7a11b916d0e9b99f9083f58b1a2fa7a9aad283b064f01c11781160e7

    SHA512

    881e112fedccc8643d872396baf726ceb7a49c5cce09489ddcb88400b5a4578dd5ee62a4082d81a6c721c74edb00d84d225e08ab892cc094976149a1a2c486d8

    Download Submit

  • C:\Windows\System32\perfh011.dat
    Filesize

    145KB

    MD5

    f4f62aa4c479d68f2b43f81261ffd4e3

    SHA1

    6fa9ff1dbb2c6983afc3d57b699bc1a9d9418daa

    SHA256

    c2f81f06c86bf118a97fba7772d20d2c4ba92944551cd14e9d9bab40bf22816c

    SHA512

    cbd94b41fc3136c05981e880e1f854a5847a18708459112ca7eb0bdcb04d0034c42af8c58501a21ae56e07a29751236af9735b0a4ded3a6b0ef57d717acd5ff3

    Download Submit

  • C:\Windows\system32\perfc009.dat
    Filesize

    132KB

    MD5

    6dc5c14932145ac8ce521d70380fc341

    SHA1

    d937ba8d03634dc67f0a2a081436e7a502b6abaa

    SHA256

    8997d7f264e18fb3cecd7774f67947f5224bda27b51d70d175fde7868a2ee47e

    SHA512

    085e3f424cc7845c590e73487dab0a1f62362cc9e7ef20ce26e2e39622e9f391266babfdd23b690149df790ba00b866ce63d94602a1d87fe92bfdd163c6e0131

    Download Submit

  • C:\Windows\system32\perfh009.dat
    Filesize

    699KB

    MD5

    76c0938fe24e2455e3e78edfdee6a210

    SHA1

    6e7c29c8c544548fdb39a2d27346cdcb2587d10e

    SHA256

    ffeb7c1fa2f3787390d651c91781967d1df2006cf999edf909e1b79855f53ccb

    SHA512

    c50d944d1010ab6866863c2f639e0514a098058516287155eca7e4abe693703d0e3eea5fec097002886a313a1b671d118f8f8336d9cf38128ffad88b40a1c5e8

    Download Submit

  • memory/2976-1756-0x000001E01A330000-0x000001E01A331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-1755-0x000001E01A330000-0x000001E01A331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-1754-0x000001E01A330000-0x000001E01A331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-1760-0x000001E01A330000-0x000001E01A331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-1766-0x000001E01A330000-0x000001E01A331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-1765-0x000001E01A330000-0x000001E01A331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-1764-0x000001E01A330000-0x000001E01A331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-1763-0x000001E01A330000-0x000001E01A331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-1762-0x000001E01A330000-0x000001E01A331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-1761-0x000001E01A330000-0x000001E01A331000-memory.dmp

    Filesize

    4KB

    Download