eb5e0956e26576d0c02cd7749476a564bd8671375ccca863efaa7347235fdb7d

Analysis

max time kernel
79s
max time network
83s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25-06-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S500 RAT.zip
Size

43.3MB
MD5

345a37c6bcd0ce82aa0eb4b339a99ecc
SHA1

3056b6855d0f359485c037de1673786f000c78c9
SHA256

eb5e0956e26576d0c02cd7749476a564bd8671375ccca863efaa7347235fdb7d
SHA512

1741db005d19d23cdfba33952eb4d44d460ab540ef4151b4ffd17a8c72c37a729d0d01e94985a5f295b92865d90037c03d09bb65cedb80423cfe4cc4de319239
SSDEEP

786432:StSrIAPWJhZ1SYMZgUxXxPfB4X0U7hQ0bbJLl8VNevlP3y5sxC4f:SwrVWhfYxP54h7hQILl8VuY5sYo

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2220 chrome.exe
2220 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2220 chrome.exe
2220 chrome.exe
2220 chrome.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

chrome.exe

description pid process

Token: SeShutdownPrivilege 2220 chrome.exe
Token: SeCreatePagefilePrivilege 2220 chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2220	chrome.exe
Token: SeCreatePagefilePrivilege	2220	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe
2220	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2220 wrote to memory of 2124	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 2124	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 216	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 1540	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 1540	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe
PID 2220 wrote to memory of 5016	2220	chrome.exe	chrome.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 RAT.zip"
1⤵
PID:4988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff98b159758,0x7ff98b159768,0x7ff98b159778
2⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1848,i,2829105236966348599,8831506090834681123,131072 /prefetch:2
2⤵
PID:216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1848,i,2829105236966348599,8831506090834681123,131072 /prefetch:8
2⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1848,i,2829105236966348599,8831506090834681123,131072 /prefetch:8
2⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2904 --field-trial-handle=1848,i,2829105236966348599,8831506090834681123,131072 /prefetch:1
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1848,i,2829105236966348599,8831506090834681123,131072 /prefetch:1
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3576 --field-trial-handle=1848,i,2829105236966348599,8831506090834681123,131072 /prefetch:1
2⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1848,i,2829105236966348599,8831506090834681123,131072 /prefetch:8
2⤵
PID:3620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1848,i,2829105236966348599,8831506090834681123,131072 /prefetch:8
2⤵
PID:2024

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
793B

MD5
6f090b85a6c127f11fddca37338fce33

SHA1
2773c5afc61fd83703b0077c05fa093110949d47

SHA256
727cda5a4b5e9b16b55b805ef25d72b395f396ddebe5a7eb4a08434b40f69eda

SHA512
32e7f8d192ed7aeaef494382f976ca08b1050d4a0ce1642c1d8490062ea6fda9d024c9902b2c367cb519ba3d635d361509c609337d41f1b00ad7e96daea36940

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
7c170bf63982db429af52f7992fb59a9

SHA1
c162ff47cf42bab03dbb81a65100eefe93d8400f

SHA256
bd977b9db47b8ccf3497fd0129781d04c65f8a8e02c7d579624418eeec46415c

SHA512
07f33933ba6c5ec933e7169764adc03ab66bd954157eeb346fc6a1c07ff4862457098f23aa58e2f965e4c4f054831c0edb7b744c0aa5acc98dde792683801466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
9e369895a836be52e092b38e7fc943dd

SHA1
803b7ef117659d63abd0ceb63473e787b4c84063

SHA256
10c9c80ed6742c6c2c5b2934e5e930968ca65c5f7c679eada6a096fa4296faf7

SHA512
069e5572f9b431fe6455ad7407a7dd90de092eed3e8d030c9deb2461e5dcc3f83d1bb65c6d157d868cbafde23a2639ab0049695bfd966c0d6fa8dec2006c2cdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
289KB

MD5
8da8922829fb1cc2cb49a2d64f5d7475

SHA1
5dfc098b42eba4727e253b6aece5f1f018ba20c6

SHA256
ac96a214b5c5a39f227d9268a16a6e30f008c7dc90e5b6ce5742a10e49b0481b

SHA512
f92cbba129dc3b97fd540a8611363448c3ad373a34bb88fef103d922abe8085df6a0c87b49d5a5f576163910952c86be8319c64253d84e80f9a7d6e623097c7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
\??\pipe\crashpad_2220_WQOFTJSITWZEUIPX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit