gh0strat | 185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-06-2022 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
Size

217KB
MD5

3ae2cf56a22bdd23e42fa1bf66b4addf
SHA1

816afdd594f61dd96712ed2972cf5189f30fab09
SHA256

185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca
SHA512

94f9e6d05713011053ee30be1b83528072c46def6792c23d6af3ec8146a5b2885e946f00d2f5fd205ee5d760d5cff99696900e7eecba7f378f4f5c26e2ebf543

Score

10^/10

gh0strat neshta persistence rat spyware stealer upx

Malware Config

Signatures

Detect Neshta Payload 15 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta

Gh0st RAT payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/976-63-0x0000000000400000-0x0000000000460000-memory.dmp	family_gh0strat
behavioral1/memory/976-64-0x0000000010000000-0x000000001004A000-memory.dmp	family_gh0strat
behavioral1/memory/1280-70-0x0000000000400000-0x0000000000460000-memory.dmp	family_gh0strat
behavioral1/memory/1280-95-0x0000000000400000-0x0000000000460000-memory.dmp	family_gh0strat
behavioral1/memory/1948-96-0x0000000000400000-0x0000000000460000-memory.dmp	family_gh0strat
behavioral1/memory/1612-101-0x0000000000420000-0x0000000000480000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 4 IoCs

Processes:

185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exeWindows°²È«×é¼þ.exeWindows°²È«×é¼þ.exesvchost.com

pid	process
976	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
1280	Windows°²È«×é¼þ.exe
1948	Windows°²È«×é¼þ.exe
1612	svchost.com

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe	upx
\Users\Admin\AppData\Local\Temp\3582-490\185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe	upx
C:\Users\Admin\AppData\Local\Temp\3582-490\185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe	upx
C:\Users\Admin\AppData\Local\Temp\3582-490\185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe	upx
behavioral1/memory/976-63-0x0000000000400000-0x0000000000460000-memory.dmp	upx
C:\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe	upx
behavioral1/memory/1280-70-0x0000000000400000-0x0000000000460000-memory.dmp	upx
C:\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe	upx
C:\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe	upx
\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe	upx
\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe	upx
behavioral1/memory/1280-95-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1948-96-0x0000000000400000-0x0000000000460000-memory.dmp	upx
\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe	upx
\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe	upx

Loads dropped DLL 8 IoCs

Processes:

185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exeWerFault.exesvchost.com

pid	process
1160	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
1160	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
1400	WerFault.exe
1400	WerFault.exe
1612	svchost.com
1160	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
1612	svchost.com
1160	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exesvchost.com185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	svchost.com
File created	C:\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\AppPatch\WINDOW~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	svchost.com

Drops file in Windows directory 3 IoCs

Processes:

185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1400 1280 WerFault.exe Windows°²È«×é¼þ.exe

pid	pid_target	process	target process
1400	1280	WerFault.exe	Windows°²È«×é¼þ.exe

Modifies registry class 1 IoCs

Processes:

185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe

description pid process

Token: SeIncBasePriorityPrivilege 976 185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	976	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exeWindows°²È«×é¼þ.exe185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exesvchost.com

description	pid	process	target process
PID 1160 wrote to memory of 976	1160	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
PID 1160 wrote to memory of 976	1160	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
PID 1160 wrote to memory of 976	1160	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
PID 1160 wrote to memory of 976	1160	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
PID 1280 wrote to memory of 1948	1280	Windows°²È«×é¼þ.exe	Windows°²È«×é¼þ.exe
PID 1280 wrote to memory of 1948	1280	Windows°²È«×é¼þ.exe	Windows°²È«×é¼þ.exe
PID 1280 wrote to memory of 1948	1280	Windows°²È«×é¼þ.exe	Windows°²È«×é¼þ.exe
PID 1280 wrote to memory of 1948	1280	Windows°²È«×é¼þ.exe	Windows°²È«×é¼þ.exe
PID 976 wrote to memory of 1612	976	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe	svchost.com
PID 976 wrote to memory of 1612	976	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe	svchost.com
PID 976 wrote to memory of 1612	976	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe	svchost.com
PID 976 wrote to memory of 1612	976	185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe	svchost.com
PID 1280 wrote to memory of 1400	1280	Windows°²È«×é¼þ.exe	WerFault.exe
PID 1280 wrote to memory of 1400	1280	Windows°²È«×é¼þ.exe	WerFault.exe
PID 1280 wrote to memory of 1400	1280	Windows°²È«×é¼þ.exe	WerFault.exe
PID 1280 wrote to memory of 1400	1280	Windows°²È«×é¼þ.exe	WerFault.exe
PID 1612 wrote to memory of 888	1612	svchost.com	cmd.exe
PID 1612 wrote to memory of 888	1612	svchost.com	cmd.exe
PID 1612 wrote to memory of 888	1612	svchost.com	cmd.exe
PID 1612 wrote to memory of 888	1612	svchost.com	cmd.exe

C:\Users\Admin\AppData\Local\Temp\185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
"C:\Users\Admin\AppData\Local\Temp\185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\3582-490\185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3582-490\185651~1.EXE > nul
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3582-490\185651~1.EXE > nul
4⤵
PID:888

C:\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe
"C:\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280

C:\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe
"C:\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe" Win7
2⤵
- Executes dropped EXE
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 308
2⤵
- Loads dropped DLL
- Program crash
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
Filesize
899KB

MD5
80a2fab233077e3ef91d1b207a7f725f

SHA1
8d496e3fe85c347372eabd50a616327c78349d33

SHA256
a061bfaa92dd039806911a09d30b6f24553395b6af21ae4fa54d5e5ba85f3e3d

SHA512
d4b96b04d2a00f714d60d62f1d66592cb68249914047118e8a405930a1c2a489c0e8fc71f80ff6f0cafbae60bea6960d8b216a7b0c94316f3076640eb71217a6

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
Filesize
1.5MB

MD5
92724a039ff89fb4dbf81af8de334fef

SHA1
076c6a350376748aa51d27ca82ee2b9b530d08f9

SHA256
e76511f06efd7f21aebafbbe8bd7deb024b76f10714e06f95b45992df8a847f5

SHA512
c8d8ada1492c2881896662bd1e387c3b6408034f49e078f58d1d5a7476af01433c9e35cf123a91b785d5f0284803631c153e9d26895bb61a1ccd19be267b2631

Download Submit
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
Filesize
129KB

MD5
b1e0da67a985533914394e6b8ac58205

SHA1
5a65e6076f592f9ea03af582d19d2407351ba6b6

SHA256
67629b025fed676bd607094fa7f21550e18c861495ba664ee0d2b215a4717d7f

SHA512
188ebb9a58565ca7ed81a46967a66d583f7dea43a2fc1fe8076a79ef4a83119ccaa22f948a944abae8f64b3a4b219f5184260eff7201eb660c321f6c0d1eba22

Download Submit
C:\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe
Filesize
176KB

MD5
1281edcf7ec3ec89403b372aa09ab442

SHA1
0817d74ac7ffc7f740bc105d95b690f9b32f590e

SHA256
4249bcd176411a5e56faa50bc0a83c1f311e23cc1dccd20a61a00e4157538b4c

SHA512
eaf6a4d9ed54093acef5bdd4f5ba216b71621ba29c6b29b421951b383f7dd5f1a71292fad98690cf7643e847ec013973302e96ef38e6180c6b0a9119886dfefb

Download Submit
C:\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe
Filesize
176KB

MD5
1281edcf7ec3ec89403b372aa09ab442

SHA1
0817d74ac7ffc7f740bc105d95b690f9b32f590e

SHA256
4249bcd176411a5e56faa50bc0a83c1f311e23cc1dccd20a61a00e4157538b4c

SHA512
eaf6a4d9ed54093acef5bdd4f5ba216b71621ba29c6b29b421951b383f7dd5f1a71292fad98690cf7643e847ec013973302e96ef38e6180c6b0a9119886dfefb

Download Submit
C:\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe
Filesize
176KB

MD5
1281edcf7ec3ec89403b372aa09ab442

SHA1
0817d74ac7ffc7f740bc105d95b690f9b32f590e

SHA256
4249bcd176411a5e56faa50bc0a83c1f311e23cc1dccd20a61a00e4157538b4c

SHA512
eaf6a4d9ed54093acef5bdd4f5ba216b71621ba29c6b29b421951b383f7dd5f1a71292fad98690cf7643e847ec013973302e96ef38e6180c6b0a9119886dfefb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
526KB

MD5
cc5020b193486a88f373bedca78e24c8

SHA1
61744a1675ce10ddd196129b49331d517d7da884

SHA256
e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a

SHA512
bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize
714KB

MD5
24179b4581907abfef8a55ab41c97999

SHA1
e4de417476f43da4405f4340ebf6044f6b094337

SHA256
a8b960bcbf3045bedd2f6b59c521837ac4aee9c566001c01d8fc43b15b1dfdc7

SHA512
6fb0621ea3755db8af58d86bdc4f5324ba0832790e83375d07c378b6f569a109e14a78ed7d1a5e105b7a005194a31bd7771f3008b2026a0938d695e62f6ea6b8

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize
715KB

MD5
06366e48936df8d5556435c9820e9990

SHA1
0e3ed1da26a0c96f549720684e87352f1b58ef45

SHA256
cd47cce50016890899413b2c3609b3b49cb1b65a4dfcaa34ece5a16d8e8f6612

SHA512
bea7342a6703771cb9b11cd164e9972eb981c33dcfe3e628b139f9e45cf1e24ded1c55fcdfa0697bf48772a3359a9ddd29e4bb33c796c94727afd1c4d5589ea3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
525KB

MD5
420cfbdb408e93599f1a6040b66b9ba8

SHA1
e8ebcdcdc10939ca0f4542ed97e2e4a4bd730ea3

SHA256
b38e555b368c33594a1e4b4c2012f1c4eaccf0fd43c5e623e6e3b1bd32cbb66c

SHA512
ce67fc360b2a4baf50e662acd2f1c40d3a9068c86a8705bd0476d3910a471157cc69bf20ca7b0d82a8fdddaecc8bdb1b4d31394e5a82ab6ca7724e0f7c0c599c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize
536KB

MD5
2acb54dd83be1957482f0df591ade3f5

SHA1
c6e9ebe71564c55a7260d1e8f45b11bd125d95cc

SHA256
af7961a615915aa0c59b735254e537004eab00e57466585390bbb0e29a5948a6

SHA512
011a2ca1d42e4bc26db7353ca79a9800cb9c9be271c531ce2afbb230b8487729da02c307f65a52f828459ca1b3aa4326c576bb4364f70b149e8b4f479b06cc1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
Filesize
176KB

MD5
1281edcf7ec3ec89403b372aa09ab442

SHA1
0817d74ac7ffc7f740bc105d95b690f9b32f590e

SHA256
4249bcd176411a5e56faa50bc0a83c1f311e23cc1dccd20a61a00e4157538b4c

SHA512
eaf6a4d9ed54093acef5bdd4f5ba216b71621ba29c6b29b421951b383f7dd5f1a71292fad98690cf7643e847ec013973302e96ef38e6180c6b0a9119886dfefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
Filesize
176KB

MD5
1281edcf7ec3ec89403b372aa09ab442

SHA1
0817d74ac7ffc7f740bc105d95b690f9b32f590e

SHA256
4249bcd176411a5e56faa50bc0a83c1f311e23cc1dccd20a61a00e4157538b4c

SHA512
eaf6a4d9ed54093acef5bdd4f5ba216b71621ba29c6b29b421951b383f7dd5f1a71292fad98690cf7643e847ec013973302e96ef38e6180c6b0a9119886dfefb

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe
Filesize
176KB

MD5
1281edcf7ec3ec89403b372aa09ab442

SHA1
0817d74ac7ffc7f740bc105d95b690f9b32f590e

SHA256
4249bcd176411a5e56faa50bc0a83c1f311e23cc1dccd20a61a00e4157538b4c

SHA512
eaf6a4d9ed54093acef5bdd4f5ba216b71621ba29c6b29b421951b383f7dd5f1a71292fad98690cf7643e847ec013973302e96ef38e6180c6b0a9119886dfefb

Download Submit
\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe
Filesize
176KB

MD5
1281edcf7ec3ec89403b372aa09ab442

SHA1
0817d74ac7ffc7f740bc105d95b690f9b32f590e

SHA256
4249bcd176411a5e56faa50bc0a83c1f311e23cc1dccd20a61a00e4157538b4c

SHA512
eaf6a4d9ed54093acef5bdd4f5ba216b71621ba29c6b29b421951b383f7dd5f1a71292fad98690cf7643e847ec013973302e96ef38e6180c6b0a9119886dfefb

Download Submit
\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe
Filesize
176KB

MD5
1281edcf7ec3ec89403b372aa09ab442

SHA1
0817d74ac7ffc7f740bc105d95b690f9b32f590e

SHA256
4249bcd176411a5e56faa50bc0a83c1f311e23cc1dccd20a61a00e4157538b4c

SHA512
eaf6a4d9ed54093acef5bdd4f5ba216b71621ba29c6b29b421951b383f7dd5f1a71292fad98690cf7643e847ec013973302e96ef38e6180c6b0a9119886dfefb

Download Submit
\Program Files (x86)\AppPatch\Windows°²È«×é¼þ.exe
Filesize
176KB

MD5
1281edcf7ec3ec89403b372aa09ab442

SHA1
0817d74ac7ffc7f740bc105d95b690f9b32f590e

SHA256
4249bcd176411a5e56faa50bc0a83c1f311e23cc1dccd20a61a00e4157538b4c

SHA512
eaf6a4d9ed54093acef5bdd4f5ba216b71621ba29c6b29b421951b383f7dd5f1a71292fad98690cf7643e847ec013973302e96ef38e6180c6b0a9119886dfefb

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
Filesize
176KB

MD5
1281edcf7ec3ec89403b372aa09ab442

SHA1
0817d74ac7ffc7f740bc105d95b690f9b32f590e

SHA256
4249bcd176411a5e56faa50bc0a83c1f311e23cc1dccd20a61a00e4157538b4c

SHA512
eaf6a4d9ed54093acef5bdd4f5ba216b71621ba29c6b29b421951b383f7dd5f1a71292fad98690cf7643e847ec013973302e96ef38e6180c6b0a9119886dfefb

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\185651505b12be27cdcbaee3d10176690b476ce6ff9a67662aa7ecbe7f7325ca.exe
Filesize
176KB

MD5
1281edcf7ec3ec89403b372aa09ab442

SHA1
0817d74ac7ffc7f740bc105d95b690f9b32f590e

SHA256
4249bcd176411a5e56faa50bc0a83c1f311e23cc1dccd20a61a00e4157538b4c

SHA512
eaf6a4d9ed54093acef5bdd4f5ba216b71621ba29c6b29b421951b383f7dd5f1a71292fad98690cf7643e847ec013973302e96ef38e6180c6b0a9119886dfefb

Download Submit
memory/888-90-0x0000000000000000-mapping.dmp

Download
memory/976-64-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/976-63-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/976-57-0x0000000000000000-mapping.dmp

Download
memory/1160-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1160-62-0x0000000002770000-0x00000000027D0000-memory.dmp

Filesize
384KB

Download
memory/1160-61-0x0000000002770000-0x00000000027D0000-memory.dmp

Filesize
384KB

Download
memory/1280-95-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1280-70-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1400-80-0x0000000000000000-mapping.dmp

Download
memory/1612-101-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1612-87-0x0000000000000000-mapping.dmp

Download
memory/1948-96-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1948-76-0x0000000000000000-mapping.dmp

Download