gh0strat | c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe
Size

1.6MB
MD5

47265030482ff347272cdf09aef25e8d
SHA1

2ae7ac78dc11f0374389f1f15031a1a1a4d30b70
SHA256

c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9
SHA512

35c09678bde4841c3bc0432229c6b84bd4ca39c963290cfcc7d25bb6b10002346e0dc798c684bf9d3ab95b4e286f5366430758733ee2f33eb8610e9773e78b0e
SSDEEP

24576:U61I7CpxnYP1uyFQ3OfzYSu2+PVAJeA4Qsi84XVKCuVSs1DKNbGvFic2Y+O:D+7vdNwERuDrZQsN4YpSKWG9ic2Yl

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/5088-146-0x0000000000400000-0x0000000000432800-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 3 IoCs

pid	Process
4764	¾¢Îè6.9Í¨ÓÃ°æ£¨Ö§³ÖË½·þ£©.exe
2112	server.exe
5088	evqiimkjmt

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221207112058.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\559455d2-066b-481d-817d-b1e816085ad1.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2016	5088	WerFault.exe	80

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5088	evqiimkjmt
5088	evqiimkjmt
3800	msedge.exe
3800	msedge.exe
3948	msedge.exe
3948	msedge.exe
4084	identity_helper.exe
4084	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5088	evqiimkjmt
Token: SeBackupPrivilege	5088	evqiimkjmt
Token: SeBackupPrivilege	5088	evqiimkjmt
Token: SeRestorePrivilege	5088	evqiimkjmt

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4764	¾¢Îè6.9Í¨ÓÃ°æ£¨Ö§³ÖË½·þ£©.exe
4764	¾¢Îè6.9Í¨ÓÃ°æ£¨Ö§³ÖË½·þ£©.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 4764	4352	c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe	78
PID 4352 wrote to memory of 4764	4352	c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe	78
PID 4352 wrote to memory of 4764	4352	c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe	78
PID 4352 wrote to memory of 2112	4352	c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe	79
PID 4352 wrote to memory of 2112	4352	c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe	79
PID 4352 wrote to memory of 2112	4352	c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe	79
PID 2112 wrote to memory of 5088	2112	server.exe	80
PID 2112 wrote to memory of 5088	2112	server.exe	80
PID 2112 wrote to memory of 5088	2112	server.exe	80
PID 4764 wrote to memory of 3948	4764	¾¢Îè6.9Í¨ÓÃ°æ£¨Ö§³ÖË½·þ£©.exe	81
PID 4764 wrote to memory of 3948	4764	¾¢Îè6.9Í¨ÓÃ°æ£¨Ö§³ÖË½·þ£©.exe	81
PID 3948 wrote to memory of 2260	3948	msedge.exe	83
PID 3948 wrote to memory of 2260	3948	msedge.exe	83
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3180	3948	msedge.exe	93
PID 3948 wrote to memory of 3800	3948	msedge.exe	95
PID 3948 wrote to memory of 3800	3948	msedge.exe	95
PID 3948 wrote to memory of 2628	3948	msedge.exe	97
PID 3948 wrote to memory of 2628	3948	msedge.exe	97
PID 3948 wrote to memory of 2628	3948	msedge.exe	97
PID 3948 wrote to memory of 2628	3948	msedge.exe	97
PID 3948 wrote to memory of 2628	3948	msedge.exe	97
PID 3948 wrote to memory of 2628	3948	msedge.exe	97
PID 3948 wrote to memory of 2628	3948	msedge.exe	97
PID 3948 wrote to memory of 2628	3948	msedge.exe	97
PID 3948 wrote to memory of 2628	3948	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe
"C:\Users\Admin\AppData\Local\Temp\c660ace33bc9a82ff6b0f600b7cede4b533c72721ab31758b1775eb6757662e9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Users\Admin\AppData\Local\Temp\¾¢Îè6.9Í¨ÓÃ°æ£¨Ö§³ÖË½·þ£©.exe
  "C:\Users\Admin\AppData\Local\Temp\¾¢Îè6.9Í¨ÓÃ°æ£¨Ö§³ÖË½·þ£©.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.5203y.com/
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffc1ed046f8,0x7ffc1ed04708,0x7ffc1ed04718
      4⤵
      PID:2260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:3180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
      4⤵
      PID:2628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
      4⤵
      PID:3192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
      4⤵
      PID:2796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5324 /prefetch:8
      4⤵
      PID:880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
      4⤵
      PID:3708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
      4⤵
      PID:2328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5348 /prefetch:8
      4⤵
      PID:2112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
      4⤵
      PID:2096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
      4⤵
      PID:4928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
      4⤵
      PID:4772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
      4⤵
      PID:4768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:2504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff769e25460,0x7ff769e25470,0x7ff769e25480
        5⤵
        
        PID:2000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
      4⤵
      PID:2972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
      4⤵
      PID:2096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6396 /prefetch:8
      4⤵
      PID:3740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
      4⤵
      PID:4280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17592422354239164921,11583289416542855826,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=208 /prefetch:1
      4⤵
      PID:3796
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2112
- - \??\c:\users\admin\appdata\local\evqiimkjmt
    "C:\Users\Admin\AppData\Local\Temp\server.exe" a -sc:\users\admin\appdata\local\temp\server.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 320
      4⤵
      Program crash
      PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5088 -ip 5088
1⤵
PID:2020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
196KB

MD5
54b5926b964e7280448dff92eff7fd38

SHA1
d9fa67ffe3e33a530a929368bcec80212d57477e

SHA256
375d6fc7db4185183b562b63352d89a5865d3d3f7d9b7988ed48f4e2af600c95

SHA512
b0ab73c30503aa14b207b17e10b492c4cfe39896e247d4de245068756671298cc6498538f20947245ff182d6df3945487644b3e1d8c41eef27e60610f7aedae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
196KB

MD5
54b5926b964e7280448dff92eff7fd38

SHA1
d9fa67ffe3e33a530a929368bcec80212d57477e

SHA256
375d6fc7db4185183b562b63352d89a5865d3d3f7d9b7988ed48f4e2af600c95

SHA512
b0ab73c30503aa14b207b17e10b492c4cfe39896e247d4de245068756671298cc6498538f20947245ff182d6df3945487644b3e1d8c41eef27e60610f7aedae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\¾¢Îè6.9Í¨ÓÃ°æ£¨Ö§³ÖË½·þ£©.exe

Filesize
904KB

MD5
99ea9f16c4f432f12d23ac1f50f05fbc

SHA1
660bda601a4f6c078d47ffdc91bba3a6875dda0f

SHA256
b8c05c9f4bdd4fb29b7d1c50771c630cfeed85b3fb26146e171cd75cba2542d4

SHA512
783a892754092ccbfb462487751f690a3df72aa9e5c6c88d6a229e04b8f24ee11da3de0b282d8e1707edc11ae07c96e49ca27ddc0b7df71ec10f88b17930d985

Download Submit
C:\Users\Admin\AppData\Local\Temp\¾¢Îè6.9Í¨ÓÃ°æ£¨Ö§³ÖË½·þ£©.exe

Filesize
904KB

MD5
99ea9f16c4f432f12d23ac1f50f05fbc

SHA1
660bda601a4f6c078d47ffdc91bba3a6875dda0f

SHA256
b8c05c9f4bdd4fb29b7d1c50771c630cfeed85b3fb26146e171cd75cba2542d4

SHA512
783a892754092ccbfb462487751f690a3df72aa9e5c6c88d6a229e04b8f24ee11da3de0b282d8e1707edc11ae07c96e49ca27ddc0b7df71ec10f88b17930d985

Download Submit
C:\Users\Admin\AppData\Local\evqiimkjmt

Filesize
20.7MB

MD5
394ea848447be5fa860534271122e596

SHA1
0c05acbad1646c794a061504cd85fd86efe5fb7c

SHA256
45ae8f3f08a48658f6cd0df14baf3f623ed7e3c464566c66c842aaddeef1977c

SHA512
597a33c4a49516678d9af3808f71b928d0f418f3910dc5fadb50f2ac934be878fea6b5f17a4189a6bc633a927ee33bc5d1fbf6143360a90d5175788bb484d915

Download Submit
\??\c:\users\admin\appdata\local\evqiimkjmt

Filesize
20.7MB

MD5
394ea848447be5fa860534271122e596

SHA1
0c05acbad1646c794a061504cd85fd86efe5fb7c

SHA256
45ae8f3f08a48658f6cd0df14baf3f623ed7e3c464566c66c842aaddeef1977c

SHA512
597a33c4a49516678d9af3808f71b928d0f418f3910dc5fadb50f2ac934be878fea6b5f17a4189a6bc633a927ee33bc5d1fbf6143360a90d5175788bb484d915

Download Submit
memory/2112-141-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/2112-138-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/5088-143-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download
memory/5088-146-0x0000000000400000-0x0000000000432800-memory.dmp

Filesize
202KB

Download