gh0strat | eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba

Analysis

max time kernel
148s
max time network
128s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe
Size

898KB
MD5

40fa9a44c3d4a3894bcfaeb6e68ad812
SHA1

ccec185a58245811bf7c7a2def94b5f37bc71ef9
SHA256

eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba
SHA512

02a9b5ca6175ad6c0c97274e185bde8f9cf1be257baf8dab5fbc4e81c9d5f8b48522d4b38177fc25be22d0bb7df1f136e0108b50f31eef65685b76e9d2a2dd02
SSDEEP

12288:28plQhHVWj7aBX+TLBhAuwf48ZujbT1lq8ENSKrPi81gPYwrkt+YrxWmRpfkyq:Rq2XXTLBuuKUT1VKra81Mrrkt+0x1pW

Score

10^/10

gh0strat persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000000b2d2-56.dat	family_gh0strat
behavioral1/files/0x000600000000b2d2-58.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
1272	·þÎñ¶Ë.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	×Ô¶¯ÊÕ»õV4.2.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Zeng = "C:\\Zeng.exe"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	×Ô¶¯ÊÕ»õV4.2.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\qmacro\\qdisp.dll"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B167D60-8605-11D0-ABCB-00A0C90FFFC0}\ = "DScriptControlSource"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ScriptControl\CLSID	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\Control	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C73-067D-11D0-95D8-00A02463AB28}\TypeLib\Version = "1.0"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C71-067D-11D0-95D8-00A02463AB28}\ProxyStubClsid32	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C78-067D-11D0-95D8-00A02463AB28}\TypeLib	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E59F1D3-1FBE-11D0-8FF2-00A0D10038BC}\ProxyStubClsid32	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}\InprocHandler32	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSScriptControl.ScriptControl\CurVer\ = "MSScriptControl.ScriptControl.1"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}\LocalServer32\ = "C:\\V42~1.EXE"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C6F-067D-11D0-95D8-00A02463AB28}	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\InprocHandler32	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E59F1D3-1FBE-11D0-8FF2-00A0D10038BC}\TypeLib\Version = "1.0"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\LocalServer32\ = "C:\\V42~1.EXE"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSScriptControl.ScriptControl.1\ = "ScriptControl Object"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C6F-067D-11D0-95D8-00A02463AB28}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary.Inner	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\qmacro\\qdisp.dll"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}\InprocHandler32\ = "ole32.dll"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C73-067D-11D0-95D8-00A02463AB28}\ProxyStubClsid32	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C78-067D-11D0-95D8-00A02463AB28}\ = "IScriptError"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ScriptControl\CurVer\ = "MSScriptControl.ScriptControl.1"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}\LocalServer32	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C73-067D-11D0-95D8-00A02463AB28}\ = "IScriptProcedure"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSScriptControl.ScriptControl.1\CLSID	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ScriptControl\ = "ScriptControl Object"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CLSID\ = "{EBEB87A4-E151-4054-AB45-A6E094C5334B}"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary.Inner\CLSID\ = "{EBEB87A5-E151-4054-AB45-A6E094C5334B}"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A5-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary.Inner"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C78-067D-11D0-95D8-00A02463AB28}\ProxyStubClsid32	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary.Inner\CLSID	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C70-067D-11D0-95D8-00A02463AB28}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C71-067D-11D0-95D8-00A02463AB28}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C70-067D-11D0-95D8-00A02463AB28}\TypeLib\ = "{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C78-067D-11D0-95D8-00A02463AB28}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ScriptControl	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSScriptControl.ScriptControl	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E59F1D3-1FBE-11D0-8FF2-00A0D10038BC}\ = "IScriptControl"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E59F1D3-1FBE-11D0-8FF2-00A0D10038BC}	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C73-067D-11D0-95D8-00A02463AB28}\TypeLib\ = "{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}"	×Ô¶¯ÊÕ»õV4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B167D60-8605-11D0-ABCB-00A0C90FFFC0}\TypeLib\Version = "1.0"	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}\VersionIndependentProgID	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C6F-067D-11D0-95D8-00A02463AB28}\ProxyStubClsid32	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70841C78-067D-11D0-95D8-00A02463AB28}	×Ô¶¯ÊÕ»õV4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0E59F1D3-1FBE-11D0-8FF2-00A0D10038BC}\TypeLib	×Ô¶¯ÊÕ»õV4.2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1732	×Ô¶¯ÊÕ»õV4.2.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1732	×Ô¶¯ÊÕ»õV4.2.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1732	×Ô¶¯ÊÕ»õV4.2.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe
1732	×Ô¶¯ÊÕ»õV4.2.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1272	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	28
PID 1632 wrote to memory of 1272	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	28
PID 1632 wrote to memory of 1272	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	28
PID 1632 wrote to memory of 1272	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	28
PID 1632 wrote to memory of 1272	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	28
PID 1632 wrote to memory of 1272	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	28
PID 1632 wrote to memory of 1272	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	28
PID 1632 wrote to memory of 1732	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	29
PID 1632 wrote to memory of 1732	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	29
PID 1632 wrote to memory of 1732	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	29
PID 1632 wrote to memory of 1732	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	29
PID 1632 wrote to memory of 1732	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	29
PID 1632 wrote to memory of 1732	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	29
PID 1632 wrote to memory of 1732	1632	eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe	29
PID 1272 wrote to memory of 2024	1272	·þÎñ¶Ë.exe	30
PID 1272 wrote to memory of 2024	1272	·þÎñ¶Ë.exe	30
PID 1272 wrote to memory of 2024	1272	·þÎñ¶Ë.exe	30
PID 1272 wrote to memory of 2024	1272	·þÎñ¶Ë.exe	30
PID 1272 wrote to memory of 2024	1272	·þÎñ¶Ë.exe	30
PID 1272 wrote to memory of 2024	1272	·þÎñ¶Ë.exe	30
PID 1272 wrote to memory of 2024	1272	·þÎñ¶Ë.exe	30

C:\Users\Admin\AppData\Local\Temp\eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe
"C:\Users\Admin\AppData\Local\Temp\eda27b862bf988a2336e85d90b80b9e5f6550341b8eca61e0b971bf7cbaf20ba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\·þÎñ¶Ë.exe
  "C:\·þÎñ¶Ë.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\REG.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Zeng /d "C:\Zeng.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2024
- C:\×Ô¶¯ÊÕ»õV4.2.exe
  "C:\×Ô¶¯ÊÕ»õV4.2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\·þÎñ¶Ë.exe

Filesize
4.2MB

MD5
e268162762e76498c6b5bf61ccd354d7

SHA1
4f5965f81ff49ab8eb3e68ab50a18c118d43a185

SHA256
5c0b24fd9dada4064792411dbb2a9086e9c0a699ee087113bc2284b6cb03df07

SHA512
7908ba543cb1b5332dd199c29cd64252559a26706955d3d561bb2f0c834d7eef8b2998ab4cc85c489039a6a4646acd0c5524e028eca8ae31aacc29604149e391

Download Submit
C:\·þÎñ¶Ë.exe

Filesize
4.2MB

MD5
e268162762e76498c6b5bf61ccd354d7

SHA1
4f5965f81ff49ab8eb3e68ab50a18c118d43a185

SHA256
5c0b24fd9dada4064792411dbb2a9086e9c0a699ee087113bc2284b6cb03df07

SHA512
7908ba543cb1b5332dd199c29cd64252559a26706955d3d561bb2f0c834d7eef8b2998ab4cc85c489039a6a4646acd0c5524e028eca8ae31aacc29604149e391

Download Submit
C:\×Ô¶¯ÊÕ»õV4.2.exe

Filesize
2.6MB

MD5
ea876590fdca0140fcc0ce41ed1a0e85

SHA1
89ba3d800ac5f1e0b3249e04c16431b50b6b4c31

SHA256
77b435c34300d4d387bc0b02b108fa70d421a22e9fa37ae6e705c1edb9430e38

SHA512
bcda1b9c0c56fa5e4768061b8200a481cbbd5682d92e45f74d5ffd25693060cf6c7bd0de1f7baf1db05b988078eba7ffaf27fadb3d045a2c878f3faa7fc9d975

Download Submit
C:\×Ô¶¯ÊÕ»õV4.2.exe

Filesize
2.6MB

MD5
ea876590fdca0140fcc0ce41ed1a0e85

SHA1
89ba3d800ac5f1e0b3249e04c16431b50b6b4c31

SHA256
77b435c34300d4d387bc0b02b108fa70d421a22e9fa37ae6e705c1edb9430e38

SHA512
bcda1b9c0c56fa5e4768061b8200a481cbbd5682d92e45f74d5ffd25693060cf6c7bd0de1f7baf1db05b988078eba7ffaf27fadb3d045a2c878f3faa7fc9d975

Download Submit
\Users\Admin\AppData\Roaming\qmacro\qdisp.dll

Filesize
41KB

MD5
a20de3836893f50f73c61ec0a2e45ad7

SHA1
eee63ff2190d6e2ed3eb4041c51075b4ed961c88

SHA256
2bcdf199d79f40191ba92513021f99390a8e07abdb151975e5df739b46d97473

SHA512
cab618b4b07bbdc36e5b679da9afa2d9e3f5ebdfef11c10e461dc9a588db2cabf1589ce10898dae8a9a12a0b5f571a6dffeb4faff504ea31eed9eba0c6b76f40

Download Submit
\Users\Admin\AppData\Roaming\qmacro\qdisp.dll

Filesize
41KB

MD5
a20de3836893f50f73c61ec0a2e45ad7

SHA1
eee63ff2190d6e2ed3eb4041c51075b4ed961c88

SHA256
2bcdf199d79f40191ba92513021f99390a8e07abdb151975e5df739b46d97473

SHA512
cab618b4b07bbdc36e5b679da9afa2d9e3f5ebdfef11c10e461dc9a588db2cabf1589ce10898dae8a9a12a0b5f571a6dffeb4faff504ea31eed9eba0c6b76f40

Download Submit
memory/1632-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1732-67-0x00000000007F1000-0x00000000007F6000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads