mercurialgrabber | hxxps://www[.]upload[.]ee/files/14882274/888RAT_1[.]1[.]1[.]rar[.]html

Virtualization/Sandbox Evasion

Processes:

888RAT_1.1.1.exe888RAT_1.1.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	888RAT_1.1.1.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	888RAT_1.1.1.exe

Executes dropped EXE 2 IoCs

Processes:

888RAT_1.1.1.exe888RAT_1.1.1.exe

pid process

4500 888RAT_1.1.1.exe
4636 888RAT_1.1.1.exe

pid	process
4500	888RAT_1.1.1.exe
4636	888RAT_1.1.1.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

888RAT_1.1.1.exe888RAT_1.1.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	888RAT_1.1.1.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	888RAT_1.1.1.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

888RAT_1.1.1.exe888RAT_1.1.1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	888RAT_1.1.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	888RAT_1.1.1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

100 ip4.seeip.org
101 ip4.seeip.org
102 ip-api.com
126 ip4.seeip.org

flow	ioc
100	ip4.seeip.org
101	ip4.seeip.org
102	ip-api.com
126	ip4.seeip.org

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

888RAT_1.1.1.exe888RAT_1.1.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	888RAT_1.1.1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	888RAT_1.1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	888RAT_1.1.1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	888RAT_1.1.1.exe

Drops file in Program Files directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\888RAT_1.1.1\888RAT_1.1.1.exe	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\888RAT_1.1.1\READ.ME.txt	chrome.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

888RAT_1.1.1.exe888RAT_1.1.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	888RAT_1.1.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	888RAT_1.1.1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

888RAT_1.1.1.exe888RAT_1.1.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	888RAT_1.1.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	888RAT_1.1.1.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	888RAT_1.1.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	888RAT_1.1.1.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe888RAT_1.1.1.exe888RAT_1.1.1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	888RAT_1.1.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	888RAT_1.1.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	888RAT_1.1.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	888RAT_1.1.1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	888RAT_1.1.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	888RAT_1.1.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	888RAT_1.1.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	888RAT_1.1.1.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4836	chrome.exe
4836	chrome.exe
4796	chrome.exe
4796	chrome.exe
3740	chrome.exe
3740	chrome.exe
4700	chrome.exe
4700	chrome.exe
900	chrome.exe
900	chrome.exe
856	chrome.exe
856	chrome.exe
300	chrome.exe
300	chrome.exe
580	chrome.exe
580	chrome.exe
2372	chrome.exe
2372	chrome.exe
4104	chrome.exe
4104	chrome.exe
4796	chrome.exe
4796	chrome.exe
2248	chrome.exe
2248	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

chrome.exe

pid	process
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zG.exe888RAT_1.1.1.exe888RAT_1.1.1.exe

description	pid	process
Token: SeRestorePrivilege	4892	7zG.exe
Token: 35	4892	7zG.exe
Token: SeSecurityPrivilege	4892	7zG.exe
Token: SeSecurityPrivilege	4892	7zG.exe
Token: SeDebugPrivilege	4500	888RAT_1.1.1.exe
Token: SeDebugPrivilege	4636	888RAT_1.1.1.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe7zG.exe

pid	process
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4892	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe
4796	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4796 wrote to memory of 2852	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 2852	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 1864	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4836	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4836	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe
PID 4796 wrote to memory of 4056	4796	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.upload.ee/files/14882274/888RAT_1.1.1.rar.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xb0,0xa8,0xd4,0xac,0xd8,0x7ffdd8cd4f50,0x7ffdd8cd4f60,0x7ffdd8cd4f70
2⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 /prefetch:8
2⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1756 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:2
2⤵
PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1
2⤵
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4052 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
2⤵
PID:748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
2⤵
PID:776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
2⤵
PID:1724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
2⤵
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5364 /prefetch:8
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6488 /prefetch:8
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5288 /prefetch:8
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:8
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
PID:3332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
2⤵
PID:472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5272 /prefetch:8
2⤵
- Drops file in Program Files directory
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
2⤵
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:8
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
2⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
2⤵
PID:472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,8109459142476359111,3055321902041193697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6352 /prefetch:8
2⤵
PID:1092

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x328
1⤵
PID:4652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2352

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\888RAT_1.1.1\" -spe -an -ai#7zMap2092:86:7zEvent8740
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4892

C:\Users\Admin\Downloads\888RAT_1.1.1\888RAT_1.1.1.exe
"C:\Users\Admin\Downloads\888RAT_1.1.1\888RAT_1.1.1.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Users\Admin\Downloads\888RAT_1.1.1\888RAT_1.1.1.exe
"C:\Users\Admin\Downloads\888RAT_1.1.1\888RAT_1.1.1.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

7

Virtualization/Sandbox Evasion

2

System Information Discovery

5