Malware Analysis Report

2025-03-15 03:54

Sample ID 230630-jxpg6age93
Target 新建文件夹 (2).7z
SHA256 75fe871f78a0eea5ce5489c0815c230603aa45e2fc5f7bf67414a90888c63407
Tags vmprotect upx fatalrat infostealer persistence rat
Score 10/10

Analysis Overview

Score 10/10

SHA256

75fe871f78a0eea5ce5489c0815c230603aa45e2fc5f7bf67414a90888c63407

Threat Level: Known bad

The file 新建文件夹 (2).7z was found to be: Known bad.

Malicious Activity Summary

vmprotect upx fatalrat infostealer persistence rat

FatalRat

Fatal Rat payload

VMProtect packed file

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Enumerates connected drives

Adds Run key to start application

Checks computer location settings

Drops file in System32 directory

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-30 08:03

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-30 08:03

Reported

2023-06-30 08:06

Platform

win7-20230621-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
US 104.193.88.77:443 www.baidu.com tcp
US 104.193.88.77:443 tcp

Files

memory/2028-54-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2028-57-0x0000000000400000-0x0000000000873000-memory.dmp

\Users\Public\Pictures\pe.dll

MD5 d0a62532cecac152bc553474d5899a94
SHA1 fbb691817dfbae7518648c82304e42288b8354e3
SHA256 242911c8ec9f435569637d5490219a181eb0438c98f8357227d6424e97485f49
SHA512 9e2150873aa2ce7fa360a5dda0e490f497b716282e827d89e85d50e166a73bd54bbedfa54b5fdb22b31dcfa297b564f922d2cbb152fe490ac336dd2e0fc3ea51

memory/2028-62-0x0000000010000000-0x0000000010021000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7DZDVCQ4\N1NXXFAM.htm

MD5 8c3a72a6d9535401c6a501924ff5f830
SHA1 8e05f6f45154a333bfff2645b3200921ed4a9cf5
SHA256 c6be6906668708d1589c76b01ad3bb0bc04047c3d64ee84a559697cfc1ca0b1b
SHA512 c97a835b890e2860cf667b0ecb92d4aff4b937f536bf1cd56a3459de918334d53577b0ad6c64a2bcf83470540c4ec0439cf0c54e09e56d392c61415b1cf074ed

memory/2028-72-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2028-75-0x0000000010000000-0x0000000010021000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-30 08:03

Reported

2023-06-30 08:06

Platform

win10v2004-20230621-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{23F03270-37F2-49D4-B73B-9E2A7FE4CB38}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FAA5A47B-913E-4D48-A451-0825C617DD57}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{83872F96-E858-4643-9EF3-DFD2AF651CD8}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2556AC7D-4B6A-4943-9EB0-A8C6807AB63E}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C3DD29AC-F316-43C3-90D0-965C573E2050}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8401E070-F66A-4BA3-A8E3-7CA4B7A06A1A}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9578D02F-4206-4D21-A5E1-9D486A35595E}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FFCE30FD-5EE2-40CE-B284-DD89FEF4E1E3}.catalogItem C:\Windows\System32\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\_D0DE469BB8424834A796EDFE1D0176CA.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.baidu.com udp
US 104.193.88.77:443 www.baidu.com tcp
US 8.8.8.8:53 77.88.193.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 104.193.88.77:443 www.baidu.com tcp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 104.193.88.77:443 www.baidu.com tcp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 104.193.88.77:443 www.baidu.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 104.193.88.77:443 www.baidu.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 104.193.88.77:443 www.baidu.com tcp
GB 51.132.193.105:443 tcp
US 104.193.88.77:443 www.baidu.com tcp
NL 8.238.20.254:80 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 104.193.88.77:443 www.baidu.com tcp
US 104.193.88.77:443 tcp

Files

memory/2776-133-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2776-134-0x0000000000400000-0x0000000000873000-memory.dmp

C:\Users\Public\Pictures\gj.dll

MD5 d0a62532cecac152bc553474d5899a94
SHA1 fbb691817dfbae7518648c82304e42288b8354e3
SHA256 242911c8ec9f435569637d5490219a181eb0438c98f8357227d6424e97485f49
SHA512 9e2150873aa2ce7fa360a5dda0e490f497b716282e827d89e85d50e166a73bd54bbedfa54b5fdb22b31dcfa297b564f922d2cbb152fe490ac336dd2e0fc3ea51

memory/2776-142-0x0000000010000000-0x0000000010021000-memory.dmp

memory/2776-146-0x0000000000400000-0x0000000000873000-memory.dmp

memory/2776-148-0x0000000010000000-0x0000000010021000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7RMPX3MN\OHLL01H6.htm

MD5 d51acb034a9a5d7baa2907d8808e229f
SHA1 18452d07dc3a510b51478a77a9610f3fba65aabd
SHA256 6465a3bcbec0a8698e340bf1664e28aabd7bbb5d1705034c1280d49ee7de67da
SHA512 213d551f990d79d997ad2d02867804acd4404e7c281607a0280b9509abe33c38de038ea0961f0a2433a756c5eb88e3aaac2178c2027bcbdc8e0579b72c56cdb8

Analysis: behavioral3

Detonation Overview

Submitted

2023-06-30 08:03

Reported

2023-06-30 08:06

Platform

win7-20230621-en

Max time kernel

133s

Max time network

30s

Command Line

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-06-30 08:03

Reported

2023-06-30 08:06

Platform

win10v2004-20230621-en

Max time kernel

86s

Max time network

135s

Command Line

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\f49acfb27630f8962eb2fe80da75b3e09f4b3d69c8d3c316687200a1c8aa1f4f.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 254.143.241.8.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 13.89.179.8:443 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 23.39.157.169:443 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-06-30 08:03

Reported

2023-06-30 08:06

Platform

win7-20230621-en

Max time kernel

30s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Windows\CurrentVersion\Run\驱动 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹 (2)\\新建文件夹\\Agghosts.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Windows\CurrentVersion\Run\驱动 = "C:\\Users\\Admin\\AppData\\Local\\Agghosts.exe" C:\Users\Admin\AppData\Local\Agghosts.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Agghosts.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe"

C:\Users\Admin\AppData\Local\Agghosts.exe

"C:\Users\Admin\AppData\Local\Agghosts.exe"

Network

N/A

Files

memory/1320-54-0x0000000010000000-0x000000001001D000-memory.dmp

\Users\Admin\AppData\Local\Agghosts.exe

MD5 614ceaa6ab7f39714e24e9e6b7b0c7b4
SHA1 83b63819fe9a9b8c1624e9969fe125088a873cdc
SHA256 e46b0297c7cf534ce46bc673062ed903d11b574fb0602c3bb1a30eb4bbf6f05f
SHA512 406bc2d2602d0b18e41148c211ceeb65580402046b205ae5e2a65421d02e2fb1ffc4fee76fb803b9e3f7b00081375a36b6b9162729ea447a7f10997716529483

C:\Users\Admin\AppData\Local\Agghosts.exe

MD5 614ceaa6ab7f39714e24e9e6b7b0c7b4
SHA1 83b63819fe9a9b8c1624e9969fe125088a873cdc
SHA256 e46b0297c7cf534ce46bc673062ed903d11b574fb0602c3bb1a30eb4bbf6f05f
SHA512 406bc2d2602d0b18e41148c211ceeb65580402046b205ae5e2a65421d02e2fb1ffc4fee76fb803b9e3f7b00081375a36b6b9162729ea447a7f10997716529483

Analysis: behavioral6

Detonation Overview

Submitted

2023-06-30 08:03

Reported

2023-06-30 08:06

Platform

win10v2004-20230621-en

Max time kernel

75s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\驱动 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\新建文件夹 (2)\\新建文件夹\\Agghosts.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\驱动 = "C:\\Users\\Admin\\AppData\\Local\\Agghosts.exe" C:\Users\Admin\AppData\Local\Agghosts.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Agghosts.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹 (2)\新建文件夹\Agghosts.exe"

C:\Users\Admin\AppData\Local\Agghosts.exe

"C:\Users\Admin\AppData\Local\Agghosts.exe"

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 95.101.74.134:443 www.bing.com tcp
NL 95.101.74.134:443 www.bing.com tcp
NL 95.101.74.134:443 www.bing.com tcp
NL 95.101.74.134:443 www.bing.com tcp
US 8.8.8.8:53 134.74.101.95.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp

Files

memory/4732-133-0x0000000000D70000-0x0000000000D95000-memory.dmp

memory/4732-134-0x0000000010000000-0x000000001001D000-memory.dmp

C:\Users\Admin\AppData\Local\Agghosts.exe

MD5 614ceaa6ab7f39714e24e9e6b7b0c7b4
SHA1 83b63819fe9a9b8c1624e9969fe125088a873cdc
SHA256 e46b0297c7cf534ce46bc673062ed903d11b574fb0602c3bb1a30eb4bbf6f05f
SHA512 406bc2d2602d0b18e41148c211ceeb65580402046b205ae5e2a65421d02e2fb1ffc4fee76fb803b9e3f7b00081375a36b6b9162729ea447a7f10997716529483