fatalrat | e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8

Analysis

max time kernel
124s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2023 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
Size

451KB
MD5

3f912633a9016be09ed0ad9198b04858
SHA1

088c7e6811ba2423d1d70d781425c6d458881138
SHA256

e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8
SHA512

aef19da24f15c72002de4cb7643d3f58d553e4fe46758c93b8a06dd40736c8e08d37c1f622af6880c340ced1fd7a4b44901b80e2942e8329348aa6339edf713d
SSDEEP

6144:qgpp0YsbYHF5TFmQCvUadFljva69ZCQEE5aFKM9tZMllMQcBBsqR6DQ9L78H:qgp6yF5id3dfwrZ4lM/BBsqR00H8H

Score

10^/10

fatalrat gh0strat evasion infostealer persistence rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/1780-187-0x0000000002A60000-0x0000000002A74000-memory.dmp	family_gh0strat
behavioral2/memory/1780-189-0x0000000002A60000-0x0000000002A74000-memory.dmp	family_gh0strat
behavioral2/memory/1780-196-0x0000000002A60000-0x0000000002A74000-memory.dmp	family_gh0strat
behavioral2/memory/1780-197-0x0000000002A60000-0x0000000002A74000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Fatal Rat payload 3 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/4256-32-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat
behavioral2/memory/4516-51-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat
behavioral2/memory/2908-125-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	PTvrst.exe

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
4712	spolsvt.exe
4256	spolsvt.exe
4776	spolsvt.exe
4516	spolsvt.exe
1004	PTvrst.exe
4604	spolsvt.exe
4956	spolsvt.exe
1224	spolsvt.exe
2908	spolsvt.exe
676	spolsvt.exe
1780	spolsvt.exe
3564	spolsvt.exe
4988	spolsvt.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Wine	PTvrst.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4392-0-0x0000000000400000-0x0000000000552000-memory.dmp	upx
behavioral2/memory/4392-3-0x0000000000400000-0x0000000000552000-memory.dmp	upx
behavioral2/memory/4392-4-0x0000000000400000-0x0000000000552000-memory.dmp	upx
behavioral2/memory/4392-57-0x0000000000400000-0x0000000000552000-memory.dmp	upx
behavioral2/memory/4392-59-0x0000000000400000-0x0000000000552000-memory.dmp	upx
behavioral2/memory/4392-60-0x0000000000400000-0x0000000000552000-memory.dmp	upx
behavioral2/memory/4392-61-0x0000000000400000-0x0000000000552000-memory.dmp	upx
behavioral2/memory/1780-187-0x0000000002A60000-0x0000000002A74000-memory.dmp	upx
behavioral2/memory/1780-189-0x0000000002A60000-0x0000000002A74000-memory.dmp	upx
behavioral2/memory/4392-195-0x0000000000400000-0x0000000000552000-memory.dmp	upx
behavioral2/memory/1780-196-0x0000000002A60000-0x0000000002A74000-memory.dmp	upx
behavioral2/memory/1780-197-0x0000000002A60000-0x0000000002A74000-memory.dmp	upx

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe"	PTvrst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1004	PTvrst.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 4392 set thread context of 4712	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	83
PID 4712 set thread context of 4256	4712	spolsvt.exe	84
PID 4392 set thread context of 4776	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	85
PID 4776 set thread context of 4516	4776	spolsvt.exe	86
PID 4392 set thread context of 4604	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	98
PID 4604 set thread context of 4956	4604	spolsvt.exe	99
PID 1004 set thread context of 1224	1004	PTvrst.exe	100
PID 1224 set thread context of 2908	1224	spolsvt.exe	101
PID 4392 set thread context of 676	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	102
PID 676 set thread context of 1780	676	spolsvt.exe	103
PID 4392 set thread context of 3564	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	104
PID 3564 set thread context of 4988	3564	spolsvt.exe	105

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\DNomb\spolsvt.exe	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
File created	C:\Windows\DNomb\PTvrst.exe	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
File created	C:\Windows\DNomb\Mpec.mbt	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
File opened for modification	C:\Windows\DNomb\Mpec.mbt	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	spolsvt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	spolsvt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	spolsvt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	spolsvt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	spolsvt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	spolsvt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	spolsvt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	spolsvt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	spolsvt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	spolsvt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	spolsvt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	spolsvt.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4712	spolsvt.exe
4712	spolsvt.exe
4712	spolsvt.exe
4712	spolsvt.exe
4776	spolsvt.exe
4776	spolsvt.exe
4776	spolsvt.exe
4776	spolsvt.exe
4516	spolsvt.exe
4516	spolsvt.exe
4256	spolsvt.exe
4256	spolsvt.exe
4256	spolsvt.exe
4516	spolsvt.exe
4256	spolsvt.exe
4516	spolsvt.exe
4256	spolsvt.exe
4256	spolsvt.exe
4516	spolsvt.exe
4516	spolsvt.exe
4256	spolsvt.exe
4256	spolsvt.exe
4516	spolsvt.exe
4256	spolsvt.exe
4256	spolsvt.exe
4516	spolsvt.exe
4256	spolsvt.exe
4256	spolsvt.exe
4516	spolsvt.exe
4516	spolsvt.exe
4256	spolsvt.exe
4256	spolsvt.exe
4256	spolsvt.exe
4516	spolsvt.exe
4256	spolsvt.exe
4516	spolsvt.exe
4256	spolsvt.exe
4256	spolsvt.exe
4516	spolsvt.exe
4516	spolsvt.exe
4256	spolsvt.exe
4516	spolsvt.exe
4256	spolsvt.exe
4516	spolsvt.exe
4516	spolsvt.exe
4256	spolsvt.exe
4256	spolsvt.exe
4516	spolsvt.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4256	spolsvt.exe
Token: SeDebugPrivilege	4516	spolsvt.exe
Token: SeDebugPrivilege	4956	spolsvt.exe
Token: SeDebugPrivilege	2908	spolsvt.exe
Token: SeDebugPrivilege	1780	spolsvt.exe
Token: SeDebugPrivilege	4988	spolsvt.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
4712	spolsvt.exe
4712	spolsvt.exe
4776	spolsvt.exe
4776	spolsvt.exe
4604	spolsvt.exe
4604	spolsvt.exe
1004	PTvrst.exe
1004	PTvrst.exe
1224	spolsvt.exe
1224	spolsvt.exe
676	spolsvt.exe
676	spolsvt.exe
3564	spolsvt.exe
3564	spolsvt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 4712	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	83
PID 4392 wrote to memory of 4712	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	83
PID 4392 wrote to memory of 4712	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	83
PID 4392 wrote to memory of 4712	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	83
PID 4392 wrote to memory of 4712	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	83
PID 4392 wrote to memory of 4712	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	83
PID 4392 wrote to memory of 4712	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	83
PID 4392 wrote to memory of 4712	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	83
PID 4392 wrote to memory of 4712	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	83
PID 4712 wrote to memory of 4256	4712	spolsvt.exe	84
PID 4712 wrote to memory of 4256	4712	spolsvt.exe	84
PID 4712 wrote to memory of 4256	4712	spolsvt.exe	84
PID 4712 wrote to memory of 4256	4712	spolsvt.exe	84
PID 4712 wrote to memory of 4256	4712	spolsvt.exe	84
PID 4712 wrote to memory of 4256	4712	spolsvt.exe	84
PID 4712 wrote to memory of 4256	4712	spolsvt.exe	84
PID 4712 wrote to memory of 4256	4712	spolsvt.exe	84
PID 4392 wrote to memory of 4776	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	85
PID 4392 wrote to memory of 4776	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	85
PID 4392 wrote to memory of 4776	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	85
PID 4392 wrote to memory of 4776	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	85
PID 4392 wrote to memory of 4776	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	85
PID 4392 wrote to memory of 4776	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	85
PID 4392 wrote to memory of 4776	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	85
PID 4392 wrote to memory of 4776	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	85
PID 4392 wrote to memory of 4776	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	85
PID 4776 wrote to memory of 4516	4776	spolsvt.exe	86
PID 4776 wrote to memory of 4516	4776	spolsvt.exe	86
PID 4776 wrote to memory of 4516	4776	spolsvt.exe	86
PID 4776 wrote to memory of 4516	4776	spolsvt.exe	86
PID 4776 wrote to memory of 4516	4776	spolsvt.exe	86
PID 4776 wrote to memory of 4516	4776	spolsvt.exe	86
PID 4776 wrote to memory of 4516	4776	spolsvt.exe	86
PID 4776 wrote to memory of 4516	4776	spolsvt.exe	86
PID 4392 wrote to memory of 4604	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	98
PID 4392 wrote to memory of 4604	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	98
PID 4392 wrote to memory of 4604	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	98
PID 4392 wrote to memory of 4604	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	98
PID 4392 wrote to memory of 4604	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	98
PID 4392 wrote to memory of 4604	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	98
PID 4392 wrote to memory of 4604	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	98
PID 4392 wrote to memory of 4604	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	98
PID 4392 wrote to memory of 4604	4392	e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe	98
PID 4604 wrote to memory of 4956	4604	spolsvt.exe	99
PID 4604 wrote to memory of 4956	4604	spolsvt.exe	99
PID 4604 wrote to memory of 4956	4604	spolsvt.exe	99
PID 4604 wrote to memory of 4956	4604	spolsvt.exe	99
PID 4604 wrote to memory of 4956	4604	spolsvt.exe	99
PID 4604 wrote to memory of 4956	4604	spolsvt.exe	99
PID 4604 wrote to memory of 4956	4604	spolsvt.exe	99
PID 4604 wrote to memory of 4956	4604	spolsvt.exe	99
PID 1004 wrote to memory of 1224	1004	PTvrst.exe	100
PID 1004 wrote to memory of 1224	1004	PTvrst.exe	100
PID 1004 wrote to memory of 1224	1004	PTvrst.exe	100
PID 1004 wrote to memory of 1224	1004	PTvrst.exe	100
PID 1004 wrote to memory of 1224	1004	PTvrst.exe	100
PID 1004 wrote to memory of 1224	1004	PTvrst.exe	100
PID 1004 wrote to memory of 1224	1004	PTvrst.exe	100
PID 1004 wrote to memory of 1224	1004	PTvrst.exe	100
PID 1004 wrote to memory of 1224	1004	PTvrst.exe	100
PID 1224 wrote to memory of 2908	1224	spolsvt.exe	101
PID 1224 wrote to memory of 2908	1224	spolsvt.exe	101
PID 1224 wrote to memory of 2908	1224	spolsvt.exe	101
PID 1224 wrote to memory of 2908	1224	spolsvt.exe	101

C:\Users\Admin\AppData\Local\Temp\e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe
"C:\Users\Admin\AppData\Local\Temp\e6adc111ea41c5970c4b551ade5ddd39e096c76660fa56c359d614b6c599a8b8.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\DNomb\spolsvt.exe
  C:\Windows\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4256
- C:\Windows\DNomb\spolsvt.exe
  C:\Windows\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
- C:\Windows\DNomb\spolsvt.exe
  C:\Windows\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- C:\Windows\DNomb\spolsvt.exe
  C:\Windows\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:676
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Windows\DNomb\spolsvt.exe
  C:\Windows\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:3564
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2312

C:\Users\Public\Documents\123\PTvrst.exe
"C:\Users\Public\Documents\123\PTvrst.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004
- C:\WINDOWS\DNomb\spolsvt.exe
  C:\WINDOWS\DNomb\spolsvt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Public\Documents\t\spolsvt.exe
    C:\Users\Public\Documents\t\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\yh.png

Filesize
93KB

MD5
ead548883ee8720b59c3a115e05fa278

SHA1
9133f5f58a2701523f42b05a16640ceb29067980

SHA256
5fa6898d935607c8683e641c4cce757ff87675f7762af035698d64a26a9c3169

SHA512
dbedc9572a8f998bd7ce8d7f39aa0326998d7a56df293deaff3ce3eea60d11cef421c7e75d208bec55299735e57e32465a921a895b209a4dcc234e014765ffcc

Download Submit
C:\WINDOWS\DNomb\Mpec.mbt

Filesize
488KB

MD5
d71cc496efbd74e35590f2a1c251d4fd

SHA1
ee178c642200be79b00784e5dda88512c5e48bc7

SHA256
9073d9d6f4788cdd63792aa8fe374519d5fddd59a750829c65981f2f59f08892

SHA512
18665449f6e3db4f4cdcd8e77501a74b0dee32f36318b86aeeff8916d7170cd116bf1b5c2266e1f78dc3194f3407dd6e457a8d9a364b286163af991842a79c01

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
memory/1004-103-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1004-89-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/1004-116-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/1004-105-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/1004-104-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/1004-95-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/1004-96-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/1004-97-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/1004-101-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/1004-102-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1004-98-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/1004-99-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/1004-64-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/1004-65-0x0000000077A24000-0x0000000077A26000-memory.dmp

Filesize
8KB

Download
memory/1004-100-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/1004-94-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/1004-93-0x00000000047E0000-0x00000000047E2000-memory.dmp

Filesize
8KB

Download
memory/1004-92-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/1004-91-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/1004-88-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/1004-90-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/1224-114-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1780-197-0x0000000002A60000-0x0000000002A74000-memory.dmp

Filesize
80KB

Download
memory/1780-196-0x0000000002A60000-0x0000000002A74000-memory.dmp

Filesize
80KB

Download
memory/1780-189-0x0000000002A60000-0x0000000002A74000-memory.dmp

Filesize
80KB

Download
memory/1780-187-0x0000000002A60000-0x0000000002A74000-memory.dmp

Filesize
80KB

Download
memory/2908-125-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4256-32-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4256-26-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4256-20-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4256-22-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4256-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4392-60-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4392-4-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4392-0-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4392-57-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4392-195-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4392-59-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4392-61-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4392-3-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4516-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4516-47-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4516-51-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4604-73-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4712-15-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4712-14-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4712-9-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4712-8-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4712-7-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4712-6-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4776-30-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4776-28-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4776-29-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4776-37-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4776-27-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download