gh0strat | 5a3aab7a2dc5d4d424a31e5e0024658a536c41ed3aafa4c943af4f8b25c92e6c

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-02-2024 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe
Size

11.3MB
MD5

b39067e43bcc1dbb847e1dc235531530
SHA1

8cecd850929e7ad733507a360e67ba2535065e56
SHA256

5a3aab7a2dc5d4d424a31e5e0024658a536c41ed3aafa4c943af4f8b25c92e6c
SHA512

4b0327f3aba424912d114580080fd43852ca2af9d6a152dac3bcf8490db53df3238e22d32743f17c91baafd79ab0e772e5b6c084ac2b4ec6133dd7cc855d5d8e
SSDEEP

24576:GHnmlJblvSdFP8THlhqe1khlqT6vpAj0qzswz5Be:YmHz0TqevpGawzW

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 13 IoCs

resource	yara_rule
behavioral1/memory/2500-18-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2500-19-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2500-17-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2500-20-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2732-53-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2732-52-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2732-54-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2732-51-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2652-80-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2652-81-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2652-78-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2652-82-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2652-83-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Detects Windows executables referencing non-Windows User-Agents 12 IoCs

resource	yara_rule
behavioral1/memory/2500-18-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2500-19-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2500-17-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2500-20-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2732-53-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2732-52-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2732-54-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2652-80-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2652-81-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2652-78-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2652-82-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2652-83-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables built or packed with MPress PE compressor 13 IoCs

resource	yara_rule
behavioral1/memory/2500-5-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2500-8-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2500-12-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2500-11-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2500-10-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2500-13-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2500-28-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2732-46-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2732-47-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2732-45-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2732-44-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2732-66-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2652-76-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress

UPX dump on OEP (original entry point) 15 IoCs

resource	yara_rule
behavioral1/memory/2500-14-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2500-18-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2500-19-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2500-17-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2500-20-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2732-48-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2732-53-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2732-52-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2732-54-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2732-51-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2652-80-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2652-81-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2652-78-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2652-82-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2652-83-0x0000000010000000-0x0000000010362000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2652	SQLservras.exe

Executes dropped EXE 4 IoCs

pid	Process
2884	SQLservras.exe
2732	SQLservras.exe
2772	SQLservras.exe
2652	SQLservras.exe

Loads dropped DLL 7 IoCs

pid	Process
2500	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe
2884	SQLservras.exe
2884	SQLservras.exe
2732	SQLservras.exe
2772	SQLservras.exe
2772	SQLservras.exe
2652	SQLservras.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2500-14-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2500-18-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2500-19-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2500-17-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2500-20-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2732-48-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2732-53-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2732-52-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2732-54-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2732-51-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2652-74-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2652-79-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2652-80-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2652-81-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2652-78-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2652-82-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2652-83-0x0000000010000000-0x0000000010362000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SQLservras.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 2500	1320	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	28
PID 2884 set thread context of 2732	2884	SQLservras.exe	31
PID 2772 set thread context of 2652	2772	SQLservras.exe	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SQLservras.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SQLservras.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SQLservras.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SQLservras.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	SQLservras.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BFE3C53-C227-473A-B63F-F43AC410E231}\WpadDecisionReason = "1"	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-74-22-09-65-7b\WpadDecisionTime = 90b5c5ba8456da01	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-74-22-09-65-7b	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BFE3C53-C227-473A-B63F-F43AC410E231}\d2-74-22-09-65-7b	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-74-22-09-65-7b\WpadDecision = "0"	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BFE3C53-C227-473A-B63F-F43AC410E231}\WpadNetworkName = "Network 3"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f006a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BFE3C53-C227-473A-B63F-F43AC410E231}	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BFE3C53-C227-473A-B63F-F43AC410E231}\WpadDecisionTime = 90b5c5ba8456da01	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BFE3C53-C227-473A-B63F-F43AC410E231}\WpadDecision = "0"	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-74-22-09-65-7b\WpadDecisionReason = "1"	SQLservras.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe
Token: SeDebugPrivilege	2732	SQLservras.exe
Token: SeDebugPrivilege	2652	SQLservras.exe
Token: SeDebugPrivilege	2652	SQLservras.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2500	1320	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	28
PID 1320 wrote to memory of 2500	1320	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	28
PID 1320 wrote to memory of 2500	1320	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	28
PID 1320 wrote to memory of 2500	1320	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	28
PID 1320 wrote to memory of 2500	1320	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	28
PID 1320 wrote to memory of 2500	1320	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	28
PID 1320 wrote to memory of 2500	1320	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	28
PID 1320 wrote to memory of 2500	1320	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	28
PID 1320 wrote to memory of 2500	1320	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	28
PID 2500 wrote to memory of 2884	2500	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	29
PID 2500 wrote to memory of 2884	2500	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	29
PID 2500 wrote to memory of 2884	2500	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	29
PID 2500 wrote to memory of 2884	2500	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	29
PID 2500 wrote to memory of 2884	2500	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	29
PID 2500 wrote to memory of 2884	2500	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	29
PID 2500 wrote to memory of 2884	2500	2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe	29
PID 2884 wrote to memory of 2732	2884	SQLservras.exe	31
PID 2884 wrote to memory of 2732	2884	SQLservras.exe	31
PID 2884 wrote to memory of 2732	2884	SQLservras.exe	31
PID 2884 wrote to memory of 2732	2884	SQLservras.exe	31
PID 2884 wrote to memory of 2732	2884	SQLservras.exe	31
PID 2884 wrote to memory of 2732	2884	SQLservras.exe	31
PID 2884 wrote to memory of 2732	2884	SQLservras.exe	31
PID 2884 wrote to memory of 2732	2884	SQLservras.exe	31
PID 2884 wrote to memory of 2732	2884	SQLservras.exe	31
PID 2772 wrote to memory of 2652	2772	SQLservras.exe	32
PID 2772 wrote to memory of 2652	2772	SQLservras.exe	32
PID 2772 wrote to memory of 2652	2772	SQLservras.exe	32
PID 2772 wrote to memory of 2652	2772	SQLservras.exe	32
PID 2772 wrote to memory of 2652	2772	SQLservras.exe	32
PID 2772 wrote to memory of 2652	2772	SQLservras.exe	32
PID 2772 wrote to memory of 2652	2772	SQLservras.exe	32
PID 2772 wrote to memory of 2652	2772	SQLservras.exe	32
PID 2772 wrote to memory of 2652	2772	SQLservras.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\2024-02-03_b39067e43bcc1dbb847e1dc235531530_icedid.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
    "C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2732

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
635KB

MD5
5d03995cc4e4d942079297804dea1a6f

SHA1
f6835e03a3c81738b3cd3639305f0d3db41a5679

SHA256
ae5e022cdf5d9507d3f9a8e4946b351598e36ce0374cb4db1e106ed2fef21241

SHA512
a3513ccf773f52339f9b19db7ff8a57ee0e8f692c1a94fc08d9d876e23f97f42ca8103df000c0022736ec019fcfd15ecd89bdf26be427c33a7f781cc1080fa43

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
674KB

MD5
29e246430f82f0eec0e3bd0aae6ae65c

SHA1
a030672942d02bbe67d665a521485251cee31145

SHA256
d1f3dd614611f5fef29ce4e3ebd59c44c00c9d694c800705256dd6c306ae1e1a

SHA512
41ea098873721e2b3cfab00752135433ea71c928f4f19ff79f0f6764d053b3858db6cfb5d860a9d2ce205629c94a63cfe8aae491f25b4287e3506fdb78b64c55

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
454KB

MD5
9b778a9846fa3ad417755c33f3561335

SHA1
21c990b2d4a2c8897df07272a17da5ad15683100

SHA256
1510f8ce421c1aa2b2dc21585b5f3929e655d77979f2f03a55472f4baf86179f

SHA512
63a4ce9bae0320395cf936f8805024a048886aadd4d09a8191e3913242416cdca55f50a1b5ba86d271ffc399c089e5cd66293d1d104441b9479d14e6441a1a88

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
219KB

MD5
6e343c25fcc539bc0e1b46d902b91442

SHA1
c20c5ad5bd808573596dffdb9a1e7a02b7431db8

SHA256
9f96bfee14362924287a27c0ae7ffdf2afe0d55ec73936ff719c709ed4f0b96a

SHA512
0bc473b29d8306b90ed8e364d278b707569dc8044adb584d231f9b3940b51b5c0f97e5e6c89ab90c47dc471b5c8817bceea35c573e559e44adf42a84201db208

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
164KB

MD5
e464b06d62437e30f68880c430d66bb0

SHA1
150239385571ce6da00d678f2f515d470482e682

SHA256
23e9ca61ecfe3db834ae49e0b08fa2d984318620df1aa42115745c34c646a9fa

SHA512
48a0fbce3b623b9f3a407219a85e038285e5b8df7699f1e2595d6fac85062ce820ba4476adbff4815dbc753cd944fc40dcf77a36272aab7c6c4ebbfdef6384e3

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
70KB

MD5
c3ea1638f3382797007fe23c3956551b

SHA1
bac555e74c008b45562c158a0571aaa75d026fc7

SHA256
734eae54e33d5b50a181c8983101adb7794ba46862c8be4a98557b60a656e54f

SHA512
b37204eb2a8219af67faa6a4915d73c1d1e1b730b4239bd9a918394c0090cdc8bd972021cece0318f1bc4cd92c46e86d550b60c97cf189123bd53a69c3d420aa

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
374KB

MD5
5d52fc46dea50c7665dd5eb4635714c8

SHA1
ce60e9aa82f5b42cdc84ae021d7f426fda7135a7

SHA256
07fea8b9d9b62489996fe1833ba22d1ec8fa69af7925729a0f13b909c75d31fc

SHA512
efcc9b8aa848d8b41d7830205ca314a5d0af1e5999dc2aaa58fa780408fa160fbdff1bd6a35875e5e8297dbf197f6d5b9223cef27962a22b6d358956be636d19

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
445KB

MD5
6fa29ccb145e9a9b45173ae21222e48e

SHA1
90c5e4a9c57c85fb7a8373fe069443ce198bc418

SHA256
b236a1b3238f85c3d7f90c2013f1a6ba3dff18358f6e01b53a0a5b622373c786

SHA512
2405d1b44c78feee0792aeb09f1ab498323f95205d073d61b5ffd823fa674ee7ed688ae606a208d6b2ba5e5af92bda47f310c0972c00ff60189c8bbccdd5f9b4

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
256KB

MD5
4dd29d6f8a7994be64b1c1e4f0788a43

SHA1
0266c3d81f493aee17e0dd6e09ea1d772d663522

SHA256
3c98b7712df8f417221e3e69e6acec57aa4f0dd713ed681815dda23bc199d0b3

SHA512
2ff9a40315dd39ded7c6019fa48d616982b5c41830a368ebbf645595256703c6b147f9a8a662f7ea41a958af547f88f899a1b975b630f49d221fd3fca8b5bf45

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
270KB

MD5
85166d54faaeb595368fc76d8d5ccd42

SHA1
6c61cda2a9453057b03313736dc0756d70e11b0d

SHA256
f7a5c29a2a6a9efb0c3b6d5f46b855c5138aaf49dbefa6405f5d1e7e58685e05

SHA512
b950a1c2d98f6dffbf036abeef9c374524580bb65e9422fc9173fed738816ab838a5d4dcfb4bf2a3e25b49fedc0d0162ce921f604b2f9be0989cd7a302e5fe90

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
170KB

MD5
f0661f659358aa53a0b6f980943f2e9b

SHA1
435a0560c79de6c1c87115fb1ce371798a89c7d4

SHA256
5242c8dfddf96ab6e03534bd9a66ad119e34666c473ab462c2a6f3d48f9ca292

SHA512
719c4415a53178b2485fb18bf078bbc0de1b57da5792b570596030b77fd35d19e3d109a3def67b2cc84bb90ccd9fa220ac158a926d2dcd40977c714f357f75b2

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
273KB

MD5
4a1821d2d3fa269f5de2ddf9ede2f2ae

SHA1
45172ec1d5b4d5c0e66338d19857d58c92a8b494

SHA256
9f660a60b4868812b4e54cd851607ba6df8a968637a9837c4960e3adf8581f0c

SHA512
cd713b229a2e635ded07a208dc2d8a9ce49d7e1daf7d3558ae79714546922f6b8d361a776811ba6f720f0b07a06eae561c0cb8af9f4af16b42f8e0e827058e74

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
21KB

MD5
63b194c4d49094d52152b11bc86b5e38

SHA1
31acd40059d63454505e6c9cd8587814e5a138c7

SHA256
2353640b12d9be5754759b2276da030da6c27bdb231d5f2ece79361b8df7658f

SHA512
ae66ad92898f0aca0a36d9e01ece4c927672a9bb06b4ec767f8626b09372873a78051362d8fcd003299b4d03c41355874d939e7ce4f5d27da21c496a7e1999eb

Download Submit
memory/1320-0-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2500-17-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2500-13-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2500-20-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2500-19-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2500-28-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2500-18-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2500-14-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2500-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2500-3-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2500-5-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2500-8-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2500-12-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2500-11-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2500-10-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2652-74-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2652-83-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2652-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-78-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2652-81-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2652-82-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2652-80-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2652-79-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2652-76-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2732-44-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2732-47-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2732-66-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2732-45-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2732-48-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2732-51-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2732-53-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2732-52-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2732-54-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2732-46-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2772-56-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2884-29-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download