gh0strat | 68a5375b61bf9a4fd4ff8d4f1ae13073391f60289f2efe8d83b297924b643ecd

Analysis

max time kernel
151s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe
Size

9.5MB
MD5

2e6c2043d52211dde035bcde1a74a4d6
SHA1

e71ea4d436c789af01c5416c2e1815bcdf717998
SHA256

68a5375b61bf9a4fd4ff8d4f1ae13073391f60289f2efe8d83b297924b643ecd
SHA512

686ac6211a439a8a4dde3424a48dde1c0b5ee728cd478c9dc64d935ccbc614e336c1ec8d9709e900e407f6da6d3fa7265859cdf94b7e50c91e3d40c760daefa3
SSDEEP

24576:sHnmlJblvSdFP8THlhqe1khlqT6vpAj0qzswz5BJ:2mHz0TqevpGawzx

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 14 IoCs

resource	yara_rule
behavioral1/memory/3024-18-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/3024-19-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/3024-17-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/3024-20-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2624-53-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2624-54-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2624-52-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2624-55-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2300-79-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2300-80-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2300-78-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2300-81-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2300-82-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2300-83-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Detects Windows executables referencing non-Windows User-Agents 12 IoCs

resource	yara_rule
behavioral1/memory/3024-19-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3024-17-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3024-20-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2624-53-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2624-54-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2624-52-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2624-55-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2300-80-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2300-78-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2300-81-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2300-82-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2300-83-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables built or packed with MPress PE compressor 12 IoCs

resource	yara_rule
behavioral1/memory/3024-5-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3024-8-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3024-10-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3024-11-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3024-12-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3024-13-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3024-28-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2624-45-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2624-48-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2624-47-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2624-67-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2300-84-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress

UPX dump on OEP (original entry point) 17 IoCs

resource	yara_rule
behavioral1/memory/3024-14-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/3024-18-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/3024-19-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/3024-17-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/3024-20-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2624-49-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2624-53-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2624-54-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2624-52-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2624-55-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2300-75-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2300-79-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2300-80-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2300-78-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2300-81-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2300-82-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2300-83-0x0000000010000000-0x0000000010362000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2300	SQLservras.exe

Executes dropped EXE 4 IoCs

pid	Process
2512	SQLservras.exe
2624	SQLservras.exe
2720	SQLservras.exe
2300	SQLservras.exe

Loads dropped DLL 7 IoCs

pid	Process
3024	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe
2512	SQLservras.exe
2512	SQLservras.exe
2624	SQLservras.exe
2720	SQLservras.exe
2720	SQLservras.exe
2300	SQLservras.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3024-14-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3024-18-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3024-19-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3024-17-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/3024-20-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2624-49-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2624-53-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2624-54-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2624-52-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2624-55-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2300-75-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2300-79-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2300-80-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2300-78-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2300-81-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2300-82-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2300-83-0x0000000010000000-0x0000000010362000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SQLservras.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 3024	2972	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	28
PID 2512 set thread context of 2624	2512	SQLservras.exe	30
PID 2720 set thread context of 2300	2720	SQLservras.exe	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SQLservras.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SQLservras.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SQLservras.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SQLservras.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	SQLservras.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CA4EF7B8-1228-48B4-9DA6-645F3EB4EF33}\WpadDecisionTime = b0b488551157da01	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-a5-0e-d4-8c-0d	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-a5-0e-d4-8c-0d\WpadDecisionTime = b0b488551157da01	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-a5-0e-d4-8c-0d\WpadDecision = "0"	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CA4EF7B8-1228-48B4-9DA6-645F3EB4EF33}	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0104000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CA4EF7B8-1228-48B4-9DA6-645F3EB4EF33}\WpadDecisionReason = "1"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CA4EF7B8-1228-48B4-9DA6-645F3EB4EF33}\0a-a5-0e-d4-8c-0d	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-a5-0e-d4-8c-0d\WpadDecisionReason = "1"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CA4EF7B8-1228-48B4-9DA6-645F3EB4EF33}\WpadDecision = "0"	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CA4EF7B8-1228-48B4-9DA6-645F3EB4EF33}\WpadNetworkName = "Network 3"	SQLservras.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe
Token: SeDebugPrivilege	2624	SQLservras.exe
Token: SeDebugPrivilege	2300	SQLservras.exe
Token: SeDebugPrivilege	2300	SQLservras.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 3024	2972	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	28
PID 2972 wrote to memory of 3024	2972	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	28
PID 2972 wrote to memory of 3024	2972	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	28
PID 2972 wrote to memory of 3024	2972	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	28
PID 2972 wrote to memory of 3024	2972	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	28
PID 2972 wrote to memory of 3024	2972	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	28
PID 2972 wrote to memory of 3024	2972	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	28
PID 2972 wrote to memory of 3024	2972	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	28
PID 2972 wrote to memory of 3024	2972	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	28
PID 3024 wrote to memory of 2512	3024	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	29
PID 3024 wrote to memory of 2512	3024	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	29
PID 3024 wrote to memory of 2512	3024	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	29
PID 3024 wrote to memory of 2512	3024	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	29
PID 3024 wrote to memory of 2512	3024	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	29
PID 3024 wrote to memory of 2512	3024	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	29
PID 3024 wrote to memory of 2512	3024	2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe	29
PID 2512 wrote to memory of 2624	2512	SQLservras.exe	30
PID 2512 wrote to memory of 2624	2512	SQLservras.exe	30
PID 2512 wrote to memory of 2624	2512	SQLservras.exe	30
PID 2512 wrote to memory of 2624	2512	SQLservras.exe	30
PID 2512 wrote to memory of 2624	2512	SQLservras.exe	30
PID 2512 wrote to memory of 2624	2512	SQLservras.exe	30
PID 2512 wrote to memory of 2624	2512	SQLservras.exe	30
PID 2512 wrote to memory of 2624	2512	SQLservras.exe	30
PID 2512 wrote to memory of 2624	2512	SQLservras.exe	30
PID 2720 wrote to memory of 2300	2720	SQLservras.exe	32
PID 2720 wrote to memory of 2300	2720	SQLservras.exe	32
PID 2720 wrote to memory of 2300	2720	SQLservras.exe	32
PID 2720 wrote to memory of 2300	2720	SQLservras.exe	32
PID 2720 wrote to memory of 2300	2720	SQLservras.exe	32
PID 2720 wrote to memory of 2300	2720	SQLservras.exe	32
PID 2720 wrote to memory of 2300	2720	SQLservras.exe	32
PID 2720 wrote to memory of 2300	2720	SQLservras.exe	32
PID 2720 wrote to memory of 2300	2720	SQLservras.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\2024-02-04_2e6c2043d52211dde035bcde1a74a4d6_icedid.exe
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
    "C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2624

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
1.7MB

MD5
9403d4aebbdd38edf2af41454b10e5aa

SHA1
1c1879038437dbfff885d828094f28c2284fa0e4

SHA256
164c2d4549956a6ab9c28fda688d814b18b7f996b5c87bb9b0f097df48860d2d

SHA512
7add73099f02a51a71015723f96ff72107c47391499506890b628167cac491a0057b8bea24197a1adc82848b1993a5d7d97238710e80adf5c5d12624ddcbd42a

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
1.2MB

MD5
4025fe9b91687f2be19b490dbdc2257a

SHA1
9da9476cad72bfd681aa2972d18a6f8096b800dd

SHA256
7eed66fbbe862967e04dec211505072293ef6e6050a712daa22f06660b705f96

SHA512
b5a9daee1a71da161523acb5c97f0593e7b4e12bdb4c0112b046c2cf0a97c6a7e4db1249e7a5d7232aff02b6b6d406c13ba4f2476a38866cf0c8b27c6eb00b3b

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
912KB

MD5
8e3200b12d16e4f648a92f4effb22836

SHA1
bba54d1067d94e7f7e8cb6f50d49d98b524edab3

SHA256
6628cf2fe2e2d0dc291193181f449a8d655e9a86656b0afd06d70597837b12c3

SHA512
15935944b859e8f900ac354047018cbd892e0219fe0ee73a9296472edc818098a3880f367067fbc142a00b438fbefb9864cde9d93276a4c827b829572654cd6e

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
788KB

MD5
0123521b23e2407322448e7a78f063f2

SHA1
4c4cf149c0ac32d3160c9fba14f95fd7f6622168

SHA256
195a1b82c68760a48df23c991d363332be6dc028045f073dfb3e801de51bfde6

SHA512
883fe6c35cbd103f733d5db2955e8403fbd8fb78f4fba92ae2143c6b38f30091cbaa69e7256c0eb646b769c75547457c05cc7fbaed8919bb21462ab76974c5a0

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
1.8MB

MD5
d991c486a01f19617e1b5367c06f432b

SHA1
0f0e31aa14eb740f0522d929e39e5a50b9f8915c

SHA256
eeb4ca5c3089520f13847cbb7d39568fe788ed5d57a7cf9bcf4c29be957e0adc

SHA512
49a9c788b0b00938d6b985ed266f1f7d5df5319f3be84f50e85590fbe7c008be54ee5194cc03976a0e15151fa38864bf26210e55fae29c306299d20440d885ad

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
244KB

MD5
5c40ffe3ab08d78dcf5e774e93aa8eba

SHA1
0daca094b696c3d767ba7beab453ad26d2a6269a

SHA256
0db9e54c43a95c3edf724bfbe66cd66e0ea17170e15a610b43c06bd2a54e3c54

SHA512
ec00f3456cd4bf47c7f058c2cf24246717b25298f8313bd27d5ed7633ee8658c27c66399bc74bf103a53df9ce81825f3deda48e491c02136de1726bcc88ffa97

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
1.8MB

MD5
efb18a0f62806792e69cf7a2d0278134

SHA1
a375b27e3dc6b6da122b8f198f0b135899037805

SHA256
33405f8cd5811d708b8a08ba1e3a1bd1728ac1b0a7004be23512648bc027e5df

SHA512
9bf2a913a369a1b7aa5268124b32f3ba8f8a385c9a457e8a7acbffb0632572a8b73832c37dda6fef83f3cc5715fde32ca7c4e2f8fb1b8d429b7ee46899cbf805

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
872KB

MD5
e93366dafa83d7f64e385456a3caacee

SHA1
39ec036bf1b7e9ffb2330b175082b1f8b6a5dd39

SHA256
ca7bc0a57cbad3022fb62c12caa703d2bb529ae6bcb440a1422084d268b6462a

SHA512
9f41519a1a2f9bf28adfef74a4ca565f78ac58ed5b01a799cfb504d99b3e6f9df22c222b2c4bf720aa07596ae97349c94da43d4cd7e9881b4360a520605a5223

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
592KB

MD5
4c2bc7b6187e7f7cb0c75e6217ec7c84

SHA1
454ec37fae9f074f473560cb988eb52d8c9d95d5

SHA256
6bc9e4b551348d6ab0380be75633f7380b12281eb8bead4486ec26f511b41756

SHA512
0d781dd6b1eb027b9d7724b746d45c442c66fc6368bfec5b161b9f0377a852262bf7485a81f3647c0cc7a71545875110a2a4045609ccb23c563694f9f9b9b19f

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
433KB

MD5
93a77c6829acbd5b21bb4d3df6aeafd4

SHA1
918ebf8c20c8127f8a42df607128cbe34fd08c7f

SHA256
68cf76a4068a950b7d268d8969483312a48c88e930fb0f25b68ddf23c7dcc602

SHA512
bd0d7fcac99a172ff75f1c5a8e18703644f0831c20e476510e6bcfed5ab0b55b343118823141e79adc19eb446c2cd753b586d71a30c21debcdffaf0349973629

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
1.6MB

MD5
7e07bf16a5c057ce233d5952d2aa5026

SHA1
25c59ff9353c6dfc0e13bc230216fe0c5c61da9f

SHA256
7a52ed4988041372b70dcf90373d0f97c36bee71514e0825294c168b72a38059

SHA512
679bb2b928d2b5a0bcbb7502e46cab81f47a59a63818036f07989c3343a41dac4df0e6e9eb1ba8c57609362bd012222bc2b8860015961d49babc60021096848f

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
215KB

MD5
675b103dfd8f3692ca3ede9dd04a1543

SHA1
8f0da562c955d5018cac42708222e009a32ea3eb

SHA256
cbada6d31bfc7df01c716fe4d9743b81ede03d7fd31cbe9c0c7aaf2b7ea50a50

SHA512
da10f0730b89be1812aab5a26e8f7a3761d0e17be1e784c0b83d76e4652d283b7c4a0448372beb619c496fc6c2933d6822f717bc6be1f7fef386d358dbe9dfde

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe

Filesize
131KB

MD5
93983b17fcbca88b97fe621dac65c132

SHA1
770675ec04964fc460b9c27f71bddd5e98f5f559

SHA256
577e6196d9ddc74c0e66a745cd4bc811bce6d35728c215ced7c7759453ee3d83

SHA512
9781dd7f8b8eb3340c1cae6dffebba0c51ad557b9d508d56e1652f8415cc2d3bb6eb82b52b04518c58021b837a2b4ce11377393ec25b379d50811c81407304ca

Download Submit
memory/2300-82-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2300-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2300-78-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2300-75-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2300-81-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2300-80-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2300-83-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2300-79-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2300-84-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2512-30-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2624-45-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2624-48-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2624-47-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2624-49-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2624-53-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2624-54-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2624-52-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2624-55-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2624-67-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2720-57-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2972-0-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3024-19-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3024-12-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3024-20-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3024-18-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3024-28-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3024-14-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3024-13-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3024-17-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3024-11-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3024-10-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3024-8-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3024-5-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3024-3-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3024-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download