gh0strat | e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
Size

2.3MB
MD5

5bd70186899c032e2f05fe9894c02698
SHA1

5a3a792a406f7a75c58e1b72fe24acffb8b088bd
SHA256

e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d
SHA512

1049c54a7c2ccd36bef6cee5853da8e931889fbe045b0a189e6d13090df8b443ed228f3abe9ba4dc8338eee3a97fd6b6e2a5267e35f9a90a8b35cf109c0ea790
SSDEEP

49152:x1vKR2L2PzCOXeiBFuKqFt9yW3Dv5lju+AVJ366N5zr9pgNrZgX8IwQk0:v8TeEFuKqFtcWTRljuZj9pigX8If

Score

10^/10

gh0strat evasion rat trojan upx

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1244-26210-0x0000000010000000-0x000000001017D000-memory.dmp	family_gh0strat
behavioral2/memory/1244-26226-0x0000000000400000-0x000000000051F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

7zxvcc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7zxvcc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7zxvcc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7zxvcc.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 4 IoCs

Processes:

7zxvcc.exe7z.exesvchost.exesvchost.exe

pid process

4268 7zxvcc.exe
3204 7z.exe
4432 svchost.exe
1244 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

4432 svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4268	7zxvcc.exe
3204	7z.exe
4432	svchost.exe
1244	svchost.exe

pid	process
4432	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1244-26203-0x0000000000400000-0x000000000051F000-memory.dmp	upx
behavioral2/memory/1244-26206-0x0000000000400000-0x000000000051F000-memory.dmp	upx
behavioral2/memory/1244-26207-0x0000000000400000-0x000000000051F000-memory.dmp	upx
behavioral2/memory/1244-26208-0x0000000000400000-0x000000000051F000-memory.dmp	upx
behavioral2/memory/1244-26226-0x0000000000400000-0x000000000051F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

7zxvcc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 7zxvcc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7zxvcc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe7zxvcc.exe

pid	process
5108	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
5108	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
5108	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
5108	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
5108	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
5108	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
5108	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
4268	7zxvcc.exe
4268	7zxvcc.exe
4268	7zxvcc.exe
4268	7zxvcc.exe
4268	7zxvcc.exe
4268	7zxvcc.exe
4268	7zxvcc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4432 set thread context of 1244 4432 svchost.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2796 4432 WerFault.exe svchost.exe

description	pid	process	target process
PID 4432 set thread context of 1244	4432	svchost.exe	svchost.exe

pid	pid_target	process	target process
2796	4432	WerFault.exe	svchost.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

7zxvcc.exee8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	7zxvcc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	7zxvcc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	cmd.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

7z.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\0BC5E76773D2E44FC9903D4DFEFE451553BBEC4A	7z.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\0BC5E76773D2E44FC9903D4DFEFE451553BBEC4A\Blob = 0300000001000000140000000bc5e76773d2e44fc9903d4dfefe451553bbec4a1400000001000000140000000f2acb208728b8ec6f48ae2b54a629aa17a4cd0c040000000100000010000000e88a7f88dd89c62a2bb99cc988d2d2a40f00000001000000300000000eeb0f83c55ccaaf275cec9caaed00280b6dd9bd8e37bd8a191a5cf77a0e2d1298edb019e2a1e67e3f7bd4b1c7616dc01900000001000000100000002fe9fcbfd4aabc3251c32cffb9d3456a5c0000000100000004000000000c00001800000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c20000000010000001e0600003082061a30820402a0030201020210621d6d0c52019e3b9079152089211c0a300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3336303332313233353935395a3054310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312b3029060355040313225365637469676f205075626c696320436f6465205369676e696e6720434120523336308201a2300d06092a864886f70d01010105000382018f003082018a02820181009b2b9d53fa353f8e6006436ac0cff57ff6c8535318c8ced36c7efc580795177965330b111e0046466c437840c802b092d950a8564e18ffc8fab2d22499857919e8f8360363550e016280e318cc1d8e2a176a7d6195a185b785a4f6f4f4936a1624c2632fd1bffcde76de1026e23178523ad6da9beff7e85d3d7f2d6db01f237bf455d26224f172ffb5f08ae9c3ee607136d79c33acad21d525874f13db3ee62445d90fd396709919939c03b9fdaae763cde378dce13f4e9285d9d1aad665579f7ef32bfe288844e482ccaa039960010d1cd5fd4890e6faac69e15aa9077315fe1e77ca5e35687539a6579d8bd94205b1fd25e2243452028951cd9119aae13a71b707ef8ec51e772cfcacdc9f409cbf68eb396f8b3e69cec81fad01f896bb4d533e10abf55ae4c6c1c2e6a14dc5a4e14c6e63e3f29cf8e0c3d9d5ff7e60440842dcbf35077fdb21a05beb9f7e5719fd913da3533b6b9267a9fda2dbfb8c496ca647caf6a1004c765ca1da7e478ab6388ca9c51fff6046f77e40e7dd46b2596f5b0203010001a382016430820160301f0603551d2304183016801432eb929aff3596482f284042702036915c1785e6301d0603551d0e041604140f2acb208728b8ec6f48ae2b54a629aa17a4cd0c300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff02010030130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c010401304b0603551d1f044430423040a03ea03c863a687474703a2f2f63726c2e7365637469676f2e636f6d2f5365637469676f5075626c6963436f64655369676e696e67526f6f745234362e63726c307b06082b06010505070101046f306d304606082b06010505073002863a687474703a2f2f6372742e7365637469676f2e636f6d2f5365637469676f5075626c6963436f64655369676e696e67526f6f745234362e703763302306082b060105050730018617687474703a2f2f6f6373702e7365637469676f2e636f6d300d06092a864886f70d01010c0500038202010006ff82e17763366e7ba115209b13ff04fe98754461c3569571d1913f85a1eb4040b1c8d6e072fd85ca64393cf98d4ba0da87ae9db600a306c50b600a2be70c7172010f465d39a593b32372041b0c2c7a9a7ef221ac2ca695a4bdf3e429a010b22a9a4fd0e731604754d21a6c6aa0412193ad05a8e3730e7ec3f29e16f3d87cb17f95d6299a51bebddd31aa5a9dd3df620a19f220cbd8e477b18ced809adb1ba559f43a135c59b583445ff7b01a7a7d65e1cfb0dc30be224c0592f8c55778d2e3d65273895284a2ba06b3d3258b38346d431b39a94e84e7c28a99f1f0268b65e5667b9c842e0d3d265a3c04c7bcd233b7ecf53c7a37e43fdfee3da93b54bc042cac4031c26cce4c9e89a7ab969870a0ac75b8747337213a6f1b9229cbad8acaa628be4e4ee9c0bed38d128b5e4a269b90f552676cfbea62a7cc07d9c4297fdddab7754370e2b837b130a08241d246a4ea94b312ee08eb853a819b3bb52fdd18d4a58dfd8e4929d1afb296cead37ce5f25ef98f2fa139db3d4d649e9cb6e305050647de9c16bea51147c02041d50b52faf18d461b1c78fde448f36badf376b11cc562c35fac5696cfc60e754db9e2a35941f77d3bf563c59d868ebdf1800347b4cdc7c5fccf605ebfa4a2bc104e1d8faeaa28ab66d834cbd4a14283f3982727eb74b26ad6adbf1d79ed82bd86570f995a1ad680c4e7f2fd528d9b0b96b8087d91c	7z.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692	7z.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692\Blob = 030000000100000014000000329b78a5c9ebc2043242de90ce1b7c6b1ba6c69214000000010000001400000032eb929aff3596482f284042702036915c1785e60400000001000000100000002aa320982e00193fad3bd0ea5406e4cd0f0000000100000030000000a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a41900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000730500003082056f30820457a003020102021048fc93b46055948d36a7c98a89d69416300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3231303532353030303030305a170d3238313233313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a38201123082010e301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c01040130430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010012bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8	7z.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

mmc.exesvchost.exe

description	pid	process
Token: 33	4064	mmc.exe
Token: SeIncBasePriorityPrivilege	4064	mmc.exe
Token: 33	4064	mmc.exe
Token: SeIncBasePriorityPrivilege	4064	mmc.exe
Token: 33	1244	svchost.exe
Token: SeIncBasePriorityPrivilege	1244	svchost.exe
Token: 33	1244	svchost.exe
Token: SeIncBasePriorityPrivilege	1244	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe7zxvcc.exemmc.exe

pid	process
5108	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
5108	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
4268	7zxvcc.exe
4268	7zxvcc.exe
4064	mmc.exe
4064	mmc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe7zxvcc.execmd.exemmc.exesvchost.exe

description	pid	process	target process
PID 5108 wrote to memory of 4268	5108	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe	7zxvcc.exe
PID 5108 wrote to memory of 4268	5108	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe	7zxvcc.exe
PID 5108 wrote to memory of 4268	5108	e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe	7zxvcc.exe
PID 4268 wrote to memory of 1660	4268	7zxvcc.exe	cmd.exe
PID 4268 wrote to memory of 1660	4268	7zxvcc.exe	cmd.exe
PID 4268 wrote to memory of 1660	4268	7zxvcc.exe	cmd.exe
PID 1660 wrote to memory of 3204	1660	cmd.exe	7z.exe
PID 1660 wrote to memory of 3204	1660	cmd.exe	7z.exe
PID 1660 wrote to memory of 3204	1660	cmd.exe	7z.exe
PID 1660 wrote to memory of 1400	1660	cmd.exe	WScript.exe
PID 1660 wrote to memory of 1400	1660	cmd.exe	WScript.exe
PID 1660 wrote to memory of 1400	1660	cmd.exe	WScript.exe
PID 4064 wrote to memory of 4432	4064	mmc.exe	svchost.exe
PID 4064 wrote to memory of 4432	4064	mmc.exe	svchost.exe
PID 4064 wrote to memory of 4432	4064	mmc.exe	svchost.exe
PID 4432 wrote to memory of 1244	4432	svchost.exe	svchost.exe
PID 4432 wrote to memory of 1244	4432	svchost.exe	svchost.exe
PID 4432 wrote to memory of 1244	4432	svchost.exe	svchost.exe
PID 4432 wrote to memory of 1244	4432	svchost.exe	svchost.exe
PID 4432 wrote to memory of 1244	4432	svchost.exe	svchost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

7zxvcc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7zxvcc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7zxvcc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7zxvcc.exe

C:\Users\Admin\AppData\Local\Temp\e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe
"C:\Users\Admin\AppData\Local\Temp\e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108

C:\Programdata\7zxvcc.exe
C:\Programdata\7zxvcc.exe
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c unzip.bat
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660

C:\Programdata\7z.exe
7z.exe sign /f cache.dat /p aa123123 /d 58170001 /v "glib.dll"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3204

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Programdata\2.vbe"
4⤵
PID:1400

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4064

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4432

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 252
3⤵
- Program crash
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4432 -ip 4432
1⤵
PID:3576

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\7z.exe
Filesize
221KB

MD5
d4e274097855a46146d39e8401c13103

SHA1
c620c2f14ae43ebe358d0d7b69da4469279d236a

SHA256
34d192505952e5a11ec69ffc4a963764125996edba9eed26ec5662cf7948f8e8

SHA512
3f8b3e288a87be8024fa1beb3e5e96cff75fa6b52cfeb6d3b21b3ae32d3242bb89da7adb25602ee3130bae971b8ec25c84378c4d77b03171de699457d37fd834

Download Submit
C:\ProgramData\7zxvcc.exe
Filesize
2.3MB

MD5
5bd70186899c032e2f05fe9894c02698

SHA1
5a3a792a406f7a75c58e1b72fe24acffb8b088bd

SHA256
e8b47dc9b7ef12f900b0bd04b47af64527a12fda9e08dfa67ae6c39b55d9f02d

SHA512
1049c54a7c2ccd36bef6cee5853da8e931889fbe045b0a189e6d13090df8b443ed228f3abe9ba4dc8338eee3a97fd6b6e2a5267e35f9a90a8b35cf109c0ea790

Download Submit
C:\ProgramData\TASLoginBase.dll
Filesize
103KB

MD5
89fcdf644d461351714a1aff90f7dff6

SHA1
67edb564e48647032e9eec0896adac26da7258e5

SHA256
14a9e7038a42bb7ced0b52b7ff6cb6dbe9f0a6bf601d5ed7749332944b06d174

SHA512
6b973d8a200b5fbd848b51e099d26f3046200d22d10c5705c5ba6d4d8d1361193f105dbf9f8fe57475f24860db2da6739da4b1d51b8e589e822c341e48d08e67

Download Submit
C:\ProgramData\Tencent.lnk
Filesize
897B

MD5
7ad1be0d3c8e0cba7f7d848aa49d7b23

SHA1
c62c42b497f08f951a623bd38eb828b6b552f672

SHA256
b5896994693d527b666248cd011581e2f54ce0b174ad7979319406d9a514988c

SHA512
a2040e23ce93698479cb9bc67f793f00922d3c6748cb3e15659b667d7346d6c9943e4faddf9d540c5ef58414a5986a45e282ae83cadca50243220965f0617e64

Download Submit
C:\ProgramData\cache.dat
Filesize
7KB

MD5
2dee19fb2b899134c3532687db5f9d3f

SHA1
f78098140f7de8158fdb683c31ab9b50b1b88454

SHA256
ae25561400fed84253d688af90e27670d12e1a9454f83f084d4137789eb0cbd0

SHA512
6d0adf805d152b4e0dc38f848383457e8185fc42d0a704fdf2b8a89ec96306843169ba96355b93f697ef0e3144ef13278226e4310d25b3e5463d144abd4ed8a8

Download Submit
C:\ProgramData\svchost.exe
Filesize
411KB

MD5
66557b2bd93e70a2804e983b279ab473

SHA1
4e58505689fd9643b5011880ce94b22cbfadf917

SHA256
a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31

SHA512
b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4

Download Submit
C:\ProgramData\update.log
Filesize
462KB

MD5
36569f853d22511c06e013d3ea86979a

SHA1
40feb35f2ec315a269c41f55f2c3c36a4f15d674

SHA256
2f6a402c99acddf48110bce3df6a0c67277efbd0fa2bcdc71b8a7b73ba4f53e8

SHA512
94ac069f292d1a97f76e182387f1865b26831d626108e54477c5096d5d1f98b2806b38cc71deafdae779d046516e6775ad99f56608b17ba3539fd1352704a9c4

Download Submit
C:\Programdata\2.vbe
Filesize
170B

MD5
e354f56e782e7db68f958e2d8d4d1b96

SHA1
69d51ed0e772cdcb9435d2566871c9bc80d77dfd

SHA256
ec8a6021a9e01ccaa823231d593e78b13f512811fb83563bb8cdb444d2b0f55b

SHA512
95e2cc8332b0375702bdac36d09509857ab0ec8b8cd7dda537324961db1ed5b58981e2ac0f9b611612e71e0b201cb4846adcf63e1c832f888eccbd59e76287c2

Download Submit
C:\Programdata\glib.dll
Filesize
103KB

MD5
e1b24eca469ef69ff000d6e8cdcc420c

SHA1
b6ad626ecf620e6a496743215ad530837d90fd9d

SHA256
a13f7fddbcdfc95f784dadbb4a2d4c7bd95a6e67c96c0a06bc7617443cfc2c2d

SHA512
c2987f0f63d0a8c93b028ae54da6af1c99f62aba100d63ab17fb3fa9601faad01f0ca1761d605ff3f95e50d88c63fff7c22f9b39bdaad6611fa181ffc15b1145

Download Submit
C:\Programdata\unzip.bat
Filesize
229B

MD5
20fd99cc3bc7eb0ad9d421895fedc22b

SHA1
68b7782f08a29f3e7351f37122ae99220a062224

SHA256
fe6bc55e16ec1a889d344c9f09d8fce455cf26374f61df1086bdeb14d9d2a9bd

SHA512
bc8828e39a5886b91352db967eab2dcc99dc4c2610f49019710959d0dd741acc2c1e82c8b4f840be9f1037b26c0b542cb397caaeca2a855a43a79a40d348ed1e

Download Submit
memory/1244-26203-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1244-26206-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1244-26207-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1244-26208-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/1244-26210-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/1244-26226-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/4268-26155-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4268-13081-0x0000000076A60000-0x0000000076C75000-memory.dmp

Filesize
2.1MB

Download
memory/4268-26152-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4268-26153-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4268-26202-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4268-26156-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4268-26157-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/4268-26150-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4268-18965-0x0000000075350000-0x00000000753CA000-memory.dmp

Filesize
488KB

Download
memory/4268-16956-0x00000000760D0000-0x0000000076270000-memory.dmp

Filesize
1.6MB

Download
memory/4268-26151-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/4432-26201-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5108-0-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/5108-13075-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/5108-13074-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/5108-13072-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/5108-13077-0x0000000050000000-0x0000000050109000-memory.dmp

Filesize
1.0MB

Download
memory/5108-15716-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/5108-13071-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/5108-13070-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/5108-13069-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/5108-5884-0x0000000075350000-0x00000000753CA000-memory.dmp

Filesize
488KB

Download
memory/5108-3875-0x00000000760D0000-0x0000000076270000-memory.dmp

Filesize
1.6MB

Download
memory/5108-1-0x0000000076A60000-0x0000000076C75000-memory.dmp

Filesize
2.1MB

Download