gh0strat | f65275ca49e7d7e2ee1abca59bbde6229ab0a1f60e2203c33a9762eee69a43b7

Analysis

max time kernel
152s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
Size

48.5MB
MD5

825ed8f58bc6090cbfbbaeccd0d9e439
SHA1

a632f648a46a2c66552ac9a8df26edb89975f6a1
SHA256

f65275ca49e7d7e2ee1abca59bbde6229ab0a1f60e2203c33a9762eee69a43b7
SHA512

1a2a8e7d09a7b2bbb0d230c46e468e9ed936434884316223f42d0420694af1b3d083d86dffb6f68633ed8e9befb079d03d5db41172b312386501392625263bb9
SSDEEP

49152:EmHz0TqevpGawzeHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHK:EWoTbpZwzx

Score

10^/10

gh0strat rat upx

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-16-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2748-17-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/1132-45-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/1132-44-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2640-66-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2640-67-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2640-68-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral1/memory/2640-69-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Detects Windows executables referencing non-Windows User-Agents 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-16-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2748-17-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1132-45-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1132-44-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2640-66-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2640-67-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2640-68-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2640-69-0x0000000010000000-0x0000000010362000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables built or packed with MPress PE compressor 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-5-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2748-7-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2748-9-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2748-10-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2748-11-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2748-12-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2748-25-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1132-58-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2640-70-0x0000000000400000-0x000000000047A000-memory.dmp	INDICATOR_EXE_Packed_MPress

UPX dump on OEP (original entry point) 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-13-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2748-16-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2748-17-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/1132-41-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/1132-45-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/1132-44-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2640-66-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2640-63-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2640-67-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2640-68-0x0000000010000000-0x0000000010362000-memory.dmp	UPX
behavioral1/memory/2640-69-0x0000000010000000-0x0000000010362000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

SQLservras.exe

pid process

2640 SQLservras.exe
Executes dropped EXE 4 IoCs

Processes:

SQLservras.exeSQLservras.exeSQLservras.exeSQLservras.exe

pid process

2660 SQLservras.exe
1132 SQLservras.exe
2432 SQLservras.exe
2640 SQLservras.exe

pid	process
2640	SQLservras.exe

pid	process
2660	SQLservras.exe
1132	SQLservras.exe
2432	SQLservras.exe
2640	SQLservras.exe

Loads dropped DLL 7 IoCs

Processes:

2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exeSQLservras.exeSQLservras.exeSQLservras.exeSQLservras.exe

pid	process
2748	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
2660	SQLservras.exe
2660	SQLservras.exe
1132	SQLservras.exe
2432	SQLservras.exe
2432	SQLservras.exe
2640	SQLservras.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2748-13-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2748-16-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2748-17-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1132-41-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1132-45-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/1132-44-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2640-66-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2640-63-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2640-67-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2640-68-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral1/memory/2640-69-0x0000000010000000-0x0000000010362000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

SQLservras.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SQLservras.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exeSQLservras.exeSQLservras.exe

description	pid	process	target process
PID 2936 set thread context of 2748	2936	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 2660 set thread context of 1132	2660	SQLservras.exe	SQLservras.exe
PID 2432 set thread context of 2640	2432	SQLservras.exe	SQLservras.exe

Drops file in Program Files directory 2 IoCs

Processes:

2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SQLservras.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SQLservras.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SQLservras.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SQLservras.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SQLservras.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	SQLservras.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

SQLservras.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0081000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1898A27-0D79-4999-BE45-34B77F5023CF}\WpadNetworkName = "Network 3"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1898A27-0D79-4999-BE45-34B77F5023CF}\ea-28-a8-cd-b8-72	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1898A27-0D79-4999-BE45-34B77F5023CF}\WpadDecision = "0"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-28-a8-cd-b8-72	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1898A27-0D79-4999-BE45-34B77F5023CF}\WpadDecisionTime = 00b75758b0acda01	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-28-a8-cd-b8-72\WpadDecisionReason = "1"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1898A27-0D79-4999-BE45-34B77F5023CF}	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1898A27-0D79-4999-BE45-34B77F5023CF}\WpadDecisionReason = "1"	SQLservras.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-28-a8-cd-b8-72\WpadDecisionTime = 00b75758b0acda01	SQLservras.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-28-a8-cd-b8-72\WpadDecision = "0"	SQLservras.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SQLservras.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SQLservras.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exeSQLservras.exeSQLservras.exe

description	pid	process
Token: SeDebugPrivilege	2748	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
Token: SeDebugPrivilege	1132	SQLservras.exe
Token: SeDebugPrivilege	2640	SQLservras.exe
Token: SeDebugPrivilege	2640	SQLservras.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exeSQLservras.exeSQLservras.exe

description	pid	process	target process
PID 2936 wrote to memory of 2748	2936	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 2936 wrote to memory of 2748	2936	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 2936 wrote to memory of 2748	2936	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 2936 wrote to memory of 2748	2936	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 2936 wrote to memory of 2748	2936	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 2936 wrote to memory of 2748	2936	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 2936 wrote to memory of 2748	2936	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 2936 wrote to memory of 2748	2936	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 2936 wrote to memory of 2748	2936	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
PID 2748 wrote to memory of 2660	2748	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	SQLservras.exe
PID 2748 wrote to memory of 2660	2748	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	SQLservras.exe
PID 2748 wrote to memory of 2660	2748	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	SQLservras.exe
PID 2748 wrote to memory of 2660	2748	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	SQLservras.exe
PID 2748 wrote to memory of 2660	2748	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	SQLservras.exe
PID 2748 wrote to memory of 2660	2748	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	SQLservras.exe
PID 2748 wrote to memory of 2660	2748	2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe	SQLservras.exe
PID 2660 wrote to memory of 1132	2660	SQLservras.exe	SQLservras.exe
PID 2660 wrote to memory of 1132	2660	SQLservras.exe	SQLservras.exe
PID 2660 wrote to memory of 1132	2660	SQLservras.exe	SQLservras.exe
PID 2660 wrote to memory of 1132	2660	SQLservras.exe	SQLservras.exe
PID 2660 wrote to memory of 1132	2660	SQLservras.exe	SQLservras.exe
PID 2660 wrote to memory of 1132	2660	SQLservras.exe	SQLservras.exe
PID 2660 wrote to memory of 1132	2660	SQLservras.exe	SQLservras.exe
PID 2660 wrote to memory of 1132	2660	SQLservras.exe	SQLservras.exe
PID 2660 wrote to memory of 1132	2660	SQLservras.exe	SQLservras.exe
PID 2432 wrote to memory of 2640	2432	SQLservras.exe	SQLservras.exe
PID 2432 wrote to memory of 2640	2432	SQLservras.exe	SQLservras.exe
PID 2432 wrote to memory of 2640	2432	SQLservras.exe	SQLservras.exe
PID 2432 wrote to memory of 2640	2432	SQLservras.exe	SQLservras.exe
PID 2432 wrote to memory of 2640	2432	SQLservras.exe	SQLservras.exe
PID 2432 wrote to memory of 2640	2432	SQLservras.exe	SQLservras.exe
PID 2432 wrote to memory of 2640	2432	SQLservras.exe	SQLservras.exe
PID 2432 wrote to memory of 2640	2432	SQLservras.exe	SQLservras.exe
PID 2432 wrote to memory of 2640	2432	SQLservras.exe	SQLservras.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2936

C:\Users\Admin\AppData\Local\Temp\2024-05-23_825ed8f58bc6090cbfbbaeccd0d9e439_icedid.exe
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2660

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
"C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2432

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
Filesize
41.4MB

MD5
8721385a97c6d839290fcf7825c74c52

SHA1
f35878170d9fefc37e0923da75c2033fd624ef75

SHA256
0ee1e7982f154e5d2b8c1af22e2649ae78a48620f56de68fb630af8d5d9d8187

SHA512
eb371898ff376a55b7c0055494c3ab3f2a0c487a46c01c3cce002785188a8ee4f0ea62929cb88fe792094e00106e99d158a5cb251c053b97b3a549935e10353f

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
Filesize
40.9MB

MD5
695ac18b12df60227a01d9eb2ce9d262

SHA1
11aac10ab975ca65f4c018a750854810f9ee7fbe

SHA256
ae3a7e6d39be258a69d2fae197f6607cb599e86c672401fef71b763040d59250

SHA512
db7325790b8e9b5076cc0283c787e9b4d97068d1dc22fa2dfc75ca925a163199ea7880f416c48a084385916a183aa4d17e6a3621eeccb9b94f6b9b2331b91a22

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
Filesize
38.6MB

MD5
428c309627f4df095ef8f647822e2f36

SHA1
9cc105f7f94b039ca6079aff7f212c3bc944cead

SHA256
84d005335ccec7316f030415d3e3a2547b4bbbc7b9286bff9cf506a28fe3a9e3

SHA512
0ef9d63d76e697a7649b8275cb0c122e44d3f9f1616247f92cc81870d03fcef3cd05d1d2153281efbf7fa7f086eb320a07a69780629c9d138a39ac09a1b9ebfa

Download Submit
C:\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
Filesize
36.2MB

MD5
e9f383c229c7fc4201ff3b00bbd31b76

SHA1
a5c27e8569a5bc80cde760704c36989a03ae7bc9

SHA256
e5a89d1abaa2e8dc15d3c59d3283a3db75a0dc6d866ed07c262fb4eb58a3a379

SHA512
18f3740e5d938a4fac8ee9b30e9d083fc400fcb813b37000fce150b75a816fe783b1b2ad9d3a1497ecc18e5010feaea90108ef7779445bdd337daa6a17790a7b

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
Filesize
48.5MB

MD5
825ed8f58bc6090cbfbbaeccd0d9e439

SHA1
a632f648a46a2c66552ac9a8df26edb89975f6a1

SHA256
f65275ca49e7d7e2ee1abca59bbde6229ab0a1f60e2203c33a9762eee69a43b7

SHA512
1a2a8e7d09a7b2bbb0d230c46e468e9ed936434884316223f42d0420694af1b3d083d86dffb6f68633ed8e9befb079d03d5db41172b312386501392625263bb9

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
Filesize
40.5MB

MD5
5a23eafaa8591d06a0d966989089885e

SHA1
a06a8ab406b18cae41d4b259dc6ff91b93803a23

SHA256
daba5ec267ac472b338b65661e420dc7d61d0a91e06d9b78a0c590a9829e6c6a

SHA512
d4f91db49426acc976d475d962dbd81fbb43c864f3093e389b1535f2436229ddc71242b1b94110086efdd5b46d5e0b8c69667488f733e62febf5a0a612082f18

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
Filesize
40.4MB

MD5
2acacaf73446ed827fd381fe3391d43d

SHA1
e82e3440a275458121308ab0eef5241ab634ad8d

SHA256
281f9b24e9d309b993971b6625a390c110a5e7d258dbfa5fbf955392ed787059

SHA512
b8185f74a12aa527464c4af4fdedcf866bb2d422bf9aa991d71ae3ffd25cb6c338a6919cc7b4ee87ec4e7d54739dd3d0a726f30c84c4a4011d3da3dfb44a372c

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
Filesize
38.4MB

MD5
9f0b6133f411495f4e6ba9083771d1e0

SHA1
5f91449f1bfc8111baacbf6dd4ef7c8a9a10f978

SHA256
d3d77b5efb5a2305a8b54d8a30fdabff48b947b61c0511149a5ae9eaf6df8614

SHA512
566eec77c8c792396860a328312444e61055b831587680c107b0a35fab33cfec159a737c65e870a018fce7a67254ef402bab922077944ec5f265a64a3d069eb0

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
Filesize
39.1MB

MD5
39a21d6ee26b6578319d907cd8b0cb04

SHA1
7b2e1996610a24cbee89420c889dced09658baad

SHA256
fac3162d9ecf856bd5893702820d05c3791c7f0a7b7516beedad30397265a37a

SHA512
4492af0eec6a30367452366c4fa7782f585ffbd81ea1be61e1b6bedf1d35862517af89fd78858a0963ecc2d10d93df4691c21112131d4feb387b0881fa32737a

Download Submit
\Program Files (x86)\Microsoft SQL Server\SQLservras.exe
Filesize
38.6MB

MD5
e33a2242dc0531c7cbe287fcc595609b

SHA1
5f6df386f7d9b52a5ed0320975511c1b0a3ad502

SHA256
740e462cc30b5308bf6f8d847552e754f2ecf8cb3f47383dfd2577f4cbf8a07c

SHA512
068104b5562a2510ba78b77fcfe7b16aaaa5bceaff2655e3156ed650203a061b257a9966507fd99d460a25a9a895930103c188f494eb624b95af25a4a002dbf6

Download Submit
memory/1132-44-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1132-41-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1132-58-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1132-45-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2432-47-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2640-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-70-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2640-69-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2640-68-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2640-67-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2640-63-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2640-66-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2660-27-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2748-11-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2748-13-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2748-12-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2748-17-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2748-7-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2748-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-25-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2748-9-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2748-16-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/2748-10-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2748-3-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2748-5-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2936-0-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download