gh0strat | db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81

General

Target

db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
Size

10.8MB
MD5

60663790325837c5884bcfa8083e6d54
SHA1

01982fb8e6d2b2bef1d5dc106c70a78bbbf0a392
SHA256

db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81
SHA512

325d9ee8dbe0c8ca283328ec6eed67773b8b1e3d789c77f7cbda39f1c72fe5def7fce19b5249db4f2700af813ba2c864dbd944d7b46f60aedcc3c428ec7256cd
SSDEEP

196608:iMsIAx6K86C2unHG+FLBENNgDnTMmTWRSsHwk43S7tCEt7CpAd8+:nA/6X3iNWTMmyRS3i7gERNd8+

Score

10^/10

gh0strat persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240599765.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240599765.bat"	look2.exe

Executes dropped EXE 6 IoCs

Processes:

look2.exeHD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exeHD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exeHD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exesvchcst.exeHD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

pid	process
3964	look2.exe
1000	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
5080	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
1316	svchcst.exe
1120	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

Loads dropped DLL 3 IoCs

Processes:

look2.exesvchost.exesvchcst.exe

pid process

3964 look2.exe
1804 svchost.exe
1316 svchcst.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	upx
behavioral2/memory/1000-18-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-20-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/5080-23-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/5080-22-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/1000-37-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-108-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/1120-109-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-110-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-111-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/5080-112-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-114-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-116-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-118-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/1120-119-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-120-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-122-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-124-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-126-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-128-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-132-0x00000000008E0000-0x0000000002337000-memory.dmp	upx
behavioral2/memory/2812-136-0x00000000008E0000-0x0000000002337000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

look2.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\240599765.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

pid process

1120 HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exeHD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

pid	process
2604	db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2604	db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exeHD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exeHD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exeHD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

description	pid	process
Token: SeDebugPrivilege	1000	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
Token: SeDebugPrivilege	2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
Token: SeDebugPrivilege	5080	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
Token: SeDebugPrivilege	1120	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

pid	process
1120	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
1120	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

pid	process
1120	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
1120	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

pid	process
2604	db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2604	db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exeHD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exesvchost.exe

C:\Users\Admin\AppData\Local\Temp\db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
"C:\Users\Admin\AppData\Local\Temp\db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3964

C:\Users\Admin\AppData\Local\Temp\HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
C:\Users\Admin\AppData\Local\Temp\HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:3084

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\240599765.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316

C:\Users\Admin\AppData\Local\Temp\HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
"C:\Users\Admin\AppData\Local\Temp\HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe" --runservice
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
"C:\Users\Admin\AppData\Local\Temp\HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe" --show --localPort=35600
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Users\Admin\AppData\Local\Temp\HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
"C:\Users\Admin\AppData\Local\Temp\HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe" --show --localPort=35600
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ToDesk_Lite\config.ini

Filesize
294B

MD5
edc817da91fecde4c3e4940123941e83

SHA1
db1dc1b647c2b464ea6c8998c784cf46a1113a2a

SHA256
435def66bf643d259049d0b4052902543e0b828008e7b29cf1bb6ae11bbf7c28

SHA512
f460182ada2aec21257ed34e3c638aff563e8fc1e8e499f78202913b80472bf49d9d5ec4dc13d244ba2742bc659141272c2d3de0abf7857e8ed822586e21ff06

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
ae2eaaf6d17489074f56c25f2037c837

SHA1
bbd80e3407af2b8f5163c11d47caa31b6106d2e0

SHA256
0c61bf6085962be9751965abb3b5aba7a96c4555928725fd0d5d5ead7e83910c

SHA512
f9771fc38793a8a183accdd8aef7c217cbaf623599f131bf7b55f9e990b620309d8503250f027de73a3e9ebda7047b3b5eb8587431f15089a2e6d3ca7249eae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

Filesize
9.7MB

MD5
5918a1d241172fa8db433e9eb0bab106

SHA1
2728a0644d8eaad68a861cc204adc365fc518509

SHA256
951cc6517f8a4ce418b94afaf10990a8c8f5f3c484a4ea8a4619b75d1d3ce328

SHA512
c7f3a258ea93ce744bfc9f3c8e5d13fc0fabc807a6410a26492e0d7dbc4b2179741072cca5959dc0a234be25a673d319838b7211dbaa1d89183902cf3b3e539c

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
2f3b6f16e33e28ad75f3fdaef2567807

SHA1
85e907340faf1edfc9210db85a04abd43d21b741

SHA256
86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

SHA512
db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

Download Submit
C:\Windows\SysWOW64\240599765.bat

Filesize
51KB

MD5
0646308bcf6c8a95cb7d178a2c8313e8

SHA1
ba831e9d35d1c2d17f883d7ae848165e441ed432

SHA256
47bd3c7d25b43417bf50b4697e5363879854733c85d87869b8e6227b2953cc3a

SHA512
be8964e4f7f41a87e10a8663e26e99674384c0f1db669778aea214f58d244240dc5a93a073a56684a61ba261614245d2e0d285d7ec7cb568cf90cb8acc8f0753

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/1000-18-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/1000-37-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/1120-119-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/1120-109-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-118-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-126-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-136-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-110-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-111-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-132-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-114-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-116-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-128-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-20-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-120-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-122-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-124-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/2812-108-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/5080-23-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/5080-112-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download
memory/5080-22-0x00000000008E0000-0x0000000002337000-memory.dmp

Filesize
26.3MB

Download

description	pid	process	target process
PID 2604 wrote to memory of 3964	2604	db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	look2.exe
PID 2604 wrote to memory of 3964	2604	db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	look2.exe
PID 2604 wrote to memory of 3964	2604	db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	look2.exe
PID 2604 wrote to memory of 1000	2604	db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
PID 2604 wrote to memory of 1000	2604	db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
PID 2604 wrote to memory of 1000	2604	db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
PID 2812 wrote to memory of 5080	2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
PID 2812 wrote to memory of 5080	2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
PID 2812 wrote to memory of 5080	2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
PID 1804 wrote to memory of 1316	1804	svchost.exe	svchcst.exe
PID 1804 wrote to memory of 1316	1804	svchost.exe	svchcst.exe
PID 1804 wrote to memory of 1316	1804	svchost.exe	svchcst.exe
PID 2812 wrote to memory of 1120	2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
PID 2812 wrote to memory of 1120	2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe
PID 2812 wrote to memory of 1120	2812	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe	HD_db1bcac4224efda32ff92c58f26ad36e146aabc3cf92668fdaa0944c9c9f6a81.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads