gh0strat | c79ac8a613c7a25793b2a0167d48a6a5e8e7c811ccdaf01d0a47efc7dff99dbd

General

Target

0.exe
Size

71KB
MD5

2a9d0d06d292a4cbbe4a95da4650ed54
SHA1

44c32dfae9ac971c3651adbd82c821971a5400dc
SHA256

09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c
SHA512

ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d
SSDEEP

1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
C:\1568300.dll	family_gh0strat
\??\c:\windows\filename.jpg	family_gh0strat
behavioral1/memory/2180-15-0x0000000010000000-0x0000000010013000-memory.dmp	family_gh0strat
behavioral1/memory/1312-18-0x0000000010000000-0x0000000010013000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1312 svchost.exe

Drops file in Windows directory 7 IoCs

Processes:

taskmgr.exesvchost.exesvchost.exe0.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File opened for modification	C:\Windows\FileName.jpg	0.exe
File created	C:\Windows\FileName.jpg	0.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exetaskmgr.exe

pid	process
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
1312	svchost.exe
2600	taskmgr.exe
2600	taskmgr.exe
1312	svchost.exe
1312	svchost.exe
2600	taskmgr.exe
2600	taskmgr.exe
1312	svchost.exe
1312	svchost.exe
2600	taskmgr.exe
2600	taskmgr.exe
1312	svchost.exe
1312	svchost.exe
2600	taskmgr.exe
2600	taskmgr.exe
1312	svchost.exe
1312	svchost.exe
2600	taskmgr.exe
2600	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
636

pid
4
4
4
4
4
636

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

svchost.exe0.exetaskmgr.exe

description	pid	process
Token: SeShutdownPrivilege	4168	svchost.exe
Token: SeCreatePagefilePrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeLoadDriverPrivilege	4168	svchost.exe
Token: SeBackupPrivilege	2180	0.exe
Token: SeRestorePrivilege	2180	0.exe
Token: SeBackupPrivilege	2180	0.exe
Token: SeRestorePrivilege	2180	0.exe
Token: SeBackupPrivilege	2180	0.exe
Token: SeRestorePrivilege	2180	0.exe
Token: SeBackupPrivilege	2180	0.exe
Token: SeRestorePrivilege	2180	0.exe
Token: SeDebugPrivilege	2600	taskmgr.exe
Token: SeSystemProfilePrivilege	2600	taskmgr.exe
Token: SeCreateGlobalPrivilege	2600	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\0.exe
"C:\Users\Admin\AppData\Local\Temp\0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2180

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:3356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2840

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4168

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:200

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1568300.dll
Filesize
64KB

MD5
45dc749351fd65d71da89ca2ed2766cb

SHA1
e080faf81157b7f867cb56938c5e579c206af9b9

SHA256
391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25

SHA512
7e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74

Download Submit
C:\Windows\INF\netrasa.PNF
Filesize
22KB

MD5
47f55358eb31f464d0d12f61f7941953

SHA1
12bdd78e5b1dfd4d1a94c0709d6e2e82f83d74ac

SHA256
1f8eb41181a4f8059411eda60ac35576e6b99187bf1006d763288f2a53127f17

SHA512
693221e795eac1bd70157a4d0f6dd80ad8d9064d42efc49fc4285a26acad0adbde255cee91832c90b576ac0b60887b8b20c435b5730152210337fc900f693ef7

Download Submit
C:\Windows\INF\netsstpa.PNF
Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit
\??\c:\NT_Path.jpg
Filesize
54B

MD5
e1939abf5e6d08a450f65204f2c1bf30

SHA1
a55f888c691667b6ea961250689aafb0f364c5f6

SHA256
7ce5e5e60747be01e7c06b8de717df447e2492d849fa135d473d4d4d840e06c0

SHA512
3bfbb1c7b8333e0a40fbb3f1f49210c3270afd39a6e38f790370d2527ff8384441799a33645ac475e12a6d4e07fe0d48ffc93a4ba2bf1e0ac088fb39db127240

Download Submit
\??\c:\windows\filename.jpg
Filesize
2.9MB

MD5
c33bfbdae28ee5ecce25eed06ddf6bcd

SHA1
1aa472d1cb794a597b7e5adda424bd52176586f2

SHA256
2be856e4d478e4ce5092b9afefcee11854716648f847b6441728835f4e9301ab

SHA512
c1de7fedb859b265eaa90c63f172a203c6687efd432da8f2f5316dec636adb1067fb66a69514e7f7552a9d96636346818f8c8ea6a2e56ad0a8741509c657b12f

Download Submit
memory/1312-18-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2180-15-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads