a0870503b673085716382adb59f7cfcd71bfc1b67c5561142150bdee6751167f

Analysis

max time kernel
1562s
max time network
1579s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

888 RAT 1.2.5.exe
Size

75.9MB
MD5

4aecd4edd0a55ec3d6384c3fb5c7e991
SHA1

1217bde817a917c4cce9ded4cf3a5265f83e17b3
SHA256

9a84421ce7399381bddb874cce102a34568737e4421026461724aac065f1d5b7
SHA512

0b16dd7e761bdca6b70998a502f5cdf74ac9481e2610470a684dbe8998cb7d455a0c12701d4a0791359c618d799f3b01ade8a5bfdbb077648442d075b849e08b
SSDEEP

1572864:SNuhTJ9xMqHFBq0HDsLYrXatfLllR3Rbo30xXlkx6B3rS1OvaF5:SNuRx7lBq0wLYrXajRSulkx83yUaF5

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\skin.dll	acprotect

Loads dropped DLL 4 IoCs

Processes:

888 RAT 1.2.5.exeWerFault.exe

pid process

1936 888 RAT 1.2.5.exe
1936 888 RAT 1.2.5.exe
2300 WerFault.exe
2300 WerFault.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1936-0-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\skin.dll	upx
behavioral2/memory/1936-40-0x0000000004AE0000-0x0000000004B9B000-memory.dmp	upx
behavioral2/memory/1936-422-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral2/memory/1936-575-0x0000000004AE0000-0x0000000004B9B000-memory.dmp	upx
behavioral2/memory/1936-1336-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral2/memory/1936-1337-0x0000000004AE0000-0x0000000004B9B000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/1936-422-0x0000000000400000-0x00000000004C6000-memory.dmp	autoit_exe
behavioral2/memory/1936-1336-0x0000000000400000-0x00000000004C6000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2300 1936 WerFault.exe 888 RAT 1.2.5.exe

pid	pid_target	process	target process
2300	1936	WerFault.exe	888 RAT 1.2.5.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb7800000000020000000000106600000001000020000000802e1881c5a0d1e8f08cc6abee1aed91e89ff22bca7aa19225451bbc17d158eb000000000e800000000200002000000004fdbdf6ba0eeb0825ff687ff4f71e5192e07b98f3b554f690fe7dde9a30b38c900000003d033ec0f207729eda908a464ad30247c6560f7911e6fdd89e74bc2f495d08158d93266e3ee17f8713828af93aa2f8d03692e8edff8808b8f3b6fc87f620b6ad919cbdff795dea504bbfff2c17ca0506f3d6dc670f5afb38a09f00ea1219f5f6538a87dd14669ab1cc8dd28a7c56b94444e6e18f627623d29c9dcc80ca77425e1015dd406e4dd9e635b926d5dec9b86a400000001de4d207602696518ae2458eb6a436c6f61789b9a6f310aebd00ae7432ee43ce08dbffeed8f4199cf11c2b5e2d75c5644f1419c788aa151eae7c624fd894e06d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50d7b15378d8da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427403257"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{798E7F51-446B-11EF-8995-CA26F3F7E98A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb78000000000200000000001066000000010000200000004071a1b9b1a08555febb123395b8d29c4a1326d3ed34b308cf6454ba5186f35e000000000e8000000002000020000000b069e4de5178627d43ab1aa0b4d077bdfb9f5b8123d0a91fcd4b36a7e6d52a70200000007ad97e1e74d23030b7d9426b8d433459c0ff3f8ac553bbee81c3807d59984d7e4000000016c574ed6d57addd5d4e92eeda980bb526f0a2a3ee66e7b6bea3d850f7afc8c24c8a9982a72aef68d64b5144297dcf2c6f52db652fae15101c21070ffaa95f56	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{798E5841-446B-11EF-8995-CA26F3F7E98A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

888 RAT 1.2.5.exe

pid process

1936 888 RAT 1.2.5.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

888 RAT 1.2.5.exeiexplore.exeiexplore.exeiexplore.exe

pid	process
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1548	iexplore.exe
1612	iexplore.exe
2260	iexplore.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

888 RAT 1.2.5.exe

pid	process
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

888 RAT 1.2.5.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1936	888 RAT 1.2.5.exe
1548	iexplore.exe
1548	iexplore.exe
1612	iexplore.exe
1612	iexplore.exe
2260	iexplore.exe
2260	iexplore.exe
2164	IEXPLORE.EXE
2164	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
1936	888 RAT 1.2.5.exe
2164	IEXPLORE.EXE
2164	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

888 RAT 1.2.5.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1936 wrote to memory of 1548	1936	888 RAT 1.2.5.exe	iexplore.exe
PID 1936 wrote to memory of 1548	1936	888 RAT 1.2.5.exe	iexplore.exe
PID 1936 wrote to memory of 1548	1936	888 RAT 1.2.5.exe	iexplore.exe
PID 1936 wrote to memory of 1548	1936	888 RAT 1.2.5.exe	iexplore.exe
PID 1936 wrote to memory of 1612	1936	888 RAT 1.2.5.exe	iexplore.exe
PID 1936 wrote to memory of 1612	1936	888 RAT 1.2.5.exe	iexplore.exe
PID 1936 wrote to memory of 1612	1936	888 RAT 1.2.5.exe	iexplore.exe
PID 1936 wrote to memory of 1612	1936	888 RAT 1.2.5.exe	iexplore.exe
PID 1936 wrote to memory of 2260	1936	888 RAT 1.2.5.exe	iexplore.exe
PID 1936 wrote to memory of 2260	1936	888 RAT 1.2.5.exe	iexplore.exe
PID 1936 wrote to memory of 2260	1936	888 RAT 1.2.5.exe	iexplore.exe
PID 1936 wrote to memory of 2260	1936	888 RAT 1.2.5.exe	iexplore.exe
PID 1548 wrote to memory of 2164	1548	iexplore.exe	IEXPLORE.EXE
PID 1548 wrote to memory of 2164	1548	iexplore.exe	IEXPLORE.EXE
PID 1548 wrote to memory of 2164	1548	iexplore.exe	IEXPLORE.EXE
PID 1548 wrote to memory of 2164	1548	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 1712	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 1712	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 1712	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 1712	1612	iexplore.exe	IEXPLORE.EXE
PID 2260 wrote to memory of 2552	2260	iexplore.exe	IEXPLORE.EXE
PID 2260 wrote to memory of 2552	2260	iexplore.exe	IEXPLORE.EXE
PID 2260 wrote to memory of 2552	2260	iexplore.exe	IEXPLORE.EXE
PID 2260 wrote to memory of 2552	2260	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 2300	1936	888 RAT 1.2.5.exe	WerFault.exe
PID 1936 wrote to memory of 2300	1936	888 RAT 1.2.5.exe	WerFault.exe
PID 1936 wrote to memory of 2300	1936	888 RAT 1.2.5.exe	WerFault.exe
PID 1936 wrote to memory of 2300	1936	888 RAT 1.2.5.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\888 RAT 1.2.5.exe
"C:\Users\Admin\AppData\Local\Temp\888 RAT 1.2.5.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/qasimhaxor.qzk
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/qzkhacker
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1612 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/qasimhaxor
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1012
2⤵
- Loads dropped DLL
- Program crash
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2f678ee2432799eba1f62c3bd637751d

SHA1
fc6d1f79f456462847eb9d497b2ba78e75dc8b44

SHA256
87586872cc4ae18ac6a585488e539ae9a4a14d2088e5c99eef250211497523e3

SHA512
d86db63d9c0a41828433ab24750088625a917ac94d740dc5e1b64c945d05bf0f473ab9bf7e3f3f789f894ee6661f8a936774ed1e212fff9b63436341d321e23b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f769fb4b69b9e4953034ab3a70ebeab1

SHA1
b5270207d0ad9184e4fd4efcf96e12c4f302b91d

SHA256
2010338c30cca1676f296ffd5154d05a1a2bb0145929fbae6e7ec0fede2f27d5

SHA512
e80f384e6152d0c3f5cb53b8d954fa45484afa7e38b646c1af467d91202a1b7b0dbc7b09f54507b796963fb63845225b8793ae818574a68ef658d123feb8e352

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6aac0675e3e7559b7325e7d0b4d48975

SHA1
c58a7968dc9be3f0728ae574e3b1f85e3cd49ced

SHA256
42238c39eb04fc453c97808e3348bd5b389df36253553d18b57079c90360bf3c

SHA512
b99100aeee2659963363ac59993f895ed8594f0374a7e1ccbea3e6be50150ed4fbc0bda125b9be39fef3a1bf46d3ac07f58847d02c6334dc1d74bb4e24dcf7d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c399a8be393cffbb681e996e8435f61c

SHA1
787b7ada280221a632ace9ae17fa73a87906ae84

SHA256
75b5dc50a7b313478db67b1d2700230f79c646778fde4da26a7b727c6ddca9d1

SHA512
bf5d0cfe6ec7de933b726f859032743c4bbdb7f4b0e4f1fea4420ff4040174bb1dabd209e1923e2ae4283e288060b85035153311b6586003b8fa2677a8e25a1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
581ff79c6d3b9d09dc1a280f501cb130

SHA1
c884cd412a6fb9601506666ad1bef551ff333474

SHA256
d898188e941a28334c3b57a54d4347757ef5c9ec8b1766850c26ac505e3b5db2

SHA512
9f35a9aae6c239a1def7811bdae61a50a05cd20f046a37051787ddb8dd3592644fcf704f421b92f4c4ca082b57a4cbb4c35b609df77c92847309db7df1bfd432

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a64a2c03128fa883242a2315c73ac950

SHA1
0a89c9fca23aaf42d256d517a613cda2dec2ba9a

SHA256
3eabaccac1815d49bc477f4a8c4b6647e097b8b0a467e29dbb60327e86f9e2d5

SHA512
c156567e455ebfcabbd4f6c869528c20da3e846f183b949ac0909827d326c3ce80f04608619be8f04e731103cf9b0cc73cfb436341fdcd78c109800b31c99146

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1c2b298aa4e71b6f1eb9e57a7960580e

SHA1
334f4d63f3c6e5d7cfd0c92c5e969f252d399329

SHA256
24aca69d2c65a2f88fe16152b40da960ce2ce65d7e0c2415997438cb83bf6336

SHA512
df68ec2a99b01ed686eb81e8dc015632634c61727ba8456bdc838d907ba00804aa70f7ab3de1a03fea60a7f220863dcc38a96e3d2ea83f1032e86df48596719a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7690f3e063164e905af592fb684b966c

SHA1
04831e9f2be5a7161a262c8f04f8b5c20e57d277

SHA256
6200dd94634663a43b65a559c64e7b234a60e98ddaf38252cb2725f50699608b

SHA512
223da740f6fc706d0266b2ac5fc297c07303d532ee7b089f8fbecdc588e9bd028fcdab6ced02a85ba3bdb65dd4070dc18a90772ca0b2ebbc0f5e11a760e4291f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f8589c9c3794449a723590753027421e

SHA1
2b98a4295dfda4ecd7afa31ed0f68705c72c639c

SHA256
c22d61e449be5ce2eccbe218652bd9c94b2a2657203327834709b6fe999d862b

SHA512
448708bc1b85f5276382c13023a122fa20fe656c52641d340f0980f096ea9cfb515cabe3366da5f0449c0044f8fc184a9d3a523c2ce49aad2c51426d27c89126

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f48d1de40d533e707167a325df47fc98

SHA1
78cf577d4afd7c831f1e1fbb21ce5889cdd9205f

SHA256
04922e532c4e3abc44ed1dd271d4a89bbbe20d897944e9ba4a8de1f71f038720

SHA512
3e6ea5278bfcb3dbe8d78b59baf16e0e2eedc30e95a8fb452c00caf135c1d53a0dd9413a2e3b43063329ebf566a106507b72c2e4479cf18a56155aab5d86d046

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9bd1720d3b1328b8fd4eccb6c0e57745

SHA1
34e56b8bf01a89eb1d4a6860a3e33fef3673e280

SHA256
65f5cbb7744413ad036d782ffd03ae4a9f29ad44f7de2b487a93b8365ff66d1f

SHA512
c2adebcf8694de22a8a96d11f9a6527e2816118b119c58553b04766aa1402affd29db25857a3b3abafd3f7149edc5b483cf7e39e1ed29ba0e00722831ada8b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{796AA3A1-446B-11EF-8995-CA26F3F7E98A}.dat
Filesize
5KB

MD5
237c2d8b96b414311d580e8e8a240e65

SHA1
2ebb675310a2950960b0b8dea30e4317f6cbf0f2

SHA256
27f9c820b8367df5bf51be041e7f313e3fddc77c3b200692e938d6e5b64c7136

SHA512
0323f4a1a792554e86f0be4050ae0a68b99725cb42a9e5f61c9b8302d641983500448ce2b019cf653f1f756f54c35f5d7f54b0687f5448642e6a77b180e55fa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{798E5841-446B-11EF-8995-CA26F3F7E98A}.dat
Filesize
4KB

MD5
fdc4cd09918053e2b2d30ce886d1c678

SHA1
77fceb2d288c2e32cac9b5dcb4b1fdea0540adb6

SHA256
b529d57f9a9c488012f9e1ab335fb483115791b2500c9dbd37d0653c78c19032

SHA512
a0d21bcaa4071b26f7c2368253414c9cfcff4d27aac38543b2dc44fbaca42d86e445413b05936d2ca646cf5e308a5a59b78ea64a3c7385c60fd0db154f2a76a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{798E7F51-446B-11EF-8995-CA26F3F7E98A}.dat
Filesize
5KB

MD5
84d8f5d05a5e02fcd74c88f9a0e445d0

SHA1
9342c8c64958175c4aa09ccc8a0af9a747f4f337

SHA256
2040a8bb8f6287ba3da480252c098611fe5c8a33c07f6e8a291792244ac9092e

SHA512
c6e0bc9b5f19b9d7f08b1ced9f4a578829ffa6c7cad7fbef8010841c8171c4c5c9ff46e1df8114d65b6ea8248940d8d1bfa10b76914246887857f683d0ea5423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\c2sxdb0\imagestore.dat
Filesize
784B

MD5
85baf128034c7abb2ee2033dbc9b88de

SHA1
f5990cc208a063a0de69b3f0f890d857e0076a36

SHA256
e3765e0360f13ab8259c4be81b0c96a3f6b656a0710e84f23f5299aa8d2cfec7

SHA512
54ff7070074c6db3d968e7ef0ec250eb5fb06f754ae654eba1ce04643cddd5fcde1af40bdeef7a31aa00174316a989a5116f0ad605ab35a8a959077640013932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HTBGGANG\4Kv5U5b1o3f[1].png
Filesize
610B

MD5
a81a5e7f71ae4153e6f888f1c92e5e11

SHA1
39c3945c30abff65b372a7d8c691178ae9d9eee0

SHA256
2bc7a47889c56ad49f1b8b97385d5a4d212e79bb8a9b30df0665a165f58b273e

SHA512
1df32349b33f6a6fcb1f8b6093abd737fa0638cdd6e3fd90a7e1852bd0e40bc2633cb4e13c4824fb948d1e012e5cb9eed0b038b121404865495d4e57e123db69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1A94.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AC6.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin.dll
Filesize
239KB

MD5
29e1d5770184bf45139084bced50d306

SHA1
76c953cd86b013c3113f8495b656bd721be55e76

SHA256
794987c4069286f797631f936c73b925c663c42d552aeca821106dfc7c7ba307

SHA512
7cb3d0788978b6dc5a78f65349366dac3e91b1557efa4f385984bef4940b3ea859f75cfe42c71f6fe445555138f44305531de6a89c5beff4bf9d42001b4348e8

Download Submit
\Users\Admin\AppData\Local\Temp\skin.888ww.msstyles
Filesize
3.3MB

MD5
ea5d5266b8a7bcc8788c83ebb7c8c7d5

SHA1
3e9ac1ab7d5d54db9b3d141e82916513e572b415

SHA256
91ac4d215b8d90aef9a000900c9088d4c33d58c5f35a720a385a3f2d2299e5d1

SHA512
404b35fca478a1f489ec1af7be1df897190d7deb0cd8139c2c89d68c24fa377d904cf0c5e30c09ab448d74d87a47aaa3a872bf66a9bc9c124f52798320d34e60

Download Submit
memory/1936-87-0x0000000077290000-0x0000000077330000-memory.dmp

Filesize
640KB

Download
memory/1936-113-0x0000000074E70000-0x0000000074E83000-memory.dmp

Filesize
76KB

Download
memory/1936-60-0x0000000077380000-0x00000000773FB000-memory.dmp

Filesize
492KB

Download
memory/1936-66-0x0000000074F20000-0x0000000074F52000-memory.dmp

Filesize
200KB

Download
memory/1936-64-0x0000000074F60000-0x0000000074F69000-memory.dmp

Filesize
36KB

Download
memory/1936-65-0x0000000076F50000-0x0000000077165000-memory.dmp

Filesize
2.1MB

Download
memory/1936-63-0x00000000762A0000-0x000000007632F000-memory.dmp

Filesize
572KB

Download
memory/1936-61-0x0000000075620000-0x000000007626A000-memory.dmp

Filesize
12.3MB

Download
memory/1936-75-0x0000000076E60000-0x0000000076EB7000-memory.dmp

Filesize
348KB

Download
memory/1936-78-0x00000000762A0000-0x000000007632F000-memory.dmp

Filesize
572KB

Download
memory/1936-80-0x0000000074F20000-0x0000000074F52000-memory.dmp

Filesize
200KB

Download
memory/1936-79-0x0000000076F50000-0x0000000077165000-memory.dmp

Filesize
2.1MB

Download
memory/1936-77-0x00000000751D0000-0x00000000751E2000-memory.dmp

Filesize
72KB

Download
memory/1936-76-0x0000000077380000-0x00000000773FB000-memory.dmp

Filesize
492KB

Download
memory/1936-74-0x0000000076390000-0x000000007642D000-memory.dmp

Filesize
628KB

Download
memory/1936-73-0x0000000074F70000-0x000000007510E000-memory.dmp

Filesize
1.6MB

Download
memory/1936-72-0x0000000077290000-0x0000000077330000-memory.dmp

Filesize
640KB

Download
memory/1936-71-0x0000000074E00000-0x0000000074E51000-memory.dmp

Filesize
324KB

Download
memory/1936-70-0x0000000076570000-0x000000007670D000-memory.dmp

Filesize
1.6MB

Download
memory/1936-68-0x0000000076B30000-0x0000000076BFC000-memory.dmp

Filesize
816KB

Download
memory/1936-81-0x0000000076B30000-0x0000000076BFC000-memory.dmp

Filesize
816KB

Download
memory/1936-84-0x0000000076270000-0x0000000076297000-memory.dmp

Filesize
156KB

Download
memory/1936-89-0x0000000076E60000-0x0000000076EB7000-memory.dmp

Filesize
348KB

Download
memory/1936-88-0x0000000074F70000-0x000000007510E000-memory.dmp

Filesize
1.6MB

Download
memory/1936-58-0x0000000074F70000-0x000000007510E000-memory.dmp

Filesize
1.6MB

Download
memory/1936-86-0x0000000074E00000-0x0000000074E51000-memory.dmp

Filesize
324KB

Download
memory/1936-85-0x0000000074E70000-0x0000000074E83000-memory.dmp

Filesize
76KB

Download
memory/1936-97-0x0000000074E00000-0x0000000074E51000-memory.dmp

Filesize
324KB

Download
memory/1936-83-0x0000000076570000-0x000000007670D000-memory.dmp

Filesize
1.6MB

Download
memory/1936-107-0x0000000074F20000-0x0000000074F52000-memory.dmp

Filesize
200KB

Download
memory/1936-112-0x0000000076270000-0x0000000076297000-memory.dmp

Filesize
156KB

Download
memory/1936-90-0x00000000751D0000-0x00000000751E2000-memory.dmp

Filesize
72KB

Download
memory/1936-109-0x0000000076B30000-0x0000000076BFC000-memory.dmp

Filesize
816KB

Download
memory/1936-115-0x0000000076E60000-0x0000000076EB7000-memory.dmp

Filesize
348KB

Download
memory/1936-114-0x0000000074E00000-0x0000000074E51000-memory.dmp

Filesize
324KB

Download
memory/1936-62-0x00000000769C0000-0x0000000076B1C000-memory.dmp

Filesize
1.4MB

Download
memory/1936-111-0x0000000076570000-0x000000007670D000-memory.dmp

Filesize
1.6MB

Download
memory/1936-106-0x0000000076F50000-0x0000000077165000-memory.dmp

Filesize
2.1MB

Download
memory/1936-105-0x0000000074F60000-0x0000000074F69000-memory.dmp

Filesize
36KB

Download
memory/1936-104-0x00000000762A0000-0x000000007632F000-memory.dmp

Filesize
572KB

Download
memory/1936-103-0x00000000751D0000-0x00000000751E2000-memory.dmp

Filesize
72KB

Download
memory/1936-102-0x0000000077380000-0x00000000773FB000-memory.dmp

Filesize
492KB

Download
memory/1936-101-0x0000000076E60000-0x0000000076EB7000-memory.dmp

Filesize
348KB

Download
memory/1936-100-0x0000000076390000-0x000000007642D000-memory.dmp

Filesize
628KB

Download
memory/1936-99-0x0000000074F70000-0x000000007510E000-memory.dmp

Filesize
1.6MB

Download
memory/1936-98-0x0000000077290000-0x0000000077330000-memory.dmp

Filesize
640KB

Download
memory/1936-96-0x0000000076570000-0x000000007670D000-memory.dmp

Filesize
1.6MB

Download
memory/1936-94-0x0000000076B30000-0x0000000076BFC000-memory.dmp

Filesize
816KB

Download
memory/1936-59-0x0000000076E60000-0x0000000076EB7000-memory.dmp

Filesize
348KB

Download
memory/1936-56-0x0000000074E00000-0x0000000074E51000-memory.dmp

Filesize
324KB

Download
memory/1936-57-0x0000000077290000-0x0000000077330000-memory.dmp

Filesize
640KB

Download
memory/1936-54-0x0000000076570000-0x000000007670D000-memory.dmp

Filesize
1.6MB

Download
memory/1936-93-0x0000000074F20000-0x0000000074F52000-memory.dmp

Filesize
200KB

Download
memory/1936-92-0x0000000076F50000-0x0000000077165000-memory.dmp

Filesize
2.1MB

Download
memory/1936-91-0x0000000074F60000-0x0000000074F69000-memory.dmp

Filesize
36KB

Download
memory/1936-422-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1936-55-0x0000000077400000-0x000000007742A000-memory.dmp

Filesize
168KB

Download
memory/1936-575-0x0000000004AE0000-0x0000000004B9B000-memory.dmp

Filesize
748KB

Download
memory/1936-53-0x0000000074F20000-0x0000000074F52000-memory.dmp

Filesize
200KB

Download
memory/1936-52-0x0000000076F50000-0x0000000077165000-memory.dmp

Filesize
2.1MB

Download
memory/1936-51-0x00000000762A0000-0x000000007632F000-memory.dmp

Filesize
572KB

Download
memory/1936-49-0x0000000075620000-0x000000007626A000-memory.dmp

Filesize
12.3MB

Download
memory/1936-50-0x00000000769C0000-0x0000000076B1C000-memory.dmp

Filesize
1.4MB

Download
memory/1936-48-0x0000000076E60000-0x0000000076EB7000-memory.dmp

Filesize
348KB

Download
memory/1936-47-0x0000000076390000-0x000000007642D000-memory.dmp

Filesize
628KB

Download
memory/1936-46-0x0000000077290000-0x0000000077330000-memory.dmp

Filesize
640KB

Download
memory/1936-40-0x0000000004AE0000-0x0000000004B9B000-memory.dmp

Filesize
748KB

Download
memory/1936-0-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1936-1336-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1936-1337-0x0000000004AE0000-0x0000000004B9B000-memory.dmp

Filesize
748KB

Download