gh0strat | ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
Size

1.3MB
MD5

55645546b1914c2701df42bc676bd482
SHA1

9e53f78f1b7eb9e5fd47114e5e77738a58e5abdb
SHA256

ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff
SHA512

d643f34610417a95a9bebe0b95ee1efcc408c4974b7ddb3a3e864c6e5f39744f79b316cd5b187425b13e6d08eefa7d1900d4bf2037507652c00bee599444adb4
SSDEEP

24576:Uh4cQjmoXnx/Oz+lOTKOHsQlr7K6WVZ6GwuwTbhEkA7u9:UqEqlZlOe/1bwvTbhE5y

Score

10^/10

gh0strat ramnit banker discovery rat spyware stealer trojan upx worm

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1740-17557-0x0000000000400000-0x0000000000548000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 3 IoCs

pid	Process
8476	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe
8528	DesktopLayer.exe
8688	Sdxhtfo.exe

Loads dropped DLL 2 IoCs

pid	Process
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
8476	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
8688	Sdxhtfo.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0033000000016e73-7978.dat	upx
behavioral1/memory/1740-7980-0x0000000002DA0000-0x0000000002DCE000-memory.dmp	upx
behavioral1/memory/8476-7986-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/8528-7993-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/8528-7997-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Ososaa\Sdxhtfo.exe	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Ososaa\Sdxhtfo.exe	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD4A.tmp	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sdxhtfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443978482"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF72A6D1-DB2B-11EF-B954-F2DF7204BD4F} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
8528	DesktopLayer.exe
8528	DesktopLayer.exe
8528	DesktopLayer.exe
8528	DesktopLayer.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
8568	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
8568	iexplore.exe
8568	iexplore.exe
8648	IEXPLORE.EXE
8648	IEXPLORE.EXE
8648	IEXPLORE.EXE
8648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 8476	1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe	31
PID 1740 wrote to memory of 8476	1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe	31
PID 1740 wrote to memory of 8476	1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe	31
PID 1740 wrote to memory of 8476	1740	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe	31
PID 8476 wrote to memory of 8528	8476	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe	32
PID 8476 wrote to memory of 8528	8476	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe	32
PID 8476 wrote to memory of 8528	8476	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe	32
PID 8476 wrote to memory of 8528	8476	ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe	32
PID 8528 wrote to memory of 8568	8528	DesktopLayer.exe	33
PID 8528 wrote to memory of 8568	8528	DesktopLayer.exe	33
PID 8528 wrote to memory of 8568	8528	DesktopLayer.exe	33
PID 8528 wrote to memory of 8568	8528	DesktopLayer.exe	33
PID 8568 wrote to memory of 8648	8568	iexplore.exe	34
PID 8568 wrote to memory of 8648	8568	iexplore.exe	34
PID 8568 wrote to memory of 8648	8568	iexplore.exe	34
PID 8568 wrote to memory of 8648	8568	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe
"C:\Users\Admin\AppData\Local\Temp\ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ff.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe
  C:\Users\Admin\AppData\Local\Temp\ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:8476
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:8528
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:8568
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8568 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:8648

C:\Program Files (x86)\Microsoft Ososaa\Sdxhtfo.exe
"C:\Program Files (x86)\Microsoft Ososaa\Sdxhtfo.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:8688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Ososaa\Sdxhtfo.exe

Filesize
13.3MB

MD5
2efeafb8384019369eb6ee361905175c

SHA1
075cc857a2e3ee8315953a4a48280a0563d3b41d

SHA256
53134e1ff7052c2d0554b635a4586fdbc8c763731c9ddcbd157b55a5c8f9965f

SHA512
4038d07a7df5ecedc0a05853f7bbe5014ddb4ad47d8050fb4745e1366178bdadb0e4b6aa291a214ce6eb70850a89417da71041a66022534203b0652254afbf27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2915a1b589ca25b9e1d509badc637d9e

SHA1
587b2fe9b5d996d5f19e39672e2a76f253e6d0f0

SHA256
bfb035b0eaf89d08091cb9f4f2f1818e64dfd447f3cee5100bd5b05ab83d0390

SHA512
6d4638fabf093e416487dd2f5a72712ee8c5ce88f48e3fe6cfd623a9c3e11b725c571cc38f27f0e04be6ebfed53e7ac178f640422a78045271b690bb2504dba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f69b9014b99e6746d4ad85bc4055f0b

SHA1
9b60a63ee9b2e68ad229044ccdadb86c84dda24c

SHA256
6a5d2144976597a5d326e2a0937c08e8f31a7c61c1a4afab5a96ff566f240c29

SHA512
e911e256e6364057e245141361a83dcdecc7d9ee21cb7d53a07f690658f8de435e1669fb447ef4a757daa1706c25e088ad3b34d1ede7867e82dfa4d0728c8112

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41386b41e5604ddf880960e6418bb4b4

SHA1
da76c5bafadda9c3ac3f4faed66f0511e9aa3db0

SHA256
b279c72047490e8c9f80a8c07cf005097d4046ce6f7789672bdfe2e284334100

SHA512
9e4516349e53a434017435b70440b6c133f2d35010b24b1709d5251a41eda1010883159c0be8fd6dab2ca33344bd627ee0aed88cb00a2284359ea9b579688178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deed98bb7e97e610dde81ad3c450cc8a

SHA1
d38a8fc09d1d903925d6fe922dbc724a843d4419

SHA256
e20f9efc0a60c83174438601fd0f5ece8d40c365b85f701e0f9b4a816229ca6c

SHA512
e05805e51ab450a834dc4dece8a539af3f6b103eabcc9610a0076ae1c4cc94ca6582f52622f6b25de66948447621b8f42d54e902922eea750a05dd499de9024a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01f4c5909560731752ed673aeb44a97c

SHA1
a3b08f912f1e86d63489dd745c35237e0420d84b

SHA256
0a48b91c130c187249fc22d3387ecc139ab788942868b258494c8ef7436231f7

SHA512
d0fca92d28e1041b741b0ad0f598b24def6ed4dfacfbc3c4ab9b40c1d00c24c85a65a1ee185aae87fc3b625fbdeac40ff3c602fabd5d4f4bb6529c580c76f912

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e19b492bbac38a11cc85a8756a4726d

SHA1
cb7c8d797f09d73334f7de1fb743568b701d4391

SHA256
c8bef8dba06c85ce5e03dca4bdb240ceeef7a27acaf8b8a24d95b8d0b8f691ab

SHA512
17f0a531fe3b29fd67fa9218edb0f2fa955faadc0e0fdf610c84ecf0869d95e97c173ab92cb91b2f1bccbd573f5ef8123923be074e8acdfc3bdf7f7ac3a26574

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdd5db26aacbd66f61f3eacb0d40dd3e

SHA1
e1194b4800c616a3cf9d441f5fe226779a5875e3

SHA256
8c014176bb2c347bcedbedcd86cf382c4bf1616900364511cfb8f099ba05a92b

SHA512
4e9fd6f7a78ee10c29a906a1e81e72307e294f926ab9fbbf8b86e337d1b742314151a41a0304e137f0b73056936f42da321d06b541729da361392e1cb6ff0071

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
710e898474d3bec74cb7535002eb8a07

SHA1
7c027ed3464008d073056c3c6fe2e9e29e879713

SHA256
d0fbcd8fdc647f422d99d8af5083f4bc981a9640f3fa31975029b127094535a8

SHA512
afe628931ca97fe941b74766f62a9cc36f76bc852ab54e3a5a98c68e1910acbe201c7fc551489600f2ee95ce53533e4f268ae46219a718317f00a893ab2ca57f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f91097145e74e07936b26d8ebb5b72d2

SHA1
452098ce9c17f9176c9edac48188d63bf565c2a5

SHA256
0eb993ef0a481e3a342de03a8f77ba34a57a6fb7be53ad19bbd84ca9a3037771

SHA512
8818020a75c25f848e81f551199ec85def59850eeeaf176343cbe8e813f3003e404b305e5b820987a14a5b80b08473edae8c1391f75fcbd67a6e1172d4af353b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2328d41a7a89a56176907ad60df5a53

SHA1
379087621000fccfa4d5e3b4480bfe76e5c4b466

SHA256
96e5f4f0d667d89ec814606599fc7b01315008ef3069ab25c89c1e666b6a8309

SHA512
4801a9342ccf809c87779ebf8abd64c97e6f7d25b3235d30096330ac5f84dde04f213ff1b145576d257e6379e22e6b20d81962532a15c9d0fe9ddf4504d4d980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5481817a8d4799371955153ee68316b

SHA1
930526ca51e1c2dda024b0d059e87f24e6fc99f5

SHA256
b3e127bcb61c17e61d2fefc43ba2d493b6c939ee1dfa7f730228ab1a9ade3954

SHA512
7bda82981fd181e538506c1b39ca55161d681cdcd0e767d2ba1bd929462ee6b367318b659400e3a2fd2376ca0ae4af1791fac2a0abe357899f22113b862d9adc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a57ce6cd50fd4adb4b6a16a1c8312d1

SHA1
5a44c6734552b51a054001315597fe8093baf392

SHA256
5e1a91f3aa9bee3102d4e148dd9dcc01afef67029bbc1d62042f5e3bc418204f

SHA512
3166284a090a0ceff39c9d6b7df364fc646e8fea9d3ed41aef379cb84ca7c76f01f74dc04a4f0de666f8ca7318916cd0c69f16f0b306b37204040ad573f07910

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3DEC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E9C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\ff4967aa2cefcb0628fdc68040621351b14ea20b28a339b42e57cd3c4f35e7ffSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1740-520-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-510-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-528-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-530-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-532-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-534-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-536-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-538-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-540-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-542-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-544-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-546-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-548-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-556-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-552-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-550-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-564-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-562-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-524-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-7980-0x0000000002DA0000-0x0000000002DCE000-memory.dmp

Filesize
184KB

Download
memory/1740-17557-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/1740-1-0x0000000076BA0000-0x0000000076BE7000-memory.dmp

Filesize
284KB

Download
memory/1740-504-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-522-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-503-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-0-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/1740-518-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-516-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-554-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-514-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-512-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-526-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-508-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-560-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-558-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/1740-506-0x0000000002230000-0x0000000002341000-memory.dmp

Filesize
1.1MB

Download
memory/8476-7986-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/8528-7997-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/8528-7993-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/8688-17120-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/8688-8001-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download