Overview

overview

10

Static

static

gh.exe

windows7_x64

10

gh.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    48s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-05-2022 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gh.exe

  • Size

    1.9MB

  • MD5

    fc2f9bb8ec49b7a862a994d7793cfbfa

  • SHA1

    2ac1aa2e6884a811b5517564efeb101bcd6acf23

  • SHA256

    ba42981857aaa86ac3ebfa7c169d3abff15ef53a857770d70fa4808a90238d67

  • SHA512

    56b2f07acf0346e04894ac1bef83515bdda00a0d27262a4abe34799dc49ca996f796fda541fd6d3edda7f05187c9500f52ef694a3c1ddac3839b3047bef66524

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gh.exe
    "C:\Users\Admin\AppData\Local\Temp\gh.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AEEAcgB0AC0AUwBsAEUAZQBQACAALQBzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXAByAHUAbgBkAGwAbAAuAGUAeABlACcA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1376
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      2⤵
        PID:1740
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        2⤵
          PID:1732
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
          2⤵
            PID:1868
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
            2⤵
              PID:980
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
              2⤵
                PID:1472
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                2⤵
                  PID:1688
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                  2⤵
                    PID:1532
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                    2⤵
                      PID:300
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                      2⤵
                        PID:1636
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                        2⤵
                          PID:656

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Winlogon Helper DLL

                      1
                      T1004

                      Privilege Escalation

                      Defense Evasion

                      Modify Registry

                      1
                      T1112

                      Credential Access

                      Discovery

                      System Information Discovery

                      1
                      T1082

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                        Filesize

                        7KB

                        MD5

                        e92a33e6128cb38b5fcd8d3816e76dcc

                        SHA1

                        d492bdd91bbb5b5d59b270d7c18476ed77fe1bf6

                        SHA256

                        383529d5dd156d8b560bca6e8dbb35158e253838db2ef81f18fc724a01c09890

                        SHA512

                        9ebc9b6ce9cf632ded30ae0630c1b7bd855820fae0fbdb8ac0a7940158f6a5a88ca63368738710179da5d560345d7b2bee47ac90b636ff77cbfb97ebdc8bcde2

                        Download Submit
                      • memory/1376-65-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1376-72-0x000000000284B000-0x000000000286A000-memory.dmp
                        Filesize

                        124KB

                        Download
                      • memory/1376-71-0x000000001B7A0000-0x000000001BA9F000-memory.dmp
                        Filesize

                        3.0MB

                        Download
                      • memory/1376-70-0x0000000002844000-0x0000000002847000-memory.dmp
                        Filesize

                        12KB

                        Download
                      • memory/1376-69-0x000007FEEC640000-0x000007FEED19D000-memory.dmp
                        Filesize

                        11.4MB

                        Download
                      • memory/1376-68-0x000007FEED1A0000-0x000007FEEDBC3000-memory.dmp
                        Filesize

                        10.1MB

                        Download
                      • memory/1896-60-0x00000000027D4000-0x00000000027D7000-memory.dmp
                        Filesize

                        12KB

                        Download
                      • memory/1896-62-0x00000000027DB000-0x00000000027FA000-memory.dmp
                        Filesize

                        124KB

                        Download
                      • memory/1896-61-0x000000001B700000-0x000000001B9FF000-memory.dmp
                        Filesize

                        3.0MB

                        Download
                      • memory/1896-59-0x000007FEECFE0000-0x000007FEEDB3D000-memory.dmp
                        Filesize

                        11.4MB

                        Download
                      • memory/1896-58-0x000007FEEDB40000-0x000007FEEE563000-memory.dmp
                        Filesize

                        10.1MB

                        Download
                      • memory/1896-56-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2036-63-0x000000001D780000-0x000000001D95E000-memory.dmp
                        Filesize

                        1.9MB

                        Download
                      • memory/2036-64-0x000000001C3C6000-0x000000001C3E5000-memory.dmp
                        Filesize

                        124KB

                        Download
                      • memory/2036-54-0x000000013F740000-0x000000013F920000-memory.dmp
                        Filesize

                        1.9MB

                        Download
                      • memory/2036-55-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp
                        Filesize

                        8KB

                        Download
                      • memory/2036-73-0x000000001BE00000-0x000000001BEAA000-memory.dmp
                        Filesize

                        680KB

                        Download