Analysis
- max time kernel: 80s
- max time network: 183s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2022 04:58
Behavioral task behavioral1
- Sample: aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
- Resource: win7-20220718-en
Behavioral task behavioral2
- Sample: aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
- Resource: win10v2004-20220721-en
General
- Target: aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
- Size: 32KB
- MD5: 162f53c58e2e4f9d670446a7c7c0cfff
- SHA1: af737da1835e56105d29527022dafb83e4e13937
- SHA256: aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856
- SHA512: 7e37aab76bb83dd0f58db973add99d0c6157c80cf2a89b3b92fe951ebab7eeb7bb7ac2012a01358481c8c8d7e2b21b9d8209a700a7802751aa74d3854f19c0a5
Malware Config
Signatures

Gh0st RAT payload 8 IoCs
Processes:
  resource | yara_rule
  \Windows\SysWOW64\7117748.dll | family_gh0strat
  \Windows\SysWOW64\7117748.dll | family_gh0strat
  \??\c:\windows\SysWOW64\7117748.dll | family_gh0strat
  behavioral1/memory/1996-60-0x0000000000400000-0x0000000000420000-memory.dmp | family_gh0strat
  \Windows\SysWOW64\7117748.dll | family_gh0strat
  \Windows\SysWOW64\7117748.dll | family_gh0strat
  \Windows\SysWOW64\7117748.dll | family_gh0strat
  \Windows\SysWOW64\7117748.dll | family_gh0strat
RunningRat
RunningRat is a remote access trojan first seen in 2018.

RunningRat payload 1 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/1996-55-0x0000000000400000-0x0000000000420000-memory.dmp | family_runningrat
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  2036 | serivces.exe
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\serivces\Parameters\ServiceDll = "C:\\Windows\\system32\\7117748.dll" | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
UPX packed file 2 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/1996-55-0x0000000000400000-0x0000000000420000-memory.dmp | upx
  behavioral1/memory/1996-60-0x0000000000400000-0x0000000000420000-memory.dmp | upx
Deletes itself 1 IoCs
Processes:
  pid | process
  1724 | cmd.exe
Loads dropped DLL 7 IoCs
Processes:
  pid | process
  1996 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
  984 | svchost.exe
  984 | svchost.exe
  2036 | serivces.exe
  2036 | serivces.exe
  2036 | serivces.exe
  2036 | serivces.exe
Creates a Windows Service

Drops file in System32 directory 3 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\7117748.dll | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
  File created | C:\Windows\SysWOW64\serivces.exe | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\serivces.exe | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | serivces.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | serivces.exe
Modifies data under HKEY_USERS 6 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | serivces.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | serivces.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | serivces.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | serivces.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | serivces.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | serivces.exe

Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes:
  pid | process
  1996 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
  2036 | serivces.exe
  (the remaining 51 entries all list pid 2036, serivces.exe)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1996 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid | process
  1996 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description | pid | process | target process
  PID 1996 wrote to memory of 1724 | 1996 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe | cmd.exe
  PID 1996 wrote to memory of 1724 | 1996 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe | cmd.exe
  PID 1996 wrote to memory of 1724 | 1996 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe | cmd.exe
  PID 1996 wrote to memory of 1724 | 1996 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe | cmd.exe
  PID 1724 wrote to memory of 1404 | 1724 | cmd.exe | PING.EXE
  PID 1724 wrote to memory of 1404 | 1724 | cmd.exe | PING.EXE
  PID 1724 wrote to memory of 1404 | 1724 | cmd.exe | PING.EXE
  PID 1724 wrote to memory of 1404 | 1724 | cmd.exe | PING.EXE
  PID 984 wrote to memory of 2036 | 984 | svchost.exe | serivces.exe
  PID 984 wrote to memory of 2036 | 984 | svchost.exe | serivces.exe
  PID 984 wrote to memory of 2036 | 984 | svchost.exe | serivces.exe
  PID 984 wrote to memory of 2036 | 984 | svchost.exe | serivces.exe
Processes

C:\Users\Admin\AppData\Local\Temp\aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe"
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1996
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1724
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 1
      - Runs ping.exe
      PID:1404

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "serivces"
  PID:1736

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "serivces"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:984
  C:\Windows\SysWOW64\serivces.exe
    Command line: C:\Windows\system32\serivces.exe "c:\windows\system32\7117748.dll",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2036
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 43KB
MD5: 51138beea3e2c21ec44d0932c71762a8
SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Filesize: 37KB
MD5: 01732383f30044f6f444c6ecd95ed05d
SHA1: b58c949261541e7599a4e9b3f79582d877aa8fe5
SHA256: 6cc07d2e4f2ab6c07a555d563865b060ee2a3c82cb57c13f5f56ec5c85a90255
SHA512: 7f4254ce85ff7d77f8e019c98e975e184e286de590cfcd8d99d50fc95861da2824bd99b0f45c0a84b92a6cce4357878d287bb62cdbb06a1323b7305426b33f37