Analysis

max time kernel: 185s
max time network: 195s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 04:58
Behavioral task: behavioral1
Sample: aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
Resource: win7-20220718-en

Behavioral task: behavioral2
Sample: aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
Resource: win10v2004-20220721-en
General

Target: aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
Size: 32KB
MD5: 162f53c58e2e4f9d670446a7c7c0cfff
SHA1: af737da1835e56105d29527022dafb83e4e13937
SHA256: aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856
SHA512: 7e37aab76bb83dd0f58db973add99d0c6157c80cf2a89b3b92fe951ebab7eeb7bb7ac2012a01358481c8c8d7e2b21b9d8209a700a7802751aa74d3854f19c0a5
Malware Config

Signatures

Gh0st RAT payload (5 IoCs)
Processes:
resource | yara_rule
C:\Windows\SysWOW64\240587578.dll | family_gh0strat
C:\Windows\SysWOW64\240587578.dll | family_gh0strat
\??\c:\windows\SysWOW64\240587578.dll | family_gh0strat
behavioral2/memory/4356-135-0x0000000000400000-0x0000000000420000-memory.dmp | family_gh0strat
C:\Windows\SysWOW64\240587578.dll | family_gh0strat
RunningRat
RunningRat is a remote access trojan first seen in 2018.
Executes dropped EXE (1 IoC)
Processes:
pid | process
2088 | serivces.exe
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\serivces\Parameters\ServiceDll = "C:\\Windows\\system32\\240587578.dll" | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
Processes:
resource | yara_rule
behavioral2/memory/4356-130-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral2/memory/4356-135-0x0000000000400000-0x0000000000420000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
Loads dropped DLL (3 IoCs)
Processes:
pid | process
4356 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
2388 | svchost.exe
2088 | serivces.exe
Creates a Windows Service
Drops file in System32 directory (3 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\240587578.dll | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
File created | C:\Windows\SysWOW64\serivces.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\serivces.exe | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | serivces.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | serivces.exe
Modifies data under HKEY_USERS (5 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | serivces.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | serivces.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | serivces.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | serivces.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | serivces.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
4356 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
4356 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
2088 | serivces.exe (this same entry is repeated for the remaining 62 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 4356 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
4356 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 4356 wrote to memory of 2744 | 4356 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe | cmd.exe
PID 4356 wrote to memory of 2744 | 4356 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe | cmd.exe
PID 4356 wrote to memory of 2744 | 4356 | aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe | cmd.exe
PID 2744 wrote to memory of 3444 | 2744 | cmd.exe | PING.EXE
PID 2744 wrote to memory of 3444 | 2744 | cmd.exe | PING.EXE
PID 2744 wrote to memory of 3444 | 2744 | cmd.exe | PING.EXE
PID 2388 wrote to memory of 2088 | 2388 | svchost.exe | serivces.exe
PID 2388 wrote to memory of 2088 | 2388 | svchost.exe | serivces.exe
PID 2388 wrote to memory of 2088 | 2388 | svchost.exe | serivces.exe
Processes

C:\Users\Admin\AppData\Local\Temp\aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe"
  - Sets DLL path for service in the registry
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4356

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\aab860136a482df72beb37e9f7d5f8284fe663879588203143729c4190fec856.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2744

        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1 -n 1
          - Runs ping.exe
          PID: 3444

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "serivces"
  PID: 3572

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "serivces"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2388

    C:\Windows\SysWOW64\serivces.exe
      Command line: C:\Windows\system32\serivces.exe "c:\windows\system32\240587578.dll",MainThread
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID: 2088
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 37KB
MD5: 01732383f30044f6f444c6ecd95ed05d
SHA1: b58c949261541e7599a4e9b3f79582d877aa8fe5
SHA256: 6cc07d2e4f2ab6c07a555d563865b060ee2a3c82cb57c13f5f56ec5c85a90255
SHA512: 7f4254ce85ff7d77f8e019c98e975e184e286de590cfcd8d99d50fc95861da2824bd99b0f45c0a84b92a6cce4357878d287bb62cdbb06a1323b7305426b33f37

Filesize: 60KB
MD5: 889b99c52a60dd49227c5e485a016679
SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641