Analysis
- max time kernel: 192s
- max time network: 212s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2022, 16:53 UTC
Static task: static1
Behavioral task: behavioral1
Sample: a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Resource: win7-20220812-en
Note: the task list above names the behavioral1 run on win7-20220812-en, but the signature hits, process tree and network data below are from the behavioral2 run on windows10-2004_x64 (the resource paths are prefixed behavioral2/).
General
- Target: a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
- Size: 144KB
- MD5: 19e0e8ac9b12a73462419a205f63fe21
- SHA1: 223b5e205b2794df4406a6f706408b2570f62477
- SHA256: a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9
- SHA512: 8026e25f24eaa0f82f6e31b822ad571cb846eaaf8d885ebce45276470486b07b79eb1a7780db5ce6900525eea1c6548aad401cf65f9ca09aee3e7f509847c82d
- SSDEEP: 3072:5VK1M+IRHl+BSVIKISNq+Ha29M9U5EGzGv48YfIqRDUcEuccxB:5sC+wHlCSQSNqea29M9Udk4wqRDCxc/
Malware Config: (none shown in the report)
Signatures

Gh0st RAT payload (6 IoCs)
resource | yara_rule
behavioral2/memory/4736-132-0x0000000000530000-0x000000000055B000-memory.dmp | family_gh0strat
behavioral2/memory/4736-133-0x0000000000400000-0x0000000000427000-memory.dmp | family_gh0strat
behavioral2/files/0x000b000000022e50-134.dat | family_gh0strat
behavioral2/files/0x000a000000022e5d-135.dat | family_gh0strat
behavioral2/files/0x000a000000022e5d-136.dat | family_gh0strat
behavioral2/files/0x000b000000022e50-138.dat | family_gh0strat

Loads dropped DLL (2 IoCs)
pid | Process
4736 | a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
3080 | svchost.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Vlal\Waojxeqoi.gif | a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
File created | C:\Program Files (x86)\Vlal\Waojxeqoi.gif | a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3080 | svchost.exe (all 64 hits are from this one process)

Suspicious behavior: LoadsDriver (6 IoCs)
pid | Process
4 | Process not Found (5 hits; pid 4 is the Windows System process, which the sandbox does not resolve by name)
660 | Process not Found (1 hit)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeBackupPrivilege (4 hits) | 4736 | a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Token: SeRestorePrivilege (4 hits, alternating with the SeBackupPrivilege hits) | 4736 | a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe"
  PID: 4736
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 3080
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
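The signatures and process tree above describe one chain: the submitted executable (pid 4736) enables SeBackupPrivilege and SeRestorePrivilege, writes Waojxeqoi.gif under C:\Program Files (x86)\Vlal\, and a 32-bit svchost.exe started with -k imgsvc (pid 3080) then loads a dropped DLL. The script below is an added example, not part of the sandbox report and not Gh0st RAT or sandbox code; it correlates that chain over a constructed, simplified Sysmon-like log (pipe-delimited lines in an assumed format) so it runs offline. The event kinds, field names and the benign rows are assumptions; the pids, paths and service group mirror the report.

```python
"""Correlate dropper -> Program Files drop -> svchost.exe -k <group> image load.

Added example; the log format below is an assumed, simplified Sysmon-like
layout (timestamp|kind|pid|key=value|...), not real sandbox or Sysmon output.
"""
import re
from collections import defaultdict

# Constructed sample telemetry. Pids 4736/3080, the dropped path and the
# "-k imgsvc" group mirror the report; pids 900 and 1234 are benign filler.
SAMPLE_LOG = """\
16:53:01|process_create|4736|image=C:\\Users\\Admin\\AppData\\Local\\Temp\\a8edb7042563ce6592ed2c5a23dcf8081f90a10d0d5ccb97c3e3bae46d1179a9.exe
16:53:02|token_adjust|4736|privilege=SeBackupPrivilege
16:53:02|token_adjust|4736|privilege=SeRestorePrivilege
16:53:03|file_create|4736|path=C:\\Program Files (x86)\\Vlal\\Waojxeqoi.gif
16:53:04|process_create|3080|image=C:\\Windows\\SysWOW64\\svchost.exe|cmdline=C:\\Windows\\SysWOW64\\svchost.exe -k imgsvc
16:53:05|image_load|3080|path=C:\\Program Files (x86)\\Vlal\\Waojxeqoi.gif
16:53:06|process_create|900|image=C:\\Program Files (x86)\\Vendor\\setup.exe
16:53:07|file_create|900|path=C:\\Program Files (x86)\\Vendor\\logo.gif
16:53:08|image_load|900|path=C:\\Program Files (x86)\\Vendor\\helper.dll
16:53:09|process_create|1234|image=C:\\Windows\\System32\\svchost.exe|cmdline=C:\\Windows\\System32\\svchost.exe -k netsvcs
16:53:10|image_load|1234|path=C:\\Windows\\System32\\wuaueng.dll
"""

PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
# Extensions a service DLL would not normally carry; tune to your estate.
DISGUISE_EXTS = (".gif", ".jpg", ".png", ".bmp", ".txt", ".dat", ".tmp")
BACKUP_RESTORE = {"SeBackupPrivilege", "SeRestorePrivilege"}
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)


def parse_line(line):
    """Turn one 'ts|kind|pid|k=v|k=v' line into a dict (assumed format)."""
    ts, kind, pid, *fields = line.split("|")
    ev = {"ts": ts, "kind": kind, "pid": int(pid)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def detect_service_dll_drop(log_text):
    """Return one alert per dropped file that a 'svchost.exe -k' host loads.

    State kept across the stream: privileges enabled per pid, files written
    under Program Files with a non-executable extension, and the service
    group of every svchost.exe seen. An image_load by a svchost pid of a
    tracked dropped file closes the chain.
    """
    privs = defaultdict(set)   # pid -> privileges enabled via token_adjust
    drops = {}                 # lowercased path -> dropper pid
    groups = {}                # svchost pid -> '-k' service group
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        kind, pid = ev["kind"], ev["pid"]
        if kind == "token_adjust":
            privs[pid].add(ev["privilege"])
        elif kind == "file_create":
            path = ev["path"].lower()
            if path.startswith(PROGRAM_FILES) and path.endswith(DISGUISE_EXTS):
                drops[path] = pid
        elif kind == "process_create":
            match = SVCHOST_RE.search(ev.get("cmdline", ""))
            if match:
                groups[pid] = match.group(1)
        elif kind == "image_load":
            path = ev["path"].lower()
            if path in drops and pid in groups:
                dropper = drops[path]
                priv_hits = sorted(privs[dropper] & BACKUP_RESTORE)
                alerts.append({
                    "dropper_pid": dropper,
                    "svchost_pid": pid,
                    "service_group": groups[pid],
                    "path": ev["path"],
                    "backup_restore_privs": priv_hits,
                    # Both privileges on the dropper matches the report; treat
                    # the load alone as medium confidence.
                    "severity": "high" if len(priv_hits) == 2 else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_service_dll_drop(SAMPLE_LOG):
        print(alert)
```

Only the report's chain fires: pid 900 also writes a .gif under Program Files (x86), but nothing hosted by svchost.exe loads it, and the netsvcs host at pid 1234 loads a DLL that was never dropped. A file written under Program Files with an image extension is still worth a low-confidence alert on its own; the image load by a -k host is what raises it to a service-DLL install.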
Network
- DNS to 8.8.8.8:53: PTR query for 15.89.54.20.in-addr.arpa (reverse lookup of 20.54.89.15); response: (empty in the report)
- DNS to 8.8.8.8:53: PTR query for 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa (reverse lookup of 2603:1030:c04:3::82); response: (empty in the report)
- Remaining flows (only size and packet-count columns survive in the extraction): 322 B / 7 packets (five flows), 260 B / 5 packets, and one flow of 46 B sent / 40 B received, 1 packet each way
Downloads
- 101KB file (listed twice in the source)
  MD5: 9a321afedb20299237990eab5f04438a
  SHA1: cfa0ee092174d53d23b80d4c08f1b122958c50f1
  SHA256: ea4c6fc4b5fe10c83af82d5104d5a9b8c528fd383cce4677c0d10c708732c3bb
  SHA512: dd63b78f80897bd585721694f7392daa10550a66b0d3d71371f86aaebec948d09b23a5db8044b0d5c39a119b6cf5e28b77bd23af9f129da6693021673d2de23b
- 12.1MB file (listed twice in the source)
  MD5: e0fefecf94066d11db1436322daec48d
  SHA1: 027d6953fbe24bfa09234633a20c786be8453888
  SHA256: 9f03e7084ac0c8c51262598f9e21fa1ba6e0d78a0103b4035ea3401e10fff003
  SHA512: abbf62005ceff8162173e601b70b1463558c005746961f04ad9989855637413fbde34d357464b15e9511b4ed9b17aefbc7e4f7d475dcc2416809880d2973d18a
- 117B file
  MD5: c7de3d6c7ac8ec70bf0f53dd3a57d56d
  SHA1: 23d7baba1ad449cdd15ab4fc5eeeff7810c5ed81
  SHA256: 006ba4487ca0fb1e889b79870353147c793ca4fc81d80063b6f775b13ad4532c
  SHA512: 2858ddee8c28f6104532d0101d6ec6812a459ae0a60ae961e838b489fe71582027696f767144f53076c5c27a9347f300daf186a6c1813ab88f55824e8c4371b5