Analysis

max time kernel: 43s
max time network: 143s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-09-2022 06:50

Static task: static1

Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20220812-en (windows7-x64)
  Signatures: 7
  Run time: 150 seconds
General

Target: tmp.exe
Size: 66KB
MD5: ff8f30cf7243c8a864b5dca79d9cbe22
SHA1: e558aba2b1e09de0e6ba8843f1dacbecc82caf69
SHA256: f0b0507a7776f22dea7cb17f5114113614af2abe5f47bcf504952d969ad9f102
SHA512: ce69cc296337abafb13c93fe07c6d29082b17b42d88165d7d3549c11954a216b21a3a9bd19fa2473d69b5b19e04347c295e8c7329b2fd255b754b421995f98dc
SSDEEP: 1536:LiRikCRxHp0QETd5gbfRJ1wxuMVngGF6BhWYP4IWY/2:e4xHcTdaJWwMkBV4A2
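The hashes above are the quickest way to pivot from this report to a file found on a host or in a mail gateway. The following is an added example, not part of the sandbox report or any vendor tooling: it computes the same four digests the report lists in a single pass over the file and declares a match only when every listed algorithm agrees, so a single stale or mistyped IoC value cannot produce a false "known sample" verdict. The REPORT_HASHES values are copied from this page; the input bytes used in the usage call are constructed.

```python
import hashlib
import sys
from pathlib import Path

# IoC hashes for tmp.exe, copied from the report's "General" section.
REPORT_HASHES = {
    "md5": "ff8f30cf7243c8a864b5dca79d9cbe22",
    "sha1": "e558aba2b1e09de0e6ba8843f1dacbecc82caf69",
    "sha256": "f0b0507a7776f22dea7cb17f5114113614af2abe5f47bcf504952d969ad9f102",
    "sha512": (
        "ce69cc296337abafb13c93fe07c6d29082b17b42d88165d7d3549c11954a216b"
        "21a3a9bd19fa2473d69b5b19e04347c295e8c7329b2fd255b754b421995f98dc"
    ),
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_bytes(data: bytes) -> dict:
    """Compute all four digests in one pass over the data.

    The data is fed in 64 KiB chunks so the same loop is usable for large
    files without holding several copies in memory.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    view = memoryview(data)
    for start in range(0, len(view), 65536):
        chunk = view[start:start + 65536]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path) -> dict:
    return digest_bytes(Path(path).read_bytes())


def match_iocs(digests: dict, iocs: dict = REPORT_HASHES) -> dict:
    """Per-algorithm comparison, case-insensitive, over the algorithms present in both dicts."""
    return {
        name: digests[name].lower() == iocs[name].lower()
        for name in iocs
        if name in digests
    }


def is_known_sample(digests: dict, iocs: dict = REPORT_HASHES) -> bool:
    """True only when every algorithm listed in the IoC set matches.

    A partial hit (some algorithms match, others do not) is treated as a
    mismatch: either the file differs or the IoC record is corrupt, and
    neither case should be reported as a confirmed match.
    """
    results = match_iocs(digests, iocs)
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Usage: python hashcheck.py <file> [<file> ...]
    # With no arguments, run against a constructed byte string to show the output shape.
    targets = sys.argv[1:]
    if not targets:
        d = digest_bytes(b"constructed sample input, not the real tmp.exe")
        print("constructed input", "MATCH" if is_known_sample(d) else "no match", d["sha256"])
    for arg in targets:
        d = digest_file(arg)
        print(arg, "MATCH" if is_known_sample(d) else "no match", d["sha256"])
```

SSDEEP is deliberately left out: it is a fuzzy hash, so "equal or not" is the wrong comparison, and computing it needs the ssdeep library rather than the standard library. Compare it separately with a similarity threshold when hunting for repacked variants.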
Malware Config
Signatures

Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/1808-55-0x0000000010000000-0x0000000010014000-memory.dmp
  yara_rule: family_gh0strat
Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Arrange\NULL.jpg (process: tmp.exe)
  File opened for modification: C:\Program Files (x86)\Arrange\NULL.jpg (process: tmp.exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: tmp.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: tmp.exe)
Suspicious behavior: EnumeratesProcesses (38 IoCs)
  pid 1808, tmp.exe (reported 38 times)
Suspicious behavior: RenamesItself (1 IoC)
  pid 1808, tmp.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1808, tmp.exe (reported 2 times)
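The two behavioural signatures with concrete IoCs, the read of CentralProcessor\0\~MHz and the drop of NULL.jpg under Program Files (x86), are the ones worth turning into a host detection. The block below is an added example and not part of the report: it runs the two checks over constructed EDR-style event records and rates a process "high" only when the same pid shows both behaviours, because the CPU key read on its own is also performed by plenty of legitimate software. The record format (Operation, ProcessId, Image, TargetObject, TargetFilename as key=value pairs) is an assumption chosen for the example, not any vendor's schema, and all the sample events are constructed; only the registry and file paths come from the report.

```python
import re
from collections import defaultdict

# Constructed EDR-style records (key=value, quoted where the value has spaces).
# Field names are assumptions for this example, not a real product's schema.
SAMPLE_EVENTS = [
    'Operation=ProcessStart ProcessId=1808 Image="C:\\Users\\user\\tmp.exe"',
    'Operation=RegOpenKey ProcessId=1808 Image="C:\\Users\\user\\tmp.exe" '
    'TargetObject="HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"',
    'Operation=RegQueryValue ProcessId=1808 Image="C:\\Users\\user\\tmp.exe" '
    'TargetObject="HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz"',
    'Operation=FileCreate ProcessId=1808 Image="C:\\Users\\user\\tmp.exe" '
    'TargetFilename="C:\\Program Files (x86)\\Arrange\\NULL.jpg"',
    # Benign noise: a system service reading the same CPU value.
    'Operation=RegQueryValue ProcessId=812 Image="C:\\Windows\\System32\\svchost.exe" '
    'TargetObject="HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz"',
    # Benign noise: an installer writing into Program Files without probing the CPU key.
    'Operation=FileCreate ProcessId=2044 Image="C:\\Windows\\Temp\\setup.exe" '
    'TargetFilename="C:\\Program Files\\Vendor\\app.exe"',
]

# Registry value the sample queried (path from the report, hive prefix made flexible).
CPU_MHZ_VALUE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz$", re.I)
# Any file creation directly under Program Files or Program Files (x86).
PROGRAM_FILES_DROP = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", re.I)

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split one key=value record into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def analyse(lines):
    """Collect, per pid, whether it probed the CPU MHz value and which files it
    created under Program Files. Only pids with at least one hit are returned."""
    per_proc = defaultdict(lambda: {"image": None, "cpu_probe": False, "drops": []})
    for line in lines:
        ev = parse_event(line)
        pid = ev.get("ProcessId")
        if pid is None:
            continue
        rec = per_proc[pid]
        rec["image"] = ev.get("Image", rec["image"])
        if ev.get("Operation") == "RegQueryValue" and CPU_MHZ_VALUE.search(ev.get("TargetObject", "")):
            rec["cpu_probe"] = True
        if ev.get("Operation") == "FileCreate" and PROGRAM_FILES_DROP.match(ev.get("TargetFilename", "")):
            rec["drops"].append(ev["TargetFilename"])
    return {pid: rec for pid, rec in per_proc.items() if rec["cpu_probe"] or rec["drops"]}


def triage(lines) -> dict:
    """Map pid -> severity. 'high' when one process both reads the CPU MHz value and
    drops a file into Program Files (the combination this report shows for pid 1808);
    'low' when only one of the two behaviours is seen."""
    return {
        pid: ("high" if rec["cpu_probe"] and rec["drops"] else "low")
        for pid, rec in analyse(lines).items()
    }


if __name__ == "__main__":
    for pid, rec in analyse(SAMPLE_EVENTS).items():
        print(pid, rec["image"], triage(SAMPLE_EVENTS)[pid], rec["drops"])
```

One caveat before deploying this: Sysmon does not record registry reads (its registry events cover key create/delete, value set and rename), so the RegQueryValue half of the rule needs telemetry from an EDR that logs key and value reads, or a SACL on HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor with object-access auditing enabled. The file-creation half maps directly onto Sysmon Event ID 11.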