Analysis
  max time kernel: 75s
  max time network: 142s
  platform: windows10-2004_x64
  resource: win10v2004-20220901-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23-09-2022 06:50

Static task: static1
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20220812-en, windows7-x64
  7 signatures
  150 seconds
General
  Target: tmp.exe
  Size: 66KB
  MD5: ff8f30cf7243c8a864b5dca79d9cbe22
  SHA1: e558aba2b1e09de0e6ba8843f1dacbecc82caf69
  SHA256: f0b0507a7776f22dea7cb17f5114113614af2abe5f47bcf504952d969ad9f102
  SHA512: ce69cc296337abafb13c93fe07c6d29082b17b42d88165d7d3549c11954a216b21a3a9bd19fa2473d69b5b19e04347c295e8c7329b2fd255b754b421995f98dc
  SSDEEP: 1536:LiRikCRxHp0QETd5gbfRJ1wxuMVngGF6BhWYP4IWY/2:e4xHcTdaJWwMkBV4A2
Malware Config
Signatures
- Gh0st RAT payload  1 IoCs
  Processes:
    resource                                                                       yara_rule
    behavioral2/memory/3304-132-0x0000000010000000-0x0000000010014000-memory.dmp   family_gh0strat

- Drops file in Program Files directory  2 IoCs
  Processes: tmp.exe
    description                   ioc                                          process
    File created                  C:\Program Files (x86)\Arrange\NULL.jpg      tmp.exe
    File opened for modification  C:\Program Files (x86)\Arrange\NULL.jpg      tmp.exe

- Checks processor information in registry  2 TTPs  2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes: tmp.exe
    description        ioc                                                                       process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0          tmp.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz     tmp.exe

- Suspicious behavior: EnumeratesProcesses  64 IoCs
  Processes: tmp.exe
    pid   process
    3304  tmp.exe   (this same row is listed 64 times in the report)

- Suspicious behavior: RenamesItself  1 IoCs
  Processes: tmp.exe
    pid   process
    3304  tmp.exe

- Suspicious use of SetWindowsHookEx  2 IoCs
  Processes: tmp.exe
    pid   process
    3304  tmp.exe
    3304  tmp.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory/3304-132-0x0000000010000000-0x0000000010014000-memory.dmp   Filesize: 80KB