Analysis
-
max time kernel
122s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-10-2022 00:24
Static task
static1
Behavioral task
behavioral1
Sample
fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Resource
win7-20220812-en
General
-
Target
fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
-
Size
192KB
-
MD5
6e7c22ad556f0e7c7fc423ed3b222ce8
-
SHA1
5a53aa8c4ba39a72700d0b1841c74564d3066e2e
-
SHA256
fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993
-
SHA512
5b0797c2a91828ed5d886c701d3795b8567cbdca6ad6435862ff30ff9682d6bdb6344e42616b319a83f964dc4c5208e80b84cd7aae5f9acd9a59a84cf46f591c
-
SSDEEP
3072:8SB23ZRnWUWwQ9LmtWegYpKd8W2/7ik2YvsolNI9cq97Lq74:8FPnWUWukYaNkrNxO7Lq
Malware Config
Signatures
-
Gh0st RAT payload 4 IoCs
resource                                          yara_rule
\??\c:\progra~3\applic~1\storm\update\kdsxy.dlc   family_gh0strat
C:\ProgramData\Storm\update\kdsxy.dlc             family_gh0strat
C:\ProgramData\Storm\update\kdsxy.dlc             family_gh0strat
C:\ProgramData\Storm\update\kdsxy.dlc             family_gh0strat
-
Loads dropped DLL 3 IoCs
Processes:
pid    process
4892   svchost.exe
2356   svchost.exe
3532   svchost.exe
-
Drops file in System32 directory 6 IoCs
Processes:
description                      ioc                                    process
File created                     C:\Windows\SysWOW64\aqjixitciu         svchost.exe
File opened for modification     C:\Windows\SysWOW64\svchost.exe.txt    svchost.exe
File created                     C:\Windows\SysWOW64\aqanvrcuvg         svchost.exe
File opened for modification     C:\Windows\SysWOW64\svchost.exe.txt    svchost.exe
File created                     C:\Windows\SysWOW64\apqsubjnjr         svchost.exe
File opened for modification     C:\Windows\SysWOW64\svchost.exe.txt    svchost.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
description                      ioc                                            process
File opened for modification     C:\PROGRA~3\APPLIC~1\Storm\update\kdsxy.dlc    fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
-
Program crash 3 IoCs
Processes:
pid    pid_target   process        target process
2016   4892         WerFault.exe   svchost.exe
428    2356         WerFault.exe   svchost.exe
4884   3532         WerFault.exe   svchost.exe
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
description                   pid    process
Token: SeBackupPrivilege      3316   fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeRestorePrivilege     3316   fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeBackupPrivilege      3316   fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeRestorePrivilege     3316   fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeBackupPrivilege      3316   fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeRestorePrivilege     3316   fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeBackupPrivilege      3316   fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeRestorePrivilege     3316   fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe
Token: SeBackupPrivilege      4892   svchost.exe
Token: SeRestorePrivilege     4892   svchost.exe
Token: SeBackupPrivilege      4892   svchost.exe
Token: SeBackupPrivilege      4892   svchost.exe
Token: SeSecurityPrivilege    4892   svchost.exe
Token: SeSecurityPrivilege    4892   svchost.exe
Token: SeBackupPrivilege      4892   svchost.exe
Token: SeBackupPrivilege      4892   svchost.exe
Token: SeSecurityPrivilege    4892   svchost.exe
Token: SeBackupPrivilege      4892   svchost.exe
Token: SeBackupPrivilege      4892   svchost.exe
Token: SeSecurityPrivilege    4892   svchost.exe
Token: SeBackupPrivilege      4892   svchost.exe
Token: SeRestorePrivilege     4892   svchost.exe
Token: SeBackupPrivilege      2356   svchost.exe
Token: SeRestorePrivilege     2356   svchost.exe
Token: SeBackupPrivilege      2356   svchost.exe
Token: SeBackupPrivilege      2356   svchost.exe
Token: SeSecurityPrivilege    2356   svchost.exe
Token: SeSecurityPrivilege    2356   svchost.exe
Token: SeBackupPrivilege      2356   svchost.exe
Token: SeBackupPrivilege      2356   svchost.exe
Token: SeSecurityPrivilege    2356   svchost.exe
Token: SeBackupPrivilege      3532   svchost.exe
Token: SeRestorePrivilege     3532   svchost.exe
Token: SeBackupPrivilege      3532   svchost.exe
Token: SeBackupPrivilege      3532   svchost.exe
Token: SeSecurityPrivilege    3532   svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe (PID 3316)
Command line: "C:\Users\Admin\AppData\Local\Temp\fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe"
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exe (PID 4892)
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (PID 2016, child of 4892)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 936
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4892 -ip 4892
-
C:\Windows\SysWOW64\svchost.exe (PID 2356)
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (PID 428, child of 2356)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1076
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2356 -ip 2356
-
C:\Windows\SysWOW64\svchost.exe (PID 3532)
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (PID 4884, child of 3532)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1100
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3532 -ip 3532
Network
MITRE ATT&CK Matrix
Downloads
-
C:\ProgramData\Storm\update\kdsxy.dlc
Filesize
1.6MB
MD5
68f5a48cfb84bd82c4645715520ed0e5
SHA1
d704e52e1f0c1af8d3d85e3cbc031d81db02ed0c
SHA256
c4f475d19a83434f929754d0f5e125cb9be2de403cec64e697a1ac45c8c4a30a
SHA512
59044f30fcb8949394e9e7c661a3b8b3be0c031c5671e6d887bb9b9fcdd35dc950557979cef6d4b57985e03cb131b6f501f840b31d3862550f8d8eda93f6a2f9
-
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
202B
MD5
0c29ab7d16fdaac3cdb8f57b39c70c79
SHA1
938923652f98adefa395320e353ff81f8fe15a5a
SHA256
f5989377e0eb6edcc7c24f0ca05109e7d2d6b864adb987bf75ed7e7ab51156f1
SHA512
b9bf1488323fbdc1c036e34d0f7176c600d7aba8d33e1a483eb5d7c2b7cc33da11905a13a114aab5b8c853238576c15bf7c32a6c49a054c7ca468298dcb2250c
-
C:\Windows\SysWOW64\svchost.exe.txt
Filesize
261B
MD5
bb6c212b6c6e3a5ad355e13fed5ec7b1
SHA1
bc321c5f17842db3a06bef602efed22c97153cb9
SHA256
d1cab7088ad51fea6a6be3e9a6aca420db87846cd5817466a7b6a5ba1f58875d
SHA512
37d08028de54c0cc593d3fb5659a87e0547a6732820ce18af67b87d3801822d83e884cd568069db6dfe06ca8c17aa15c456796a5f684603331949f9b7cc42c9e
-
\??\c:\progra~3\applic~1\storm\update\kdsxy.dlc
Filesize
1.6MB
MD5
68f5a48cfb84bd82c4645715520ed0e5
SHA1
d704e52e1f0c1af8d3d85e3cbc031d81db02ed0c
SHA256
c4f475d19a83434f929754d0f5e125cb9be2de403cec64e697a1ac45c8c4a30a
SHA512
59044f30fcb8949394e9e7c661a3b8b3be0c031c5671e6d887bb9b9fcdd35dc950557979cef6d4b57985e03cb131b6f501f840b31d3862550f8d8eda93f6a2f9
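The following matcher is an added example, not part of this sandbox report or of any vendor tooling. It takes the indicators the Signatures and Downloads sections above give (the dropper and kdsxy.dlc hashes, the ProgramData and SysWOW64 drop paths in both long and 8.3 spelling, the shape of the random 10-letter files created under SysWOW64, and the 32-bit svchost command line hosting fastuserswitchingcompatibility) and runs them over host telemetry. The event records are constructed to resemble Sysmon process-create and file-create fields; the assumption that no legitimate service in the monitored environment runs under that svchost group/service name in a 32-bit host is marked in the code.

```python
"""IoC matcher for the indicators in this Gh0st RAT sandbox report.

Added example, not part of the report. Hashes, paths and the svchost
command line are copied from the report; the telemetry records at the
bottom are constructed to resemble Sysmon EventID 1 / EventID 11 fields.
"""
import re

# Dropped-file hashes from the Downloads section.
DROPPED_SHA256 = {
    "c4f475d19a83434f929754d0f5e125cb9be2de403cec64e697a1ac45c8c4a30a": "kdsxy.dlc (Gh0st RAT payload)",
    "f5989377e0eb6edcc7c24f0ca05109e7d2d6b864adb987bf75ed7e7ab51156f1": "svchost.exe.txt (202B)",
    "d1cab7088ad51fea6a6be3e9a6aca420db87846cd5817466a7b6a5ba1f58875d": "svchost.exe.txt (261B)",
}
# The 192KB dropper itself (Target / SHA256 in the General section).
SAMPLE_SHA256 = "fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993"

# Drop paths as they appear in the report, lower-cased; the 8.3 form is the
# one the dropper used, the long form is what the svchost instances touched.
DROPPED_PATHS = {
    r"c:\programdata\storm\update\kdsxy.dlc",
    r"c:\progra~3\applic~1\storm\update\kdsxy.dlc",
    r"c:\windows\syswow64\svchost.exe.txt",
}

# All three svchost instances in the report ran with exactly this command line.
SVCHOST_CMDLINE = re.compile(
    r"svchost\.exe\s+-k\s+netsvcs\s+-s\s+fastuserswitchingcompatibility\b", re.I)

# The report shows 10-letter random names created under SysWOW64
# (aqjixitciu, aqanvrcuvg, apqsubjnjr); match the shape, not those names.
RANDOM_SYSWOW64 = re.compile(r"^c:\\windows\\syswow64\\[a-z]{10}$", re.I)


def normalize_path(path: str) -> str:
    """Lower-case and strip the NT object-manager prefix (\\??\\) that the
    report's first Gh0st IoC carries, so both spellings compare equal."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def match_event(event: dict) -> list[str]:
    """Return the indicator hits for one telemetry record (empty if benign)."""
    hits = []
    kind = event.get("type")
    if kind == "file_create":
        path = normalize_path(event.get("path", ""))
        if path in DROPPED_PATHS:
            hits.append(f"dropped-file path: {path}")
        if RANDOM_SYSWOW64.match(path):
            hits.append(f"random 10-letter file under SysWOW64: {path}")
        label = DROPPED_SHA256.get(event.get("sha256", "").lower())
        if label:
            hits.append(f"dropped-file hash: {label}")
    elif kind == "process_create":
        image = normalize_path(event.get("image", ""))
        cmdline = event.get("cmdline", "")
        if event.get("sha256", "").lower() == SAMPLE_SHA256:
            hits.append("sample hash: fb53dc42...b54993.exe")
        # Assumption (not from the report): in the monitored environment no
        # legitimate service is hosted by a 32-bit svchost under this
        # group/service name, so the combination seen in the report is a hit.
        if image.endswith(r"\syswow64\svchost.exe") and SVCHOST_CMDLINE.search(cmdline):
            hits.append("32-bit svchost hosting fastuserswitchingcompatibility")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run match_event over every record and keep only the ones with hits."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]


# Constructed telemetry: two benign records followed by four that mirror the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule", "sha256": "00" * 32},
    {"type": "file_create", "path": r"C:\Users\Admin\Documents\notes.txt", "sha256": "11" * 32},
    {"type": "process_create",
     "image": r"C:\Users\Admin\AppData\Local\Temp\fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\fb53dc4298dea72c241130592bd495d2e366a8a8d7bb2c678f16b22d16b54993.exe"',
     "sha256": SAMPLE_SHA256},
    {"type": "file_create", "path": r"\??\c:\progra~3\applic~1\storm\update\kdsxy.dlc",
     "sha256": "c4f475d19a83434f929754d0f5e125cb9be2de403cec64e697a1ac45c8c4a30a"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility", "sha256": "22" * 32},
    {"type": "file_create", "path": r"C:\Windows\SysWOW64\aqjixitciu", "sha256": "33" * 32},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, "; ".join(hits))
```

The hash entries only ever identify this exact build: the YARA family_gh0strat match in the report is on the 1.6MB kdsxy.dlc, not on the 192KB dropper, so a repack of the dropper with the same payload would still hit on the kdsxy.dlc hash, while a rebuilt payload would only be caught by the path, file-name shape and svchost command-line rules, which are the indicators that carry over between samples and also the ones most likely to need tuning against a given environment.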