Analysis
- max time kernel: 118s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 00:30
- Static task: static1
- Behavioral task: behavioral1
  - Sample: eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
  - Resource: win7-20220812-en
General
- Target: eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
- Size: 192KB
- MD5: 702395713f991c8ef6189f0c62d465f5
- SHA1: c2a01fb4fc43fe709732bafaf334bbb98755af5a
- SHA256: eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584
- SHA512: a17d03afe1011f1b199c1428a69c6b7d5dc536dadbf2fbbaeda362dd2fc6993139aa6ab5242223416b3b682e7e29712b32b1098f3a5543fd708c6affb3a811bc
- SSDEEP: 3072:lSB23ZRnWUWXzg5KHbFxlAPHX7JC2J/IPe25L/IV8/dHb7nslSlq:lFPnWUWX05KH3lAP37JC2J/IPeiD/Rjt
Malware Config
Signatures
- Gh0st RAT payload (4 IoCs)
  resource | yara_rule
  \??\c:\progra~3\applic~1\storm\update\enljb.dlc | family_gh0strat
  C:\ProgramData\Storm\update\enljb.dlc | family_gh0strat
  C:\ProgramData\Storm\update\enljb.dlc | family_gh0strat
  C:\ProgramData\Storm\update\enljb.dlc | family_gh0strat
- Loads dropped DLL (3 IoCs)
  Processes: svchost.exe, svchost.exe, svchost.exe
  pid | process
  212 | svchost.exe
  1296 | svchost.exe
  3088 | svchost.exe
- Drops file in System32 directory (6 IoCs)
  Processes: svchost.exe, svchost.exe, svchost.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\jkobshxxet | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
  File created | C:\Windows\SysWOW64\jssyythoea | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
  File created | C:\Windows\SysWOW64\jsjexdohrl | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
- Drops file in Program Files directory (1 IoC)
  Processes: eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
  description | ioc | process
  File opened for modification | C:\PROGRA~3\APPLIC~1\Storm\update\enljb.dlc | eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
- Program crash (3 IoCs)
  Processes: WerFault.exe, WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  2044 | 212 | WerFault.exe | svchost.exe
  2332 | 1296 | WerFault.exe | svchost.exe
  4876 | 3088 | WerFault.exe | svchost.exe
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Processes: eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe, svchost.exe, svchost.exe, svchost.exe
  description | pid | process
  Token: SeBackupPrivilege | 1292 | eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
  Token: SeRestorePrivilege | 1292 | eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
  Token: SeBackupPrivilege | 1292 | eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
  Token: SeRestorePrivilege | 1292 | eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
  Token: SeBackupPrivilege | 1292 | eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
  Token: SeRestorePrivilege | 1292 | eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
  Token: SeBackupPrivilege | 1292 | eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
  Token: SeRestorePrivilege | 1292 | eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
  Token: SeBackupPrivilege | 212 | svchost.exe
  Token: SeRestorePrivilege | 212 | svchost.exe
  Token: SeBackupPrivilege | 212 | svchost.exe
  Token: SeBackupPrivilege | 212 | svchost.exe
  Token: SeSecurityPrivilege | 212 | svchost.exe
  Token: SeSecurityPrivilege | 212 | svchost.exe
  Token: SeBackupPrivilege | 212 | svchost.exe
  Token: SeBackupPrivilege | 212 | svchost.exe
  Token: SeSecurityPrivilege | 212 | svchost.exe
  Token: SeBackupPrivilege | 212 | svchost.exe
  Token: SeBackupPrivilege | 212 | svchost.exe
  Token: SeSecurityPrivilege | 212 | svchost.exe
  Token: SeBackupPrivilege | 212 | svchost.exe
  Token: SeRestorePrivilege | 212 | svchost.exe
  Token: SeBackupPrivilege | 1296 | svchost.exe
  Token: SeRestorePrivilege | 1296 | svchost.exe
  Token: SeBackupPrivilege | 1296 | svchost.exe
  Token: SeBackupPrivilege | 1296 | svchost.exe
  Token: SeSecurityPrivilege | 1296 | svchost.exe
  Token: SeSecurityPrivilege | 1296 | svchost.exe
  Token: SeBackupPrivilege | 1296 | svchost.exe
  Token: SeBackupPrivilege | 1296 | svchost.exe
  Token: SeSecurityPrivilege | 1296 | svchost.exe
  Token: SeBackupPrivilege | 1296 | svchost.exe
  Token: SeBackupPrivilege | 1296 | svchost.exe
  Token: SeSecurityPrivilege | 1296 | svchost.exe
  Token: SeBackupPrivilege | 1296 | svchost.exe
  Token: SeRestorePrivilege | 1296 | svchost.exe
  Token: SeBackupPrivilege | 3088 | svchost.exe
  Token: SeRestorePrivilege | 3088 | svchost.exe
  Token: SeBackupPrivilege | 3088 | svchost.exe
  Token: SeBackupPrivilege | 3088 | svchost.exe
  Token: SeSecurityPrivilege | 3088 | svchost.exe
  Token: SeSecurityPrivilege | 3088 | svchost.exe
  Token: SeBackupPrivilege | 3088 | svchost.exe
  Token: SeBackupPrivilege | 3088 | svchost.exe
  Token: SeSecurityPrivilege | 3088 | svchost.exe
  Token: SeBackupPrivilege | 3088 | svchost.exe
  Token: SeBackupPrivilege | 3088 | svchost.exe
  Token: SeSecurityPrivilege | 3088 | svchost.exe
  Token: SeBackupPrivilege | 3088 | svchost.exe
  Token: SeRestorePrivilege | 3088 | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb71cb4f8955cb0f0f4f56605fc76c6c6b7e5f655c0f34e34c83648b20711584.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Child process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 864
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 212 -ip 212
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Child process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 832
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1296 -ip 1296
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Child process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 884
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3088 -ip 3088
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\Storm\update\enljb.dlc
  Filesize: 896KB
  MD5: b3758a0a553fd8b89cfe1db692b81026
  SHA1: 449bd6c3e272b74b12eb5fc6b5b068dbc5abaa5d
  SHA256: 4edb1d530db90f459be6ed88bb576732ca39a598850221f151c20064d3b92680
  SHA512: 20cbbeb7924f7b05bc97dfc58deb79092630f4301e03c3196b8dfff9dbeccb66462f70a218f30ff81d06c870325cdc8bcb5cb850ef99ac4cf4f55a14319f8c1f
- C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 201B
  MD5: 1d0a2e28fc3087ae6cd8d8b273223dd8
  SHA1: a27c51dc5a9a776aeeacfc3a7afaa135eaeb3ab5
  SHA256: 09550f91830ad3e98a9a101864700304b4409e1b66cb058359091ec7bf2047af
  SHA512: 643cc5e05e173f96454f5e61c7a1c5745a74a189935f21ef87798536ca46f13a77845dbe6ba0403dde54d24feca9f5370ef6ce3d48002697589317f96095006b
- C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 302B
  MD5: 485ef44c47d697dd0d25ad2693c249ca
  SHA1: 27ed455d300e365535225b00ea6fa3f43f552a59
  SHA256: a269a456433d9c1e8f12edf50c3b997df149d66b0fa7e9b449bf122aa57c4b29
  SHA512: e56c248c0428561c349348b9128b9e020eeb5616c41e6003dd68e09fe1d23faba0715116081cb9aaf2c8e32f8b18e13f5585267bea2e6384cac05e4bf5d1318b
- \??\c:\progra~3\applic~1\storm\update\enljb.dlc
  Filesize: 896KB
  MD5: b3758a0a553fd8b89cfe1db692b81026
  SHA1: 449bd6c3e272b74b12eb5fc6b5b068dbc5abaa5d
  SHA256: 4edb1d530db90f459be6ed88bb576732ca39a598850221f151c20064d3b92680
  SHA512: 20cbbeb7924f7b05bc97dfc58deb79092630f4301e03c3196b8dfff9dbeccb66462f70a218f30ff81d06c870325cdc8bcb5cb850ef99ac4cf4f55a14319f8c1f