Analysis
max time kernel: 173s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2022 15:54
Behavioral task behavioral1
Sample: e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Resource: win7-20220901-en

Behavioral task behavioral2
Sample: e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Resource: win10v2004-20220812-en
General
Target: e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Size: 156KB
MD5: 1710258343ac8af4dae7b976125f119f
SHA1: c69a8f32b03fb5630ba33be642fcff4a756f8cec
SHA256: e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf
SHA512: 51bf5c9c4f797b755b7e080a31eecdbd74f352472a362a8133d584f6de569ecce11b764d46f8176162c49ee181820a1ba44005149dbe1a80684fb89e3f1db0c9
SSDEEP: 3072:dVZd5rnmoWOQrkdJv5hMFULTvtcMk8Lyji8lkivl05K3i+ITqn:dXd5rmoWOQsJRG4GMkSQi8Tvl05K3DIk
Malware Config
Signatures
Gh0st RAT payload 4 IoCs
resource | yara_rule
behavioral2/files/0x001b00000001d9f9-134.dat | family_gh0strat
behavioral2/files/0x001b00000001d9f9-133.dat | family_gh0strat
behavioral2/files/0x000300000001e64d-136.dat | family_gh0strat
behavioral2/files/0x000300000001e64d-137.dat | family_gh0strat

Executes dropped EXE 1 IoCs
pid | Process
4964 | inpleqlxa.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{igtln61s-rmi4-bfmk-4770-2btbt0k82b2y} | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{igtln61s-rmi4-bfmk-4770-2btbt0k82b2y}\ = "ϵͳÉèÖÃ" | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{igtln61s-rmi4-bfmk-4770-2btbt0k82b2y}\stubpath = "C:\\Windows\\System32\\inpleqlxa.exe" | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe

Loads dropped DLL 1 IoCs
pid | Process
524 | userinit.exe

Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\inpleqlxa.exe | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
File created | C:\Windows\SysWOW64\inpleqlxa.exe_lang.ini | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
File opened for modification | C:\Windows\SysWOW64\inpleqlxa.exe_lang.ini | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2508 | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
2508 | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
4964 | inpleqlxa.exe
4964 | inpleqlxa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2508 | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
Token: SeDebugPrivilege | 4964 | inpleqlxa.exe

Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 2508 wrote to memory of 4964 | 2508 | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe | 81
PID 2508 wrote to memory of 4964 | 2508 | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe | 81
PID 2508 wrote to memory of 4964 | 2508 | e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe | 81
PID 4964 wrote to memory of 524 | 4964 | inpleqlxa.exe | 82
PID 4964 wrote to memory of 524 | 4964 | inpleqlxa.exe | 82
PID 4964 wrote to memory of 524 | 4964 | inpleqlxa.exe | 82
PID 4964 wrote to memory of 524 | 4964 | inpleqlxa.exe | 82
Processes
1. C:\Users\Admin\AppData\Local\Temp\e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe"
   PID: 2508
   - Modifies Installed Components in the registry
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\inpleqlxa.exe
      command line: C:\Windows\System32\inpleqlxa.exe
      PID: 4964
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\userinit.exe
         command line: userinit.exe
         PID: 524
         - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 114KB
MD5: 84969a0da5920a151b8ae9b4c1afde4c
SHA1: 284cb96c3933a99d03b8646d22b451d3f5d90a23
SHA256: 31f523ab4050c6d591dde7cd9ed7a23a38bedd1e1a7a410bada2674e368c983e
SHA512: 807a215d60a8c3bd19fc27a0c1bfa354c23667106a3611da8a5c78a836cab067a5b5104d33ea1f37a8828ad7ec2d6536ac5d9d73efd9f41091a98090c13a1046

Filesize: 156KB
MD5: 0893d226328a4c39bd926eaf9fb56a01
SHA1: daeb9f8a694834700b01dd59fafb7948f288c4e1
SHA256: ba13c41f8274d831167ce8e919a73082d584cd3712ccbb3c242d1c1a69033c50
SHA512: 63405540c2dec09ed27a5b721efb2cbd33240a52eb5ea219e5c134140698ce0cff88537d9e9fecb4d463db31f4703373f9176684397aec8badb6705b5e24af7d