Analysis
Max time kernel: 20s
Max time network: 172s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 13-10-2022 01:22
Behavioral task behavioral1
Sample: c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
Resource: win10v2004-20220812-en
General
Target: c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
Size: 33KB
MD5: fc4fbe618aa4f23e8bbbfa0babb0e4ff
SHA1: cc3eeed97dd8c71f08992cbba002d9cefc6f6585
SHA256: c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0
SHA512: 4c3eac897ec9e5309a159c2df4094482df4d8ec4d3a7f1b13d12cb3530f3b63d1be3044bfe5f1b2679d473aaa0563b886c4f9d873f5572ececd316707978a4cf
SSDEEP: 768:Yw/iOWTK3JWhOM/qZh7UJGcZ/VQRpWGKnbcuyD7UmGV:3QK52fqZSIA9QQnouy8mGV
Malware Config
Signatures
Gh0st RAT payload (8 IoCs)
Processes (resource / yara_rule):
  \Windows\SysWOW64\7101009.dll  family_gh0strat  (6 matches)
  \??\c:\windows\SysWOW64\7101009.dll  family_gh0strat
  behavioral1/memory/880-60-0x0000000000400000-0x0000000000420000-memory.dmp  family_gh0strat
RunningRat
RunningRat is a remote access trojan first seen in 2018.
RunningRat payload (1 IoC)
Processes (resource / yara_rule):
  behavioral1/memory/880-55-0x0000000000400000-0x0000000000420000-memory.dmp  family_runningrat
Executes dropped EXE (1 IoC)
Processes (pid / process):
  1640  serivecs.exe
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\serivecs\Parameters\ServiceDll = "C:\\Windows\\system32\\7101009.dll"  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
Processes (resource / yara_rule):
  behavioral1/memory/880-55-0x0000000000400000-0x0000000000420000-memory.dmp  upx
  behavioral1/memory/880-60-0x0000000000400000-0x0000000000420000-memory.dmp  upx
Deletes itself (1 IoC)
Processes (pid / process):
  852  cmd.exe
Loads dropped DLL (7 IoCs)
Processes (pid / process):
  880   c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
  632   svchost.exe  (2 entries)
  1640  serivecs.exe  (4 entries)
Creates a Windows Service
-
Drops file in System32 directory (3 IoCs)
Processes (description / ioc / process):
  File created  C:\Windows\SysWOW64\7101009.dll  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
  File created  C:\Windows\SysWOW64\serivecs.exe  svchost.exe
  File opened for modification  C:\Windows\SysWOW64\serivecs.exe  svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  serivecs.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  serivecs.exe
Modifies data under HKEY_USERS (5 IoCs)
Processes (description / ioc / process):
  Key created  \REGISTRY\USER\.DEFAULT\Software  serivecs.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  serivecs.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie  serivecs.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum  serivecs.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"  serivecs.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (52 IoCs)
Processes (pid / process):
  880   c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe  (1 entry)
  1640  serivecs.exe  (51 entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege  880  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
  880  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
  PID 880 wrote to memory of 852   c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe -> cmd.exe  (4 entries)
  PID 852 wrote to memory of 1720  cmd.exe -> PING.EXE  (4 entries)
  PID 632 wrote to memory of 1640  svchost.exe -> serivecs.exe  (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe"
  PID: 880
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe"
    PID: 852
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 1
      PID: 1720
      - Runs ping.exe
C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "serivecs"
  PID: 1376
C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "serivecs"
  PID: 632
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\serivecs.exe
    Command line: C:\Windows\system32\serivecs.exe "c:\windows\system32\7101009.dll",MainThread
    PID: 1640
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 43KB
MD5: 51138beea3e2c21ec44d0932c71762a8
SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Filesize: 37KB
MD5: e6c90401901f1c50afcd1d33d7d38e9c
SHA1: 1bb4d24d064a2545d1a4a4b8d7291b33713b5c43
SHA256: a7437b4a3c4657c7d9ec14e6b31b673228efd4fa508b2b9805643c2d75878e1d
SHA512: 83275f0e5ce1eda75d41343b1f3d3de67a7a5910b0919cdc5bdec4fd1998b5ca6186651ddfe2bd379488fa670fd2634153ba26e2e42af71327398f4f852bbb9a