Analysis
max time kernel: 122s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2022 01:22
Behavioral task: behavioral1
  Sample: c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
  Resource: win10v2004-20220812-en
General
Target: c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
Size: 33KB
MD5: fc4fbe618aa4f23e8bbbfa0babb0e4ff
SHA1: cc3eeed97dd8c71f08992cbba002d9cefc6f6585
SHA256: c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0
SHA512: 4c3eac897ec9e5309a159c2df4094482df4d8ec4d3a7f1b13d12cb3530f3b63d1be3044bfe5f1b2679d473aaa0563b886c4f9d873f5572ececd316707978a4cf
SSDEEP: 768:Yw/iOWTK3JWhOM/qZh7UJGcZ/VQRpWGKnbcuyD7UmGV:3QK52fqZSIA9QQnouy8mGV
Malware Config
Signatures
-
Gh0st RAT payload  5 IoCs
Processes:
  resource                                                                   yara_rule
  C:\Windows\SysWOW64\240573296.dll                                          family_gh0strat
  C:\Windows\SysWOW64\240573296.dll                                          family_gh0strat
  \??\c:\windows\SysWOW64\240573296.dll                                      family_gh0strat
  behavioral2/memory/4668-137-0x0000000000400000-0x0000000000420000-memory.dmp  family_gh0strat
  C:\Windows\SysWOW64\240573296.dll                                          family_gh0strat
RunningRat
RunningRat is a remote access trojan first seen in 2018.
-
Executes dropped EXE  1 IoCs
Processes:
  pid   process
  1104  serivecs.exe
Sets DLL path for service in the registry  2 TTPs  1 IoCs
Processes:
  description      ioc                                                                                                      process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\serivecs\Parameters\ServiceDll = "C:\\Windows\\system32\\240573296.dll"  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/4668-132-0x0000000000400000-0x0000000000420000-memory.dmp  upx
  behavioral2/memory/4668-137-0x0000000000400000-0x0000000000420000-memory.dmp  upx
Checks computer location settings  2 TTPs  1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                              process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
Loads dropped DLL  3 IoCs
Processes:
  pid   process
  4668  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
  4208  svchost.exe
  1104  serivecs.exe
Creates a Windows Service
-
Drops file in System32 directory  3 IoCs
Processes:
  description                   ioc                                 process
  File created                  C:\Windows\SysWOW64\serivecs.exe    svchost.exe
  File opened for modification  C:\Windows\SysWOW64\serivecs.exe    svchost.exe
  File created                  C:\Windows\SysWOW64\240573296.dll   c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry  2 TTPs  2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        serivecs.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   serivecs.exe
Modifies data under HKEY_USERS  5 IoCs
Processes:
  description      ioc                                                                    process
  Key created      \REGISTRY\USER\.DEFAULT\Software                                       serivecs.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft                             serivecs.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie                 serivecs.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"  serivecs.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum         serivecs.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses  64 IoCs
Processes:
  pid   process
  4668  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
  4668  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
  1104  serivecs.exe (this entry is repeated for each of the remaining IoCs)
Suspicious use of AdjustPrivilegeToken  1 IoCs
Processes:
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   4668  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
Suspicious use of SetWindowsHookEx  1 IoCs
Processes:
  pid   process
  4668  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
Suspicious use of WriteProcessMemory  9 IoCs
Processes:
  description                       pid   process                                                                 target process
  PID 4668 wrote to memory of 2068  4668  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe   cmd.exe
  PID 4668 wrote to memory of 2068  4668  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe   cmd.exe
  PID 4668 wrote to memory of 2068  4668  c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe   cmd.exe
  PID 2068 wrote to memory of 944   2068  cmd.exe                                                                 PING.EXE
  PID 2068 wrote to memory of 944   2068  cmd.exe                                                                 PING.EXE
  PID 2068 wrote to memory of 944   2068  cmd.exe                                                                 PING.EXE
  PID 4208 wrote to memory of 1104  4208  svchost.exe                                                             serivecs.exe
  PID 4208 wrote to memory of 1104  4208  svchost.exe                                                             serivecs.exe
  PID 4208 wrote to memory of 1104  4208  svchost.exe                                                             serivecs.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe"
   - Sets DLL path for service in the registry
   - Checks computer location settings
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4668
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2068
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 1
         - Runs ping.exe
         PID: 944

1. C:\Windows\SysWOW64\svchost.exe
   Command line: C:\Windows\SysWOW64\svchost.exe -k "serivecs"
   PID: 2084

1. C:\Windows\SysWOW64\svchost.exe
   Command line: C:\Windows\SysWOW64\svchost.exe -k "serivecs"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   PID: 4208
   2. C:\Windows\SysWOW64\serivecs.exe
      Command line: C:\Windows\system32\serivecs.exe "c:\windows\system32\240573296.dll",MainThread
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID: 1104
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 37KB
MD5: e6c90401901f1c50afcd1d33d7d38e9c
SHA1: 1bb4d24d064a2545d1a4a4b8d7291b33713b5c43
SHA256: a7437b4a3c4657c7d9ec14e6b31b673228efd4fa508b2b9805643c2d75878e1d
SHA512: 83275f0e5ce1eda75d41343b1f3d3de67a7a5910b0919cdc5bdec4fd1998b5ca6186651ddfe2bd379488fa670fd2634153ba26e2e42af71327398f4f852bbb9a
-
Filesize: 60KB
MD5: 889b99c52a60dd49227c5e485a016679
SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641