Analysis
- max time kernel: 31s
- max time network: 64s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 09:46
Behavioral task: behavioral1
- Sample: ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe
- Resource: win10v2004-20220812-en
General
- Target: ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe
- Size: 680KB
- MD5: d50d4545b85f36b58fdd1b2bfefbf05a
- SHA1: b266a95c41407298ea4a742dfef3fc4045df3fa0
- SHA256: ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0
- SHA512: 21aeb170b091e060f148117af9d5a3a49c582ac3e9ebf18560121871ecb4061bd9cd61d65c2ffee5ee35edec7600575863e1995370949e41fe5ffcbdac45c226
- SSDEEP: 6144:yMhOwNU1k/whA0BN8PwaO/kPNNduO4FOqOVaazcpof8ALthThFu3:hxNUy/whA0mwBMPQAJRUGf
Malware Config
Signatures
- Gh0st RAT payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1464-62-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat
  behavioral1/memory/1464-65-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat
- Executes dropped EXE (1 IoCs)
  pid | process
  1464 | upx.exe
- yara_rule match
  resource | yara_rule
  behavioral1/memory/1164-64-0x0000000000400000-0x0000000000585000-memory.dmp | upx
- Loads dropped DLL (2 IoCs)
  pid | process
  1164 | ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe
  1164 | ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | upx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CEB3B4E0 = "C:\\Windows\\CEB3B4E0\\svchsot.exe" | upx.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  1464 | upx.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1464 | upx.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  1164 | ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe (2 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 1164 wrote to memory of 1464 | 1164 | ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe | upx.exe (4 entries)
  PID 1464 wrote to memory of 1112 | 1464 | upx.exe | net.exe (4 entries)
  PID 1112 wrote to memory of 904 | 1112 | net.exe | net1.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ea1ae30dd4f6c4db60fdd49beabf03b499cd1cb79c132eb4cb4d739f9e2f98f0.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Desktop\upx.exe
    Command line: C:\Users\Admin\Desktop\upx.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net start "Task Scheduler"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start "Task Scheduler"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\upx.exe (also recorded as \Users\Admin\Desktop\upx.exe; the same file, identical hashes)
  Filesize: 80KB
  MD5: 552c9b6b5d2df50f740c3531865ad307
  SHA1: 8bc28dbcdecda6366ad9a14db5dd6d67e81d04b0
  SHA256: b650e60013239f8a916ffd571ea66aedc6a0f88be43a003ed444a0592c29d632
  SHA512: 8fa284f51d34a25fa982f291fd2c033bb7070b32a8eaa8e3e91e85c2c366ebfb6f0967060eebdc7237496b29cfcf58f6ede545049caf74176f8674efffbc996f
- memory/904-68-0x0000000000000000-mapping.dmp
- memory/1112-67-0x0000000000000000-mapping.dmp
- memory/1164-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp (Filesize: 8KB)
- memory/1164-64-0x0000000000400000-0x0000000000585000-memory.dmp (Filesize: 1.5MB)
- memory/1464-57-0x0000000000000000-mapping.dmp
- memory/1464-60-0x0000000010000000-0x0000000010046000-memory.dmp (Filesize: 280KB)
- memory/1464-62-0x0000000010000000-0x0000000010046000-memory.dmp (Filesize: 280KB)
- memory/1464-65-0x0000000010000000-0x0000000010046000-memory.dmp (Filesize: 280KB)