Analysis
max time kernel: 47s
max time network: 68s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 09:47
Static task: static1
Behavioral task: behavioral1
  Sample: 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
  Resource: win10v2004-20221111-en
General
Target: 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
Size: 80KB
MD5: 717a8e1c9d0debf0fa71d7a98ee5524b
SHA1: 5a8523499a61381eed5c898a57b7d483bb5b7476
SHA256: 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0
SHA512: ee3fe4f9f5b0211a087beb7b537dcc5700aa17f39dbc5a26ee02782ffa09cc9c36f5fc49b2b148189d93c0f92af8e691ec1fdcf5508d6bbd2bcc63594ea6e8b6
SSDEEP: 1536:sFz0LnC0atiq+9Cc73McaTBFb0bJ+oa/xrpnHTlyojsjxNe22JjIHM:sFz90hq+Yc7Hf4oa5r5sojsj+oM
Malware Config
Signatures
Gh0st RAT payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1184-57-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat
behavioral1/memory/1184-61-0x0000000010000000-0x0000000010046000-memory.dmp | family_gh0strat
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\22FD71B1 = "C:\\Windows\\22FD71B1\\svchsot.exe" | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
Drops file in Windows directory (2 IoCs)
Processes: 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
description | ioc | process
File created | C:\Windows\22FD71B1\svchsot.exe | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
File opened for modification | C:\Windows\22FD71B1\svchsot.exe | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
pid | process
1184 | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
1184 | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
1184 | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
1184 | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
description | pid | process
Token: SeDebugPrivilege | 1184 | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
Token: SeDebugPrivilege | 1184 | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe, net.exe
description | pid | process | target process
PID 1184 wrote to memory of 280 | 1184 | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe | net.exe
PID 1184 wrote to memory of 280 | 1184 | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe | net.exe
PID 1184 wrote to memory of 280 | 1184 | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe | net.exe
PID 1184 wrote to memory of 280 | 1184 | 2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe | net.exe
PID 280 wrote to memory of 764 | 280 | net.exe | net1.exe
PID 280 wrote to memory of 764 | 280 | net.exe | net1.exe
PID 280 wrote to memory of 764 | 280 | net.exe | net1.exe
PID 280 wrote to memory of 764 | 280 | net.exe | net1.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2c012e2501d1b5020c86c6b2cc44eb7ff765da9a16b616b4f41cb2c185fe97c0.exe"
   PID: 1184
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\net.exe
      Command line: net start "Task Scheduler"
      PID: 280
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\net1.exe
         Command line: C:\Windows\system32\net1 start "Task Scheduler"
         PID: 764