Analysis

- max time kernel: 56s
- max time network: 54s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 14:41
Behavioral task behavioral1
- Sample: 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe
- Resource: win7-20221111-en

Behavioral task behavioral2
- Sample: 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe
- Resource: win10v2004-20221111-en
General

- Target: 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe
- Size: 175KB
- MD5: 595fd6cbd1f481b47f418ac0bc33ed77
- SHA1: e2963683df4f6c2713f5a2a5bbddf71bcfeed220
- SHA256: 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7
- SHA512: 9f2aa78b939560277b4c4991ce416dfa9bb01abe06eda4830625231245c4c9bf7be0baf4512b4113d036c0cb9422fa6d14be3d69b1c6322104fbe66300ed6257
- SSDEEP: 3072:HwRH8SJuKDjXTklcU7TRYMla/U1NaHJxjEdlRh1BtD/qk7E5aGVOke54eKFYQu7F:HaBjDkFRYMlwLAb9BtG6+aoOkwkCQuvZ
Malware Config
Signatures
Gh0st RAT payload (1 IoC)

Processes:

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/968-60-0x0000000010000000-0x0000000010023000-memory.dmp | family_gh0strat |
Executes dropped EXE (3 IoCs)

Processes:

| pid | process |
| --- | --- |
| 968 | lei.EXE |
| 900 | leii.EXE |
| 1116 | leiii.EXE |
Processes:

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/1668-56-0x0000000000400000-0x00000000004AE000-memory.dmp | upx |
| behavioral1/memory/1668-85-0x0000000000400000-0x00000000004AE000-memory.dmp | upx |
Adds Run key to start application (2 TTPs, 8 IoCs)

Processes:

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | leii.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\87338114 = "C:\\Windows\\87338114\\svchsot.exe" | leii.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | leiii.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3FB9296B = "C:\\Windows\\3FB9296B\\svchsot.exe" | leiii.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Hal = "c:\\sott.exe" | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | lei.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\23A1C2AD = "C:\\Windows\\23A1C2AD\\svchsot.exe" | lei.EXE |
Drops file in Windows directory (6 IoCs)

Processes:

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\87338114\svchsot.exe | leii.EXE |
| File opened for modification | C:\Windows\87338114\svchsot.exe | leii.EXE |
| File created | C:\Windows\3FB9296B\svchsot.exe | leiii.EXE |
| File opened for modification | C:\Windows\3FB9296B\svchsot.exe | leiii.EXE |
| File created | C:\Windows\23A1C2AD\svchsot.exe | lei.EXE |
| File opened for modification | C:\Windows\23A1C2AD\svchsot.exe | lei.EXE |

Runs net.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)

Processes:

| pid | process |
| --- | --- |
| 968 | lei.EXE |
| 968 | lei.EXE |
| 900 | leii.EXE |
| 900 | leii.EXE |
| 1116 | leiii.EXE |
| 1116 | leiii.EXE |
Suspicious use of AdjustPrivilegeToken (6 IoCs)

Processes:

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 968 | lei.EXE |
| Token: SeDebugPrivilege | 968 | lei.EXE |
| Token: SeDebugPrivilege | 900 | leii.EXE |
| Token: SeDebugPrivilege | 900 | leii.EXE |
| Token: SeDebugPrivilege | 1116 | leiii.EXE |
| Token: SeDebugPrivilege | 1116 | leiii.EXE |
Suspicious use of WriteProcessMemory (36 IoCs)

Processes:

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 1668 wrote to memory of 968 | 1668 | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe | lei.EXE |
| PID 1668 wrote to memory of 968 | 1668 | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe | lei.EXE |
| PID 1668 wrote to memory of 968 | 1668 | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe | lei.EXE |
| PID 1668 wrote to memory of 968 | 1668 | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe | lei.EXE |
| PID 1668 wrote to memory of 900 | 1668 | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe | leii.EXE |
| PID 1668 wrote to memory of 900 | 1668 | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe | leii.EXE |
| PID 1668 wrote to memory of 900 | 1668 | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe | leii.EXE |
| PID 1668 wrote to memory of 900 | 1668 | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe | leii.EXE |
| PID 1668 wrote to memory of 1116 | 1668 | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe | leiii.EXE |
| PID 1668 wrote to memory of 1116 | 1668 | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe | leiii.EXE |
| PID 1668 wrote to memory of 1116 | 1668 | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe | leiii.EXE |
| PID 1668 wrote to memory of 1116 | 1668 | 2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe | leiii.EXE |
| PID 968 wrote to memory of 680 | 968 | lei.EXE | net.exe |
| PID 968 wrote to memory of 680 | 968 | lei.EXE | net.exe |
| PID 968 wrote to memory of 680 | 968 | lei.EXE | net.exe |
| PID 968 wrote to memory of 680 | 968 | lei.EXE | net.exe |
| PID 900 wrote to memory of 1876 | 900 | leii.EXE | net.exe |
| PID 900 wrote to memory of 1876 | 900 | leii.EXE | net.exe |
| PID 900 wrote to memory of 1876 | 900 | leii.EXE | net.exe |
| PID 900 wrote to memory of 1876 | 900 | leii.EXE | net.exe |
| PID 680 wrote to memory of 1652 | 680 | net.exe | net1.exe |
| PID 680 wrote to memory of 1652 | 680 | net.exe | net1.exe |
| PID 680 wrote to memory of 1652 | 680 | net.exe | net1.exe |
| PID 680 wrote to memory of 1652 | 680 | net.exe | net1.exe |
| PID 1876 wrote to memory of 1568 | 1876 | net.exe | net1.exe |
| PID 1876 wrote to memory of 1568 | 1876 | net.exe | net1.exe |
| PID 1876 wrote to memory of 1568 | 1876 | net.exe | net1.exe |
| PID 1876 wrote to memory of 1568 | 1876 | net.exe | net1.exe |
| PID 1116 wrote to memory of 904 | 1116 | leiii.EXE | net.exe |
| PID 1116 wrote to memory of 904 | 1116 | leiii.EXE | net.exe |
| PID 1116 wrote to memory of 904 | 1116 | leiii.EXE | net.exe |
| PID 1116 wrote to memory of 904 | 1116 | leiii.EXE | net.exe |
| PID 904 wrote to memory of 1484 | 904 | net.exe | net1.exe |
| PID 904 wrote to memory of 1484 | 904 | net.exe | net1.exe |
| PID 904 wrote to memory of 1484 | 904 | net.exe | net1.exe |
| PID 904 wrote to memory of 1484 | 904 | net.exe | net1.exe |
Processes

- (level 1) C:\Users\Admin\AppData\Local\Temp\2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c7abcb4802c2f5b8a6cbc2c09ad526618d8101e7d789dc3717dc9015f357ee7.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - (level 2) C:\lei.EXE
    Command line: C:\lei.EXE
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - (level 3) C:\Windows\SysWOW64\net.exe
      Command line: net start "Task Scheduler"
      - Suspicious use of WriteProcessMemory

      - (level 4) C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start "Task Scheduler"

  - (level 2) C:\leii.EXE
    Command line: C:\leii.EXE
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - (level 3) C:\Windows\SysWOW64\net.exe
      Command line: net start "Task Scheduler"
      - Suspicious use of WriteProcessMemory

      - (level 4) C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start "Task Scheduler"

  - (level 2) C:\leiii.EXE
    Command line: C:\leiii.EXE
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - (level 3) C:\Windows\SysWOW64\net.exe
      Command line: net start "Task Scheduler"
      - Suspicious use of WriteProcessMemory

      - (level 4) C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start "Task Scheduler"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\lei.EXE
  - Filesize: 216KB
  - MD5: 162ca20ef8ea6b71ee6fad3e27639b8d
  - SHA1: a3c64daf3e3a33ccd517cb667fe6bdb180bafa1c
  - SHA256: fb7cb898249331790349a213dd555887a7ba80ea97b6bb59f39f0dccb5de9dc5
  - SHA512: 31e18744a8407f13dbb78804382e1f12d1f880fa84d11f1cc05c68d6465ec97dfa158e0c4ed8ce64bf91cb5a4e6996e28bae6656b77b2fa3c36b51d876ac8669
- C:\leii.EXE
  - Filesize: 216KB
  - MD5: 7f00b395a356f5bb1ceffd779ed8ffa7
  - SHA1: a6f1968b403d96d382521466e0d6c4ac2cb868c6
  - SHA256: 1ba6ff06f32475f5796a406c240a9f1c58e2fd06069c87b3ce55194510e59735
  - SHA512: 6c466ff147913356689dad4c7de5b8c652a59740f7f18b8348420bba5e2c5b648113a7ca5519da2369717122ce13509c461b9bdb498a9bf2a08b2da8e20aa467
- C:\leiii.EXE
  - Filesize: 216KB
  - MD5: 93aa18cf26e67dcd3110feecc11a1aa8
  - SHA1: 6c663a9e46e572b23ebc295cc627e4b2a3c77306
  - SHA256: d6976cae1694e34ec112d9b1d6e94adb238f3e1e69caf827b4d6312b78ddbbb5
  - SHA512: 14ddd9aa5389af9ae4e5c9dfd4ce6db66d57e52727eee5a435a26e38c323f61acab1bd450707908f4569a8ff47d403a30ecf492991b93e848296d2f27235e666
- memory/680-72-0x0000000000000000-mapping.dmp
- memory/900-58-0x0000000000000000-mapping.dmp
- memory/904-83-0x0000000000000000-mapping.dmp
- memory/968-57-0x0000000075631000-0x0000000075633000-memory.dmp (Filesize: 8KB)
- memory/968-60-0x0000000010000000-0x0000000010023000-memory.dmp (Filesize: 140KB)
- memory/968-54-0x0000000000000000-mapping.dmp
- memory/1116-69-0x0000000000000000-mapping.dmp
- memory/1484-84-0x0000000000000000-mapping.dmp
- memory/1568-81-0x0000000000000000-mapping.dmp
- memory/1652-80-0x0000000000000000-mapping.dmp
- memory/1668-56-0x0000000000400000-0x00000000004AE000-memory.dmp (Filesize: 696KB)
- memory/1668-85-0x0000000000400000-0x00000000004AE000-memory.dmp (Filesize: 696KB)
- memory/1876-79-0x0000000000000000-mapping.dmp