Analysis

max time kernel: 260s
max time network: 336s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 11:59
Static task: static1
Behavioral task: behavioral1
Sample: 45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe
Resource: win7-20221111-en
General

Target: 45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe
Size: 292KB
MD5: 8516e3653d6c34810423ca3ed98275f5
SHA1: 2eb9f748e9276718e89acc4098040177f72b0d2a
SHA256: 45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49
SHA512: 4e6fa7bf087aaf7499c0e1eba1c23ea43b90e3cba6d307a22341e4ba48a8e19d5e21cd2d78f45a887ec238be661f092888d26c0a39ed1cebfb309b429396f8f5
SSDEEP: 3072:GfvUpXXkVMO4gCwd3E5y1mZtGbvKa2x719Iy/jvuyttPlLcHUzPtVKqdlg:ivUpHu4gvqQ1HKPyIjftxdkUz2m
Malware Config

Signatures

Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/896-55-0x0000000010000000-0x0000000010016000-memory.dmp
  yara_rule: family_gh0strat

Executes dropped EXE (1 IoC)
  pid 268: hsznok.exe

Deletes itself (1 IoC)
  pid 1116: WScript.exe

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\hsznok.exe (process: 45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe)
  File opened for modification: C:\Windows\hsznok.exe (process: 45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 896: 45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe
  pid 268: hsznok.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 896 (45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe) wrote to memory of PID 1116 (WScript.exe); the same entry is recorded 7 times
Processes

[1] C:\Users\Admin\AppData\Local\Temp\45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49.exe"
    PID: 896
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\499.vbs"
        PID: 1116
        - Deletes itself

[1] C:\Windows\hsznok.exe
    command line: C:\Windows\hsznok.exe
    PID: 268
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Downloads

C:\499.vbs
  Filesize: 500B
  MD5: ddc469cab3c3daf211f2f271876eea17
  SHA1: 4760a0aa14c73db997677bc9e0c9ec697cc15e5e
  SHA256: cbb4065ceaa15f2218f8593311c79d6f08c4a750e037d196b4e4ceaf5d3eb94a
  SHA512: 50537115db27e43d7e6c263b71ef994b2be3b9ec7f1376b3f2a834981404e91994b1a5da1b543e2117d4f51f1cf4a091367f202f6c61d534e6534e1a1a24bffa

C:\Windows\hsznok.exe
  Filesize: 292KB
  MD5: 8516e3653d6c34810423ca3ed98275f5
  SHA1: 2eb9f748e9276718e89acc4098040177f72b0d2a
  SHA256: 45baa21da760f852f60c7089e1b2d9b2e32d4a887df71f6cbb9a16d0b903fa49
  SHA512: 4e6fa7bf087aaf7499c0e1eba1c23ea43b90e3cba6d307a22341e4ba48a8e19d5e21cd2d78f45a887ec238be661f092888d26c0a39ed1cebfb309b429396f8f5
memory/896-54-0x0000000075E81000-0x0000000075E83000-memory.dmp
  Filesize: 8KB

memory/896-55-0x0000000010000000-0x0000000010016000-memory.dmp
  Filesize: 88KB

memory/1116-67-0x0000000000000000-mapping.dmp