Analysis
- max time kernel: 277s
- max time network: 382s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:25
Static task: static1
Behavioral task: behavioral1
- Sample: 96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe
- Resource: win10v2004-20221111-en
General
- Target: 96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe
- Size: 172KB
- MD5: abd457f404c29c5a256f31efaeb3cb4d
- SHA1: dc183ff7f1a7ae60dd2e1eb077514a067375b0e1
- SHA256: 96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13
- SHA512: be893db0a2822a2eb92673730eb64ad7af8a83219bd1f6b5fc024eda7d6dab943470f9c1a76f5b64927f3b5088c7ef622dd67bc1c5f7e21e69408a5450a08e60
- SSDEEP: 3072:FZyAqSH/lSea50OcvB4oZ4O9BJ3+YcAAUNLsF8bYdDNMD4JBnhYN:Ty6lSJdSiI9ncAbLstDNPJdmN
Malware Config
Signatures
- Gh0st RAT payload (7 IoCs)
  Processes (resource / yara_rule):
  - \Windows\SysWOW64\mt6f8e0em.dll / family_gh0strat (6 matches)
  - \??\c:\windows\SysWOW64\mt6f8e0em.dll / family_gh0strat (1 match)
- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
  - 3 / 364 / rundll32.exe
  - 7 / 364 / rundll32.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\s90e02v5432e42nfa7\Parameters\ServiceDll = "C:\\Windows\\system32\\mt6f8e0em.dll" / 96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe
- Sets file execution options in registry (2 TTPs, 4 IoCs)
  Processes (description / ioc / process):
  - Key created / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe / rundll32.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe\Debugger = "services.exe" / rundll32.exe
  - Key created / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe / rundll32.exe
  - Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe\Debugger = "services.exe" / rundll32.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  - 1384 / cmd.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid / process):
  - 784 / 96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe
  - 820 / svchost.exe
  - 364 / rundll32.exe (4 loads)
- Drops file in System32 directory (1 IoC)
  Processes (description / ioc / process):
  - File created / C:\Windows\SysWOW64\mt6f8e0em.dll / 96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 820 / svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
  - 784 / 96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
  - PID 784 wrote to memory of 1384 / 784 / 96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe / cmd.exe (4 occurrences)
  - PID 820 wrote to memory of 364 / 820 / svchost.exe / rundll32.exe (7 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe (PID 784, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe"
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1384, depth 2)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\96e219554988bdd68df233414aef40f669a84f3aadbc978eddbf647b880d0c13.exe"
    - Deletes itself
- C:\Windows\SysWOW64\svchost.exe (PID 820, depth 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "s90e02v5432e42nfa7"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 364, depth 2)
    Command line: rundll32.exe c:\windows\system32\mt6f8e0em.dll, slexp
    - Blocklisted process makes network request
    - Sets file execution options in registry
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- \??\c:\windows\SysWOW64\mt6f8e0em.dll
  Filesize: 142KB
  MD5: 1ac50700edbeca3ec5ec30792f83c682
  SHA1: 72e4470b1252c6c2ecd53d4949583032f60ec3bd
  SHA256: 0249b37e10ebbc3f44ae97bb6fe22741f00252f8df6082b945172907e7945a44
  SHA512: 0b4f46ca6f51defeb84627a52a790707dbd16510e620641a43b1a6b8724ef9be4afe0cd88eca56ea1ffb6f1766e46bb8844f3549e5b88eaf8c48426b3217a85b
- \Windows\SysWOW64\mt6f8e0em.dll
  Filesize: 142KB
  MD5: 1ac50700edbeca3ec5ec30792f83c682
  SHA1: 72e4470b1252c6c2ecd53d4949583032f60ec3bd
  SHA256: 0249b37e10ebbc3f44ae97bb6fe22741f00252f8df6082b945172907e7945a44
  SHA512: 0b4f46ca6f51defeb84627a52a790707dbd16510e620641a43b1a6b8724ef9be4afe0cd88eca56ea1ffb6f1766e46bb8844f3549e5b88eaf8c48426b3217a85b
- memory/364-58-0x0000000000000000-mapping.dmp
- memory/364-59-0x00000000767C1000-0x00000000767C3000-memory.dmp
  Filesize: 8KB
- memory/1384-57-0x0000000000000000-mapping.dmp