Analysis
max time kernel: 250s
max time network: 335s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 06:50
Static task: static1
Behavioral task: behavioral1
  Sample: ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
  Resource: win10v2004-20220812-en
General
Target: ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
Size: 155KB
MD5: 1ddf24afb515caf1faf2eebda651ffac
SHA1: e597c41603d653fe44bf608467870ae43be822db
SHA256: ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206
SHA512: 7b4f524a4f14be1a1c5526aab319ee914695a30398e5e061504dd4d76995c1a5c6f59338667188ab77eccbbe325290715d1acdcd34464129162e367cf61e9b7c
SSDEEP: 3072:ZCPZ9uL11yu46qfPr6WjhKGdzALTZCl+VFbe1N9JJuusBBlMPmuf6znw9rzy0Sw7:sPZ9up1v46q3RhKGdzAQm4N9JJzqyyLi
Malware Config
(no configuration extracted)

Signatures

Gh0st RAT payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/468-57-0x0000000010000000-0x0000000010050000-memory.dmp | family_gh0strat
  behavioral1/memory/468-58-0x0000000010000000-0x0000000010050000-memory.dmp | family_gh0strat
  behavioral1/memory/468-62-0x0000000010000000-0x0000000010050000-memory.dmp | family_gh0strat

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4FAEC2CA = "C:\\Windows\\4FAEC2CA\\svchsot.exe" | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe

Drops file in Windows directory (2 IoCs)
  Processes: ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
  description | ioc | process
  File created | C:\Windows\4FAEC2CA\svchsot.exe | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
  File opened for modification | C:\Windows\4FAEC2CA\svchsot.exe | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
  pid | process
  468 | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
  468 | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
  468 | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
  description | pid | process
  Token: SeDebugPrivilege | 468 | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
  Token: SeDebugPrivilege | 468 | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe, net.exe
  description | pid | process | target process
  PID 468 wrote to memory of 580 | 468 | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe | net.exe
  PID 468 wrote to memory of 580 | 468 | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe | net.exe
  PID 468 wrote to memory of 580 | 468 | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe | net.exe
  PID 468 wrote to memory of 580 | 468 | ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe | net.exe
  PID 580 wrote to memory of 2044 | 580 | net.exe | net1.exe
  PID 580 wrote to memory of 2044 | 580 | net.exe | net1.exe
  PID 580 wrote to memory of 2044 | 580 | net.exe | net1.exe
  PID 580 wrote to memory of 2044 | 580 | net.exe | net1.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ecdbebfad72c6ceca3cee5bc4843f7df6bddb86f3d67dd5f16cc5b9cee8b0206.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\net.exe
      Command line: net start "Task Scheduler"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\net1.exe
         Command line: C:\Windows\system32\net1 start "Task Scheduler"
Network
(no network activity recorded)

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/468-54-0x0000000075E81000-0x0000000075E83000-memory.dmp (Filesize: 8KB)
memory/468-55-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize: 320KB)
memory/468-57-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize: 320KB)
memory/468-58-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize: 320KB)
memory/468-62-0x0000000010000000-0x0000000010050000-memory.dmp (Filesize: 320KB)
memory/580-60-0x0000000000000000-mapping.dmp
memory/2044-61-0x0000000000000000-mapping.dmp