Analysis Overview
SHA256
cb5892e66ce5c2e7b5ab9946e77e1e634fdc5588a729ad6fdaaa4fd822f27051
Threat Level: Known bad
The file cb5892e66ce5c2e7b5ab9946e77e1e634fdc5588a729ad6fdaaa4fd822f27051 was found to be: Known bad.
Malicious Activity Summary
RunningRat payload
Runningrat family
Executes dropped EXE
Sets DLL path for service in the registry
Loads dropped DLL
Checks computer location settings
Deletes itself
Creates a Windows Service
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-26 18:03
Signatures
RunningRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Runningrat family
Analysis: behavioral4
Detonation Overview
Submitted
2022-11-26 18:03
Reported
2022-11-27 09:44
Platform
win10v2004-20221111-en
Max time kernel
150s
Max time network
165s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A (10 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1328 wrote to memory of 616 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 616 wrote to memory of 4424 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1
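The process tree above (and the identical chains in behavioral3, behavioral5 and behavioral6) shows the dropper handing its own cleanup to `cmd.exe`: `ping 127.0.0.1 -n 1` is a one-second sleep that lets the parent exit, after which `del /f/q` removes the parent's image from disk. The following detection is an added example written for this page, not code from the sandbox or from the RunningRat family. It scans process-creation records shaped like the Processes section and flags a `cmd.exe` whose command line chains ping into del; when the deleted path equals the parent's image it is labelled self-deletion. The `ProcessEvent` records are constructed: the PIDs are the ones the WriteProcessMemory rows report, the parent links and the benign fourth record are assumptions.

```python
"""Detect the "ping 127.0.0.1 -n 1 && del" self-deletion chain seen in this report.

Added example, not part of the sandbox report or of the RunningRat code.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # full command line as logged


# ping <host> -n <count> ... && del [/flags] "<path>"; flags may be glued (/f/q)
PING_THEN_DEL = re.compile(
    r'ping\s+\S+\s+-n\s+\d+.*?&&\s*del\s+(?:/\w+\s*)*"?([^"&]+?)"?\s*$',
    re.IGNORECASE,
)


def find_ping_delete(events):
    """Return one finding per cmd.exe that runs the ping-then-del chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = PING_THEN_DEL.search(e.cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        parent = by_pid.get(e.ppid)
        # The parent deleting its own image from disk is the anti-forensic case.
        self_delete = parent is not None and parent.image.lower() == target.lower()
        findings.append({
            "cmd_pid": e.pid,
            "parent_image": parent.image if parent else None,
            "deleted_path": target,
            "self_delete": self_delete,
        })
    return findings


# Constructed sample, modelled on the behavioral4 process tree (parent links assumed).
SAMPLE_EVENTS = [
    ProcessEvent(1328, 1000, r"C:\Users\Admin\AppData\Local\Temp\Install.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\Install.exe"'),
    ProcessEvent(616, 1328, r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q '
                 r'"C:\Users\Admin\AppData\Local\Temp\Install.exe"'),
    ProcessEvent(4424, 616, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 1"),
    # Assumed benign: a cleanup command that deletes a log without the ping delay.
    ProcessEvent(5000, 1000, r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c del /q "C:\Temp\build.log"'),
]

if __name__ == "__main__":
    for finding in find_ping_delete(SAMPLE_EVENTS):
        print(finding)
```

Keying the rule on the ping-and-del chain rather than on `del` alone keeps ordinary cleanup scripts out of the alert stream; the parent-image comparison is what separates "deletes a file" from "erases the dropper", so feed it real parent PIDs (Sysmon Event ID 1 `ParentProcessId`, or the sandbox's own tree) rather than guessing from timing.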
Network
| Country | Destination | Domain | Proto |
| N/A | 8.238.21.126:80 | N/A | tcp |
| N/A | 104.46.162.226:443 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.238.21.126:80 | N/A | tcp |
| N/A | 8.238.21.126:80 | N/A | tcp |
| N/A | 8.238.21.126:80 | N/A | tcp |
| N/A | 8.238.21.126:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\240622734.dll
| MD5 | d577f66de7124b80ef14b558be6a90f9 |
| SHA1 | 688c3cab5c53f1708adbf7f5e548deec69a316e2 |
| SHA256 | 4f14d7c1b36f30f3965cd3610538e3246cb6df8bf6472cf48eece6d9d516179c |
| SHA512 | 16427d1eeab8ea8cdef25983ee14e12c783afbee1ccd7b0996a1481b1070267f0db61a9e3d76c69eec46379ed45c0da36e8cae167ecc2e8841c7fd7fc533ebbe |
memory/616-133-0x0000000000000000-mapping.dmp
memory/4424-134-0x0000000000000000-mapping.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2022-11-26 18:03
Reported
2022-11-27 09:43
Platform
win7-20220812-en
Max time kernel
171s
Max time network
176s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\123.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\123\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\7109074.dll" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A (2 events) | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A (4 events) | N/A | C:\Windows\SysWOW64\123.exe | N/A |
Creates a Windows Service
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\123.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\123.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Google\7109074.dll | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A (5 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "123"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "123"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1
C:\Windows\SysWOW64\123.exe
C:\Windows\system32\123.exe "c:\program files (x86)\google\7109074.dll",MainThread
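The persistence here is a service named `123` hosted by `svchost.exe -k "123"`, with its `Parameters\ServiceDll` value pointing at a DLL dropped under `C:\Program Files (x86)\Google\` (the same shape appears in behavioral6 with a different random DLL name). Two things are out of place for a legitimate svchost-hosted service: the ServiceDll lives outside the Windows directory, and the `-k` group is not one the host registers under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost`. The script below is an added example for this page, not code from the sandbox or the RunningRat family; it runs both checks over constructed registry "Set value" events and command lines modelled on the tables above. `KNOWN_SVCHOST_GROUPS` is an assumed baseline for illustration, the `Schedule` entry is an assumed benign contrast, and `C:\Windows` is assumed as the Windows directory.

```python
r"""Flag svchost-hosted service persistence with a ServiceDll outside the Windows directory.

Added example, not part of the sandbox report or of the RunningRat code.
Check 1: a ServiceDll value under HKLM\SYSTEM\...\Services\<svc>\Parameters whose
         path is not under the Windows directory.
Check 2: an svchost.exe launched with "-k <group>" where <group> is not a known
         service group (assumed baseline below).
"""
import re

SERVICEDLL_KEY = re.compile(
    r"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Services\\([^\\]+)\\Parameters\\ServiceDll$",
    re.IGNORECASE,
)
SVCHOST_GROUP = re.compile(r'svchost\.exe\s+-k\s+"?([^"\s]+)"?', re.IGNORECASE)

# Assumed baseline of legitimate svchost groups. A real hunt should read the
# list from the host's Svchost registry key instead of hard-coding it.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice",
                        "localsystemnetworkrestricted", "dcomlaunch", "rpcss"}


def _expand_systemroot(path):
    # Legitimate ServiceDll values usually use %SystemRoot%; expand it so the
    # directory check compares like with like (C:\Windows is assumed here).
    return re.sub(r"%systemroot%", r"C:\\Windows", path, flags=re.IGNORECASE)


def _outside_windows_dir(path, windir="c:\\windows\\"):
    normalised = _expand_systemroot(path).replace("/", "\\").lower()
    return not normalised.startswith(windir)


def check_service_dll(registry_sets):
    """registry_sets: iterable of (key_path, value) taken from 'Set value' events."""
    findings = []
    for key, value in registry_sets:
        m = SERVICEDLL_KEY.search(key)
        if not m:
            continue
        dll = value.strip('"')
        if _outside_windows_dir(dll):
            findings.append({
                "service": m.group(1),
                "service_dll": dll,
                "reason": "ServiceDll points outside the Windows directory",
            })
    return findings


def check_svchost_groups(cmdlines, known=KNOWN_SVCHOST_GROUPS):
    """Return the svchost.exe -k groups that are not in the baseline, sorted."""
    unknown = set()
    for cmdline in cmdlines:
        m = SVCHOST_GROUP.search(cmdline)
        if m and m.group(1).lower() not in known:
            unknown.add(m.group(1))
    return sorted(unknown)


# Constructed samples, modelled on the behavioral5 registry and process data.
SAMPLE_REGISTRY_SETS = [
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\123\Parameters\ServiceDll",
     r"C:\Program Files (x86)\Google\7109074.dll"),
    # Assumed benign contrast: a Windows-shipped service DLL addressed via %SystemRoot%.
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\Parameters\ServiceDll",
     r"%SystemRoot%\System32\schedsvc.dll"),
]
SAMPLE_CMDLINES = [
    r'C:\Windows\SysWOW64\svchost.exe -k "123"',
    r"C:\Windows\System32\svchost.exe -k netsvcs",   # assumed benign
]

if __name__ == "__main__":
    print(check_service_dll(SAMPLE_REGISTRY_SETS))
    print(check_svchost_groups(SAMPLE_CMDLINES))
```

On a live host, the registry check maps directly onto Sysmon Event ID 13 (`RegistryEvent (Value Set)`) filtered on `TargetObject` ending in `\Parameters\ServiceDll`, and the group check onto Event ID 1 for `svchost.exe`; the `-k "123"` string is also a cheap IOC on its own, since legitimate group names are words, not numbers.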
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ip.cn | udp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
| N/A | 172.67.135.10:80 | ip.cn | tcp |
Files
memory/1056-54-0x0000000075E31000-0x0000000075E33000-memory.dmp
\Program Files (x86)\Google\7109074.dll
| MD5 | 7584e503fa363f192940905470467f87 |
| SHA1 | 212df83d88300008faef1730d14f7945930c6836 |
| SHA256 | b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913 |
| SHA512 | c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5 |
\??\c:\program files (x86)\google\7109074.dll
| MD5 | 7584e503fa363f192940905470467f87 |
| SHA1 | 212df83d88300008faef1730d14f7945930c6836 |
| SHA256 | b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913 |
| SHA512 | c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5 |
memory/2044-58-0x0000000000000000-mapping.dmp
memory/1984-59-0x0000000000000000-mapping.dmp
memory/1176-61-0x0000000000000000-mapping.dmp
\Windows\SysWOW64\123.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
C:\Windows\SysWOW64\123.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
Analysis: behavioral6
Detonation Overview
Submitted
2022-11-26 18:03
Reported
2022-11-27 09:44
Platform
win10v2004-20221111-en
Max time kernel
156s
Max time network
176s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\123.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\123\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\240607953.dll" | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\123.exe | N/A |
Creates a Windows Service
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\123.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\123.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Google\240607953.dll | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A (10 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1736 wrote to memory of 2328 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2328 wrote to memory of 4412 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 3224 wrote to memory of 3388 (3 events) | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\123.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "123"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "123"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1
C:\Windows\SysWOW64\123.exe
C:\Windows\system32\123.exe "c:\program files (x86)\google\240607953.dll",MainThread
Network
| Country | Destination | Domain | Proto |
| N/A | 13.78.111.199:443 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 87.248.202.1:80 | N/A | tcp |
| N/A | 87.248.202.1:80 | N/A | tcp |
| N/A | 87.248.202.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | ip.cn | udp |
| N/A | 104.21.6.167:80 | ip.cn | tcp |
| N/A | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| N/A | 104.21.6.167:80 | ip.cn | tcp |
| N/A | 8.8.8.8:53 | a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 104.21.6.167:80 | ip.cn | tcp |
Files
C:\Program Files (x86)\Google\240607953.dll
| MD5 | 7584e503fa363f192940905470467f87 |
| SHA1 | 212df83d88300008faef1730d14f7945930c6836 |
| SHA256 | b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913 |
| SHA512 | c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5 |
\??\c:\program files (x86)\google\240607953.dll
| MD5 | 7584e503fa363f192940905470467f87 |
| SHA1 | 212df83d88300008faef1730d14f7945930c6836 |
| SHA256 | b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913 |
| SHA512 | c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5 |
memory/2328-135-0x0000000000000000-mapping.dmp
memory/4412-136-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\123.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |
memory/3388-137-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-26 18:03
Reported
2022-11-27 09:47
Platform
win7-20221111-en
Max time kernel
227s
Max time network
336s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gh0st.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gh0st.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gh0st.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Gh0st.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Gh0st.exe
"C:\Users\Admin\AppData\Local\Temp\Gh0st.exe"
Network
Files
memory/1768-54-0x0000000076D71000-0x0000000076D73000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-26 18:03
Reported
2022-11-27 09:43
Platform
win10v2004-20220812-en
Max time kernel
172s
Max time network
191s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gh0st.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gh0st.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gh0st.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Gh0st.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Gh0st.exe
"C:\Users\Admin\AppData\Local\Temp\Gh0st.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 13.69.109.130:443 | N/A | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-11-26 18:03
Reported
2022-11-27 09:43
Platform
win7-20220812-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A (5 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\Install.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1
Network
Files
memory/1996-54-0x0000000075281000-0x0000000075283000-memory.dmp
\Users\Admin\AppData\Local\Temp\7072118.dll
| MD5 | d577f66de7124b80ef14b558be6a90f9 |
| SHA1 | 688c3cab5c53f1708adbf7f5e548deec69a316e2 |
| SHA256 | 4f14d7c1b36f30f3965cd3610538e3246cb6df8bf6472cf48eece6d9d516179c |
| SHA512 | 16427d1eeab8ea8cdef25983ee14e12c783afbee1ccd7b0996a1481b1070267f0db61a9e3d76c69eec46379ed45c0da36e8cae167ecc2e8841c7fd7fc533ebbe |
memory/904-56-0x0000000000000000-mapping.dmp
memory/948-58-0x0000000000000000-mapping.dmp
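Across the Files sections the dropped DLL names are random per run, but the content is not: `7109074.dll` (behavioral5) and `240607953.dll` (behavioral6) share SHA256 `b041bd2a…`, and the DLL written beside `Install.exe` is the same file as `240622734.dll` (behavioral4) and `7072118.dll` (behavioral3). A detection keyed on file name would therefore miss the next run; keying on hash would not. The script below is an added example written for this page, not code from the sandbox: it parses the report's own file tables (a path line followed by `| MD5 | … |` rows) and groups every observed path by SHA256, then lists the hashes seen under more than one name. `REPORT_EXCERPT` is copied from the tables above, abridged to MD5, SHA1 and SHA256; the hashes are the report's.

```python
r"""Group this report's dropped files by SHA256 rather than by file name.

Added example, not part of the sandbox report. Parses the page's own Files
tables; REPORT_EXCERPT below is an abridged copy of those tables.
"""
import re
from collections import defaultdict

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.IGNORECASE)


def parse_file_tables(text):
    """Return {sha256: {"md5": ..., "sha1": ..., "paths": set_of_paths}}."""
    groups = defaultdict(lambda: {"md5": None, "sha1": None, "paths": set()})
    current_path, hashes = None, {}

    def flush():
        # Only entries that carried a SHA256 row are file records; memory-dump
        # lines (memory/…-mapping.dmp) have no hash rows and are skipped.
        if current_path and "sha256" in hashes:
            g = groups[hashes["sha256"]]
            g["md5"], g["sha1"] = hashes.get("md5"), hashes.get("sha1")
            g["paths"].add(current_path)

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            hashes[m.group(1).lower()] = m.group(2).lower()
        else:
            flush()
            current_path, hashes = line, {}
    flush()
    return dict(groups)


def renamed_payloads(groups):
    """SHA256s that were observed under more than one file name, with the names."""
    out = {}
    for sha, g in groups.items():
        names = {p.replace("/", "\\").rsplit("\\", 1)[-1].lower() for p in g["paths"]}
        if len(names) > 1:
            out[sha] = sorted(names)
    return out


# Abridged copy of the Files tables on this page (paths and hashes as reported).
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\240622734.dll
| MD5 | d577f66de7124b80ef14b558be6a90f9 |
| SHA1 | 688c3cab5c53f1708adbf7f5e548deec69a316e2 |
| SHA256 | 4f14d7c1b36f30f3965cd3610538e3246cb6df8bf6472cf48eece6d9d516179c |
memory/616-133-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\7072118.dll
| MD5 | d577f66de7124b80ef14b558be6a90f9 |
| SHA1 | 688c3cab5c53f1708adbf7f5e548deec69a316e2 |
| SHA256 | 4f14d7c1b36f30f3965cd3610538e3246cb6df8bf6472cf48eece6d9d516179c |
\Program Files (x86)\Google\7109074.dll
| MD5 | 7584e503fa363f192940905470467f87 |
| SHA1 | 212df83d88300008faef1730d14f7945930c6836 |
| SHA256 | b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913 |
C:\Program Files (x86)\Google\240607953.dll
| MD5 | 7584e503fa363f192940905470467f87 |
| SHA1 | 212df83d88300008faef1730d14f7945930c6836 |
| SHA256 | b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913 |
\Windows\SysWOW64\123.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
C:\Windows\SysWOW64\123.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
"""

if __name__ == "__main__":
    groups = parse_file_tables(REPORT_EXCERPT)
    for sha, names in renamed_payloads(groups).items():
        print(sha, "seen as", ", ".join(names))
```

One caveat the grouping makes visible: `123.exe` has a different hash on the Windows 7 and Windows 10 runs while every other dropped file is identical across platforms, and it is invoked as `123.exe "<dll>",MainThread`, which is rundll32-style syntax. That is consistent with the service copying a platform-shipped binary under a new name rather than dropping a payload, so verify the two `123.exe` hashes against the respective platform's system binaries before publishing them as malware IOCs; the DLL hashes `b041bd2a…` and `4f14d7c1…` are the stable indicators in this report.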