Analysis
max time kernel: 155s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 04:36
Behavioral task
behavioral1
Sample: 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Resource: win7-20220901-en
General
Target: 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Size: 146KB
MD5: 1aa6c0f4e9869aead8511af2c54457cd
SHA1: 14244d08470d18da13ec13dbbf00eeadf895638c
SHA256: 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba
SHA512: dff8a6dfda35a8cfed35e0cda10737c7c6eceb7e52d68285c4f0bfe65b6af563c236e3a07b3f87a3b41c4179e8dc37d85f7c1644e0d0540d91bd5323fd0f84ec
SSDEEP: 3072:NgEehZ6lngDMYUxHkq15yoY0f4S07tVaTqXuz1KJoZAo5LH5u:NgEehkHkmMoY0xoV00uz1PZAS
Malware Config
Signatures
Gh0st RAT payload (3 IoCs)
Resources matched by YARA rule:
  resource                                        yara_rule
  \??\c:\program files (x86)\agef\fpyesabfa.pic   family_gh0strat
  \Program Files (x86)\Agef\Fpyesabfa.pic         family_gh0strat
  C:\windows\xinstall1072400.dll                  family_gh0strat

Deletes itself (1 IoC)
Processes:
  pid    process
  1724   svchost.exe

Loads dropped DLL (1 IoC)
Processes:
  pid    process
  1724   svchost.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description                    ioc                                         process
  File opened for modification   C:\Program Files (x86)\Agef\Fpyesabfa.pic   16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
  File created                   C:\Program Files (x86)\Agef\Fpyesabfa.pic   16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe

Drops file in Windows directory (2 IoCs)
Processes:
  description                    ioc                              process
  File created                   C:\windows\xinstall1072400.dll   16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
  File opened for modification   C:\windows\xinstall1072400.dll   16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe

Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes:
  pid    process
  1724   svchost.exe   (the same pid/process pair is recorded 48 times)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
  description                 pid    process
  Token: SeBackupPrivilege    1396   16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
  Token: SeRestorePrivilege   1396   16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
  Token: SeBackupPrivilege    1396   16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
  Token: SeRestorePrivilege   1396   16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
  Token: SeBackupPrivilege    1396   16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
  Token: SeRestorePrivilege   1396   16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
  Token: SeBackupPrivilege    1396   16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
  Token: SeRestorePrivilege   1396   16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Processes

Process: C:\Users\Admin\AppData\Local\Temp\16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe"
Tree depth: 1
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

Process: C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
Tree depth: 1
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
File: C:\windows\xinstall1072400.dll
Filesize: 126KB
MD5: 9ea83111253838ac029211df562cd717
SHA1: e1ef851cb46bb7423ac785f1d4846acc9684b2cb
SHA256: 0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f
SHA512: 345b5ba15514868ba9263755d38b39485d4b8140ee828637b0f1eaa6fca901fa592c79529c384dbc91394829259a2ee065a2d18e894e5e480b71cee7daa8c786

File: \??\c:\NT_Path.jpg
Filesize: 133B
MD5: 6d40b2ec8e2aca4cec566b07a13ef1bb
SHA1: a3e487cd1cca1354d56a0e305b234852092cf244
SHA256: eed8e68ab36d4b8925ee1fe31b42a974c67985ec0d4952558a21dc8149764394
SHA512: 74cb40f1c20b6e0ed3ad113b5b5e7373501f24bf9e1d15f4f76943b014afb630cc670984928efad0509622e3bacca0bc8f56bf2b8ebfd0337ba32f23f6fef4ab

File: \??\c:\program files (x86)\agef\fpyesabfa.pic
Filesize: 13.6MB
MD5: c53323d9e82f121913847b630ecb0515
SHA1: e1450f4efb499f9ece7549b3c01a35c0908081af
SHA256: 7c4ab3d8682907773b8a5887f24cbc50824466a3771299d4b46b3772b8ea508c
SHA512: a705e497cb1d3aea92cbf2d3aad7e92fbc3183c7f7b2f34feb8d7f34d80b73333f9b98b63ec9f881776623e48ab8c4e578cce7d096862a618d79e8c207513fee

File: \Program Files (x86)\Agef\Fpyesabfa.pic
Filesize: 13.6MB
MD5: c53323d9e82f121913847b630ecb0515
SHA1: e1450f4efb499f9ece7549b3c01a35c0908081af
SHA256: 7c4ab3d8682907773b8a5887f24cbc50824466a3771299d4b46b3772b8ea508c
SHA512: a705e497cb1d3aea92cbf2d3aad7e92fbc3183c7f7b2f34feb8d7f34d80b73333f9b98b63ec9f881776623e48ab8c4e578cce7d096862a618d79e8c207513fee

File: memory/1396-54-0x00000000760E1000-0x00000000760E3000-memory.dmp
Filesize: 8KB