Analysis
-
max time kernel
158s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system -
submitted
28-11-2022 04:36
Behavioral task
behavioral1
Sample
16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Resource
win7-20220901-en
General
-
Target
16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
-
Size
146KB
-
MD5
1aa6c0f4e9869aead8511af2c54457cd
-
SHA1
14244d08470d18da13ec13dbbf00eeadf895638c
-
SHA256
16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba
-
SHA512
dff8a6dfda35a8cfed35e0cda10737c7c6eceb7e52d68285c4f0bfe65b6af563c236e3a07b3f87a3b41c4179e8dc37d85f7c1644e0d0540d91bd5323fd0f84ec
-
SSDEEP
3072:NgEehZ6lngDMYUxHkq15yoY0f4S07tVaTqXuz1KJoZAo5LH5u:NgEehkHkmMoY0xoV00uz1PZAS
Malware Config
Signatures
-
Gh0st RAT payload 4 IoCs
Processes:
resource yara_rule
C:\Windows\xinstall1943000.dll family_gh0strat
\??\c:\program files (x86)\agef\fpyesabfa.pic family_gh0strat
C:\Program Files (x86)\Agef\Fpyesabfa.pic family_gh0strat
C:\windows\xinstall1943000.dll family_gh0strat -
Loads dropped DLL 2 IoCs
Processes:
pid process
632 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
3752 svchost.exe -
Drops file in Program Files directory 2 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files (x86)\Agef\Fpyesabfa.pic 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
File created C:\Program Files (x86)\Agef\Fpyesabfa.pic 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe -
Drops file in Windows directory 2 IoCs
Processes:
description ioc process
File created C:\windows\xinstall1943000.dll 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
File opened for modification C:\windows\xinstall1943000.dll 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
3752 svchost.exe (64 events) -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid
4 (5 events; PID 4 is the Windows System process)
664 -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description pid process
Token: SeBackupPrivilege 632 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Token: SeRestorePrivilege 632 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Token: SeBackupPrivilege 632 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Token: SeRestorePrivilege 632 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Token: SeBackupPrivilege 632 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Token: SeRestorePrivilege 632 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Token: SeBackupPrivilege 632 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Token: SeRestorePrivilege 632 16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe
"C:\Users\Admin\AppData\Local\Temp\16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
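The process tree shows the dropped DLL being loaded not by the dropper but by C:\Windows\SysWOW64\svchost.exe -k imgsvc, the 32-bit service host for the imgsvc service group (the group that normally hosts the Windows Image Acquisition service from C:\Windows\System32\wiaservc.dll). A service host loading a DLL that sits directly under C:\Windows instead of under System32 or SysWOW64 is the detection opportunity in this report. The Python below is an added example and is not part of the sandbox report or of any vendor's tooling: it runs two rules over image-load records in the shape of Sysmon Event ID 7 fields (ProcessId, Image, CommandLine, ImageLoaded, Hashes). Rule one flags any svchost.exe load from outside the system DLL directories; rule two flags any load whose SHA256 matches the dropped files listed under Downloads. The event records, the benign wiaservc.dll load and the PID 4100 "updater.dll" record are constructed for the example; the hashes and the malicious paths are taken from the report.

```python
import ntpath
import re
from dataclasses import dataclass

# SHA256 of the dropped files as listed in the report's Downloads section.
GH0ST_DROPPED_SHA256 = {
    "0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f",  # xinstall1943000.dll
    "6f4552e87852f6fd92eb5d8680c06574f0aa499b4f79395952efd41e0282e20e",  # Fpyesabfa.pic
}

# Directories a service host is expected to load service DLLs from. Deliberately
# tight; tune per environment. Compared case-insensitively: the report itself
# shows the same file as both C:\Windows\... and C:\windows\..., and NTFS path
# lookups are case-insensitive, so a case-sensitive rule would miss one of them.
EXPECTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)


@dataclass
class Finding:
    pid: int
    reason: str
    image_loaded: str


def _norm(path: str) -> str:
    # Strip the NT object-manager prefix (\??\) some records carry, then lower-case.
    return re.sub(r"^\\\?\?\\", "", path).lower()


def _sha256_from_hashes(hashes: str) -> str:
    # Sysmon's Hashes field is "MD5=...,SHA256=...,IMPHASH=..."; pull SHA256 if present.
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def _under_expected_dir(loaded_dir: str) -> bool:
    return any(loaded_dir == d or loaded_dir.startswith(d + "\\") for d in EXPECTED_DLL_DIRS)


def flag_image_loads(events):
    """Return one Finding per event that matches the hash rule or the svchost path rule."""
    findings = []
    for ev in events:
        pid = int(ev["ProcessId"])
        image = _norm(ev["Image"])
        loaded = _norm(ev["ImageLoaded"])
        if _sha256_from_hashes(ev.get("Hashes", "")) in GH0ST_DROPPED_SHA256:
            findings.append(Finding(pid, "known Gh0st RAT dropped-file hash", ev["ImageLoaded"]))
            continue
        if ntpath.basename(image) == "svchost.exe" and not _under_expected_dir(ntpath.dirname(loaded)):
            findings.append(Finding(pid, "svchost.exe loaded DLL from outside System32/SysWOW64", ev["ImageLoaded"]))
    return findings


# Constructed records for the example, in the shape of Sysmon Event ID 7 fields.
SAMPLE_EVENTS = [
    {   # benign (constructed): the imgsvc host loading the WIA service DLL from System32
        "ProcessId": "1304", "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k imgsvc",
        "ImageLoaded": r"C:\Windows\System32\wiaservc.dll",
        "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000",
    },
    {   # from the report: 32-bit svchost -k imgsvc loading the dropped DLL from C:\windows
        "ProcessId": "3752", "Image": r"C:\Windows\SysWOW64\svchost.exe",
        "CommandLine": r"C:\Windows\SysWOW64\svchost.exe -k imgsvc",
        "ImageLoaded": r"C:\windows\xinstall1943000.dll",
        "Hashes": "MD5=9ea83111253838ac029211df562cd717,"
                  "SHA256=0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f",
    },
    {   # from the report: the dropper loading the .pic payload, path in \??\ form
        "ProcessId": "632",
        "Image": r"C:\Users\Admin\AppData\Local\Temp\16c48f8bc347b6ebd65f077a499be8d955a31450573d3758b6983de9924b0eba.exe",
        "CommandLine": "",
        "ImageLoaded": r"\??\c:\program files (x86)\agef\fpyesabfa.pic",
        "Hashes": "SHA256=6f4552e87852f6fd92eb5d8680c06574f0aa499b4f79395952efd41e0282e20e",
    },
    {   # constructed: unknown DLL, no hash match, caught by the path rule alone
        "ProcessId": "4100", "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "ImageLoaded": r"C:\Windows\Temp\updater.dll",
        "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111",
    },
]

if __name__ == "__main__":
    for f in flag_image_loads(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.reason}: {f.image_loaded}")
```

The hash rule is checked first so a known payload is reported as such even when it is loaded from an allowed directory; the path rule then catches relocated or recompiled copies the hash list does not know about. Both rules ignore the -k group name on purpose: the report's svchost instance runs under imgsvc, but the same technique works with any service group, so keying on the group would only narrow the detection.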
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Program Files (x86)\Agef\Fpyesabfa.pic
Filesize 988KB
MD5 f28d2ea754a888e9da33ff7552bd0045
SHA1 52fd86dba37dc86e4d377ed823b317f8f5205d7a
SHA256 6f4552e87852f6fd92eb5d8680c06574f0aa499b4f79395952efd41e0282e20e
SHA512 5803f562493c913e4a7fd627d857e48c4a977ab318ce97922b79162cdbab649bd31c6bc0c2ef0351409403f8181608b40a75462f7ba2b09aa2910b5aeb56e31c
-
C:\Windows\xinstall1943000.dll
Filesize 126KB
MD5 9ea83111253838ac029211df562cd717
SHA1 e1ef851cb46bb7423ac785f1d4846acc9684b2cb
SHA256 0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f
SHA512 345b5ba15514868ba9263755d38b39485d4b8140ee828637b0f1eaa6fca901fa592c79529c384dbc91394829259a2ee065a2d18e894e5e480b71cee7daa8c786
-
C:\windows\xinstall1943000.dll
Filesize 126KB
MD5 9ea83111253838ac029211df562cd717
SHA1 e1ef851cb46bb7423ac785f1d4846acc9684b2cb
SHA256 0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f
SHA512 345b5ba15514868ba9263755d38b39485d4b8140ee828637b0f1eaa6fca901fa592c79529c384dbc91394829259a2ee065a2d18e894e5e480b71cee7daa8c786
-
\??\c:\NT_Path.jpg
Filesize 133B
MD5 5b41d460d9e5a48aa5a09655042a4426
SHA1 ad499e9706916c525bd7724ade634f55872a900b
SHA256 ab710f901e3c7106e82ad9d7405b00656ffc08156940cf2a0e7c915a8027938c
SHA512 fcaaa59970f9560351b25a28d598a18b3aeb77322d7b670123352acfa0de4675f5b4d6d9cb3d649e3073d8880aa701c1fe8c3c084d5af29137594ffb07f66951
-
\??\c:\program files (x86)\agef\fpyesabfa.pic
Filesize 988KB
MD5 f28d2ea754a888e9da33ff7552bd0045
SHA1 52fd86dba37dc86e4d377ed823b317f8f5205d7a
SHA256 6f4552e87852f6fd92eb5d8680c06574f0aa499b4f79395952efd41e0282e20e
SHA512 5803f562493c913e4a7fd627d857e48c4a977ab318ce97922b79162cdbab649bd31c6bc0c2ef0351409403f8181608b40a75462f7ba2b09aa2910b5aeb56e31c