Analysis
- max time kernel: 152s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 06:17
Behavioral task: behavioral1
- Sample: 4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
- Resource: win10v2004-20221111-en
General
- Target: 4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
- Size: 176KB
- MD5: 7c714e971bd8afd88af899253fd77f3d
- SHA1: ca348c8d2215e807fec62c549d677b3e6292f2ce
- SHA256: 4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546
- SHA512: 31effab420dabca0f3146f97b076804fbe6778126e4a7b3fc82d04f6ee0ac9144623932cc37a4a2de96440dba88b96637a5578189504a1785f24f250f89171ec
- SSDEEP: 3072:0cYcYKEzcW526y6hs6PhwtqrorsVlkTEIcy1O4F3JhMWIknqX5d+vIjc8UW:0cBYKEz557e2VroYoTU4JOWnS5d+v0cu
Malware Config
Signatures
- Gh0st RAT payload (3 IoCs)
  resource | yara_rule
  \??\c:\windows\SysWOW64\winnie.cmd | family_gh0strat
  \Windows\SysWOW64\winnie.cmd | family_gh0strat
  \Windows\SysWOW64\winnie.cmd | family_gh0strat
- Blocklisted process makes network request (1 IoCs)
  flow | pid | process
  2 | 816 | rundll32.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Rspdates Apxplicatioan\Parameters\ServiceDll | 4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
- Deletes itself (1 IoCs)
  pid | process
  816 | rundll32.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  592 | svchost.exe
  816 | rundll32.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\hfsetemp.ini | 4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
  File created | C:\Windows\Svchost.txt | 4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
  File created | C:\Windows\Svchost.reg | 4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  pid | process
  592 | svchost.exe (33 identical events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeBackupPrivilege | 992 | 4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
  Token: SeRestorePrivilege | 992 | 4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe
  Token: SeDebugPrivilege | 592 | svchost.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | target process
  PID 592 wrote to memory of 816 | 592 | svchost.exe | rundll32.exe (7 identical events)
Processes
- C:\Users\Admin\AppData\Local\Temp\4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f6fd88c0b7af992e43b8372604c68208017f8119eab39f3f494f6d26e2fb546.exe"
  - Sets DLL path for service in the registry
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe (depth 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe "c:\windows\system32\winnie.cmd",EASTNOD Rspdates Apxplicatioan
    - Blocklisted process makes network request
    - Deletes itself
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\windows\SysWOW64\winnie.cmd
  Filesize: 1.1MB
  MD5: 53b735bb0b6473676d1529916a606472
  SHA1: 26b0804de2e3dbffdf5bd840e78d2e6bc8682b14
  SHA256: ec99bec45e94481200651b4d2b3e53d35ccc5f7c90c2e32eef45b87c52d04ebb
  SHA512: 192f9fb137e72d32085776de32f54f021978513c33e8eba609ff606cdaa56f03d75c1c5b4f166fb2a7046663d4b8f889481ee22cc1c271cb3ba690a1768a78d2
- \Windows\SysWOW64\winnie.cmd
  Filesize: 1.1MB
  MD5: 53b735bb0b6473676d1529916a606472
  SHA1: 26b0804de2e3dbffdf5bd840e78d2e6bc8682b14
  SHA256: ec99bec45e94481200651b4d2b3e53d35ccc5f7c90c2e32eef45b87c52d04ebb
  SHA512: 192f9fb137e72d32085776de32f54f021978513c33e8eba609ff606cdaa56f03d75c1c5b4f166fb2a7046663d4b8f889481ee22cc1c271cb3ba690a1768a78d2
- memory/592-56-0x0000000076561000-0x0000000076563000-memory.dmp
  Filesize: 8KB
- memory/816-57-0x0000000000000000-mapping.dmp