Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 06:23
Static task: static1
Behavioral task: behavioral1
- Sample: 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
- Resource: win10v2004-20220812-en
General
- Target: 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
- Size: 152KB
- MD5: 5cf6ef1e3cdd65b37f31c9822ed3753e
- SHA1: 21eb377b21d9e3fb8c521c454a5367e971063fa2
- SHA256: 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f
- SHA512: c1facaf8ebab8b3b38a6c54189297c22ba9e9891b58362e7e9349dc36e6d64b7fc59a91c1a033ebe08e8a687ab2c66090173de1cecaf79a853357a598e0ee719
- SSDEEP: 3072:LwF8T0PAmr9B4NgVjGt1rOikGML7oCmFZKnbmLLLUP:8FCqxB4Ng9GLjcoCmFJLXUP
Malware Config
Signatures
- Gh0st RAT payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Windows\SysWOW64\mte566d55m.dll | family_gh0strat
  C:\Windows\SysWOW64\mte566d55m.dll | family_gh0strat
  \??\c:\windows\SysWOW64\mte566d55m.dll | family_gh0strat
  C:\Windows\SysWOW64\mte566d55m.dll | family_gh0strat
- Blocklisted process makes network request (4 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  11 | 2640 | rundll32.exe
  43 | 2640 | rundll32.exe
  50 | 2640 | rundll32.exe
  78 | 2640 | rundll32.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  Processes: 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jkgsaia22kjznl\Parameters\ServiceDll = "C:\\Windows\\system32\\mte566d55m.dll" | 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
- Sets file execution options in registry (2 TTPs, 4 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe\Debugger = "services.exe" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe\Debugger = "services.exe" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe | rundll32.exe
- Loads dropped DLL (3 IoCs)
  Processes: 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe, svchost.exe, rundll32.exe
  pid | process
  2836 | 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
  4768 | svchost.exe
  2640 | rundll32.exe
- Drops file in System32 directory (1 IoCs)
  Processes: 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\mte566d55m.dll | 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 4768 | svchost.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
  pid | process
  2836 | 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
  2836 | 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe, svchost.exe
  description | pid | process | target process
  PID 2836 wrote to memory of 2252 | 2836 | 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe | cmd.exe
  PID 2836 wrote to memory of 2252 | 2836 | 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe | cmd.exe
  PID 2836 wrote to memory of 2252 | 2836 | 34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe | cmd.exe
  PID 4768 wrote to memory of 2640 | 4768 | svchost.exe | rundll32.exe
  PID 4768 wrote to memory of 2640 | 4768 | svchost.exe | rundll32.exe
  PID 4768 wrote to memory of 2640 | 4768 | svchost.exe | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe"
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child process)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\34b63019852ccf1381b11b24034cef4ba842c93ecd10b2d69c0fbaaed57ae89f.exe"
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "jkgsaia22kjznl"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe c:\windows\system32\mte566d55m.dll, slexp
    - Blocklisted process makes network request
    - Sets file execution options in registry
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\mte566d55m.dll
  Filesize: 134KB
  MD5: ab420e65df285fe0ae0579dd93223dc6
  SHA1: 8709614eca06c722dc51f90d9bf993bf0c532b2c
  SHA256: 42d763d33e677910ad8fff393684296ac86106abe6478675ea8a29ab79e61103
  SHA512: 3b7bd58cb8a93f3d5ce47ffd3b9a42bdee06251707f2a80e5cbe07adb957589f24ab2741b4fbc6ff39184881acf4397e36e6053959f80a53b1451afa5c7b2666
- \??\c:\windows\SysWOW64\mte566d55m.dll
  Filesize: 134KB
  MD5: ab420e65df285fe0ae0579dd93223dc6
  SHA1: 8709614eca06c722dc51f90d9bf993bf0c532b2c
  SHA256: 42d763d33e677910ad8fff393684296ac86106abe6478675ea8a29ab79e61103
  SHA512: 3b7bd58cb8a93f3d5ce47ffd3b9a42bdee06251707f2a80e5cbe07adb957589f24ab2741b4fbc6ff39184881acf4397e36e6053959f80a53b1451afa5c7b2666
- memory/2252-135-0x0000000000000000-mapping.dmp
- memory/2640-136-0x0000000000000000-mapping.dmp