Analysis
- max time kernel: 121s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 06:27

Static task: static1
Behavioral task: behavioral1
- Sample: 22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe
- Resource: win7-20220812-en
General
- Target: 22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe
- Size: 96KB
- MD5: 143d616b1ba8dc45a2a4d506b2365ec7
- SHA1: 0e7569741b996a7ad72e4175025a69205712a775
- SHA256: 22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03
- SHA512: 947e789a37db4b692157c1fb409a763353dbb6234cd1c53a530253ffd4936413d47e3d2c2d7248db3c78ec9680e96111e39c6b8776dd52721b6a058bac2d056f
- SSDEEP: 1536:gcFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prbrJRlRjdCQ35HFP:gOS4jHS8q/3nTzePCwNUh4E9bvfjwiFP
Malware Config
Signatures
- Gh0st RAT payload (5 IoCs)
  resource | yara_rule
  \??\c:\programdata\application data\storm\update\%sessionname%\eocol.cc3 | family_gh0strat
  C:\ProgramData\Storm\update\%SESSIONNAME%\eocol.cc3 | family_gh0strat
  behavioral2/memory/4672-139-0x0000000000400000-0x000000000044E354-memory.dmp | family_gh0strat
  C:\ProgramData\Storm\update\%SESSIONNAME%\eocol.cc3 | family_gh0strat
  C:\ProgramData\Storm\update\%SESSIONNAME%\eocol.cc3 | family_gh0strat
- Executes dropped EXE (1 IoC)
  pid | process
  4672 | intwtluvic
- Loads dropped DLL (3 IoCs)
  pid | process
  1368 | svchost.exe
  3792 | svchost.exe
  1776 | svchost.exe
- Drops file in System32 directory (6 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\dcihcehmdq | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
  File created | C:\Windows\SysWOW64\dlykofnfce | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
  File created | C:\Windows\SysWOW64\dtejvrxvck | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
- Program crash (3 IoCs)
  pid | pid_target | process | target process
  4560 | 1368 | WerFault.exe | svchost.exe
  332 | 3792 | WerFault.exe | svchost.exe
  2396 | 1776 | WerFault.exe | svchost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  4672 | intwtluvic
  4672 | intwtluvic
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | process
  Token: SeRestorePrivilege | 4672 | intwtluvic
  Token: SeBackupPrivilege | 4672 | intwtluvic
  Token: SeBackupPrivilege | 4672 | intwtluvic
  Token: SeRestorePrivilege | 4672 | intwtluvic
  Token: SeBackupPrivilege | 1368 | svchost.exe
  Token: SeRestorePrivilege | 1368 | svchost.exe
  Token: SeBackupPrivilege | 1368 | svchost.exe
  Token: SeBackupPrivilege | 1368 | svchost.exe
  Token: SeSecurityPrivilege | 1368 | svchost.exe
  Token: SeSecurityPrivilege | 1368 | svchost.exe
  Token: SeBackupPrivilege | 1368 | svchost.exe
  Token: SeBackupPrivilege | 1368 | svchost.exe
  Token: SeSecurityPrivilege | 1368 | svchost.exe
  Token: SeBackupPrivilege | 1368 | svchost.exe
  Token: SeBackupPrivilege | 1368 | svchost.exe
  Token: SeSecurityPrivilege | 1368 | svchost.exe
  Token: SeBackupPrivilege | 1368 | svchost.exe
  Token: SeRestorePrivilege | 1368 | svchost.exe
  Token: SeBackupPrivilege | 3792 | svchost.exe
  Token: SeRestorePrivilege | 3792 | svchost.exe
  Token: SeBackupPrivilege | 3792 | svchost.exe
  Token: SeBackupPrivilege | 3792 | svchost.exe
  Token: SeSecurityPrivilege | 3792 | svchost.exe
  Token: SeSecurityPrivilege | 3792 | svchost.exe
  Token: SeBackupPrivilege | 3792 | svchost.exe
  Token: SeBackupPrivilege | 3792 | svchost.exe
  Token: SeSecurityPrivilege | 3792 | svchost.exe
  Token: SeBackupPrivilege | 3792 | svchost.exe
  Token: SeBackupPrivilege | 3792 | svchost.exe
  Token: SeSecurityPrivilege | 3792 | svchost.exe
  Token: SeBackupPrivilege | 3792 | svchost.exe
  Token: SeRestorePrivilege | 3792 | svchost.exe
  Token: SeBackupPrivilege | 1776 | svchost.exe
  Token: SeRestorePrivilege | 1776 | svchost.exe
  Token: SeBackupPrivilege | 1776 | svchost.exe
  Token: SeBackupPrivilege | 1776 | svchost.exe
  Token: SeSecurityPrivilege | 1776 | svchost.exe
  Token: SeSecurityPrivilege | 1776 | svchost.exe
  Token: SeBackupPrivilege | 1776 | svchost.exe
  Token: SeBackupPrivilege | 1776 | svchost.exe
  Token: SeSecurityPrivilege | 1776 | svchost.exe
  Token: SeBackupPrivilege | 1776 | svchost.exe
  Token: SeBackupPrivilege | 1776 | svchost.exe
  Token: SeSecurityPrivilege | 1776 | svchost.exe
  Token: SeBackupPrivilege | 1776 | svchost.exe
  Token: SeRestorePrivilege | 1776 | svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | target process
  PID 992 wrote to memory of 4672 | 992 | 22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe | intwtluvic
  PID 992 wrote to memory of 4672 | 992 | 22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe | intwtluvic
  PID 992 wrote to memory of 4672 | 992 | 22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe | intwtluvic
Processes
(child processes are indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe"
  signatures: Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\intwtluvic
    command line: "C:\Users\Admin\AppData\Local\Temp\22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe" a -sc:\users\admin\appdata\local\temp\22b055e9d5da1c2a8dfb21777dab21d4093eb65aef5c959d56caacf34f656b03.exe
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 868
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1368 -ip 1368
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1112
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3792 -ip 3792
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1056
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1776 -ip 1776
Downloads
- C:\ProgramData\Storm\update\%SESSIONNAME%\eocol.cc3
  Filesize: 20.1MB
  MD5: 2ed6ac1f95fb26fccbe1e11940c7a531
  SHA1: 2de6a0e35727ad20c6468acc85303f46b1f323b7
  SHA256: df9b107c1e022ad40d5d698a340695b143a9d8718c4cbd2e314c0ef349c4ece0
  SHA512: afb2709b01097e9013d3f2d3352972ee91665c7de028d352e20f20ef0f5440415e46d6994218da3aaa471971dde2a5524da3f358eace3c15e9acdaa61bc6e876
- C:\Users\Admin\AppData\Local\intwtluvic
  Filesize: 22.8MB
  MD5: 229575d7ad4e8e49190b06c01f9f8646
  SHA1: a11877a33d284309fc0cb939181a84d31d8ae780
  SHA256: 32976c9f023eb2da3ea23f83d31432bbc6db71020d4048fc021b0cc00bf93524
  SHA512: 69baccae65fc29ce4b0973b547965a5cf579fdb4601c23f48d7b2638167271c646cc3f0f5add700f84b6f2d7750cbc4f38b98c9090b117600349e13be40d4085
- C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 204B
  MD5: 6259d97901a73e77dd4c12c525726e68
  SHA1: bd64bb6c8192572a03e6bc9644aee6cf7a606bb9
  SHA256: d0a3749c6287c0a35f524f272c688a7895817feabd0767df184c9a70282408a3
  SHA512: 8e7cad2dbdba4005d93daa43b43af98ad1fa83b8af9aa6ac15a94ae561f86813d86688df119e76b836bb881c704414d3fb2af507fb9bf5174cb7dd0fdbef1802
- C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 307B
  MD5: bfa91b3a88cc6a6bea830937e11917c2
  SHA1: 7d5c4403f4d26a0cfaf963c4a627779ea1ba2ddf
  SHA256: 2595247f9b53d2f6ecea2775fdba9148e9a0b2fcf6db368163a5b43100d7e9d1
  SHA512: 7d4d460d14ae04fca62910e9b9e393b38cfde11f8c3e49324dc65c04d61ebe6b0976f90771cb6b2906bef27f70349beeb1b5a934cb517f518a5ea652a965ee2e
- \??\c:\programdata\application data\storm\update\%sessionname%\eocol.cc3
  Filesize: 20.1MB
  MD5: 2ed6ac1f95fb26fccbe1e11940c7a531
  SHA1: 2de6a0e35727ad20c6468acc85303f46b1f323b7
  SHA256: df9b107c1e022ad40d5d698a340695b143a9d8718c4cbd2e314c0ef349c4ece0
  SHA512: afb2709b01097e9013d3f2d3352972ee91665c7de028d352e20f20ef0f5440415e46d6994218da3aaa471971dde2a5524da3f358eace3c15e9acdaa61bc6e876
- \??\c:\users\admin\appdata\local\intwtluvic
  Filesize: 22.8MB
  MD5: 229575d7ad4e8e49190b06c01f9f8646
  SHA1: a11877a33d284309fc0cb939181a84d31d8ae780
  SHA256: 32976c9f023eb2da3ea23f83d31432bbc6db71020d4048fc021b0cc00bf93524
  SHA512: 69baccae65fc29ce4b0973b547965a5cf579fdb4601c23f48d7b2638167271c646cc3f0f5add700f84b6f2d7750cbc4f38b98c9090b117600349e13be40d4085
- memory/992-132-0x0000000000400000-0x000000000044E354-memory.dmp
  Filesize: 312KB
- memory/4672-133-0x0000000000000000-mapping.dmp
- memory/4672-136-0x0000000000400000-0x000000000044E354-memory.dmp
  Filesize: 312KB
- memory/4672-139-0x0000000000400000-0x000000000044E354-memory.dmp
  Filesize: 312KB