Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 06:29
Static task: static1
Behavioral task: behavioral1
- Sample: 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
- Resource: win10v2004-20220812-en
General
- Target: 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
- Size: 152KB
- MD5: 18d79e48f4a53fd03da55cab229c0960
- SHA1: 5369878ae807b98073ffdb7a4eaea05d2a824198
- SHA256: 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee
- SHA512: ef226bd3e81cdd028d12e155fb51045c2cd435ba1c05ea8dab880a7f55dc66f0da571a37da5795bd1830186469a205f9bdae570630b830b663a0c37b8f4effdc
- SSDEEP: 3072:LwF8T0PAmr9B4NgVjGt1rOikGML7oCmFZKnbmLLLUa:8FCqxB4Ng9GLjcoCmFJLXUa
Malware Config
Signatures
- Gh0st RAT payload (4 IoCs)
  resource | yara_rule
  C:\Windows\SysWOW64\mte56f67am.dll | family_gh0strat
  \??\c:\windows\SysWOW64\mte56f67am.dll | family_gh0strat
  C:\Windows\SysWOW64\mte56f67am.dll | family_gh0strat
  C:\Windows\SysWOW64\mte56f67am.dll | family_gh0strat
- Blocklisted process makes network request (4 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  6 | 4544 | rundll32.exe
  61 | 4544 | rundll32.exe
  70 | 4544 | rundll32.exe
  87 | 4544 | rundll32.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  Processes: 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gajho29zghkbnak\Parameters\ServiceDll = "C:\\Windows\\system32\\mte56f67am.dll" | 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
- Sets file execution options in registry (2 TTPs, 4 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe\Debugger = "services.exe" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe\Debugger = "services.exe" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe | rundll32.exe
- Loads dropped DLL (3 IoCs)
  Processes: 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe, svchost.exe, rundll32.exe
  pid | process
  1544 | 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
  2840 | svchost.exe
  4544 | rundll32.exe
- Drops file in System32 directory (3 IoCs)
  Processes: 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe, svchost.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\mte56f67am.dll | 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8D70DC8F-D875-47AF-BDFE-F3314E620E25}.catalogItem | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F69E676D-8C25-49D6-A63B-542B42688EF3}.catalogItem | svchost.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 2840 | svchost.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
  pid | process
  1544 | 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
  1544 | 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe, svchost.exe
  description | pid | process | target process
  PID 1544 wrote to memory of 4832 | 1544 | 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe | cmd.exe
  PID 1544 wrote to memory of 4832 | 1544 | 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe | cmd.exe
  PID 1544 wrote to memory of 4832 | 1544 | 19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe | cmd.exe
  PID 2840 wrote to memory of 4544 | 2840 | svchost.exe | rundll32.exe
  PID 2840 wrote to memory of 4544 | 2840 | svchost.exe | rundll32.exe
  PID 2840 wrote to memory of 4544 | 2840 | svchost.exe | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe"
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\19f22811c7d9d8abb70dd9a1e81fd4836802687c0f37b5b5b0189be3c37cf1ee.exe"
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "gajho29zghkbnak"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe c:\windows\system32\mte56f67am.dll, slexp
    - Blocklisted process makes network request
    - Sets file execution options in registry
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\mte56f67am.dll
  Filesize: 134KB
  MD5: 0e07a1c32d423ce761f6cc9aa7737195
  SHA1: 40bfe4c0df22872ca03b38ec91403dbcfaede60a
  SHA256: deb384072eeadaf820b4725ad2206380755a8f0a5a28430e5f0dd28a3db5ca35
  SHA512: e8a8fd6ccbcc3ccf7ff03115f41337e6abce5a77127eaae5a3230823f1922b0213eaef061e4a42daacab5f742eb811bb03111ddc50233c4613232ca106a9892b
- \??\c:\windows\SysWOW64\mte56f67am.dll
  Filesize: 134KB
  MD5: 0e07a1c32d423ce761f6cc9aa7737195
  SHA1: 40bfe4c0df22872ca03b38ec91403dbcfaede60a
  SHA256: deb384072eeadaf820b4725ad2206380755a8f0a5a28430e5f0dd28a3db5ca35
  SHA512: e8a8fd6ccbcc3ccf7ff03115f41337e6abce5a77127eaae5a3230823f1922b0213eaef061e4a42daacab5f742eb811bb03111ddc50233c4613232ca106a9892b
- memory/4544-136-0x0000000000000000-mapping.dmp
- memory/4832-135-0x0000000000000000-mapping.dmp