Analysis
- max time kernel: 151s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 05:43
Static task: static1
Behavioral task: behavioral1
- Sample: d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe
- Resource: win10v2004-20221111-en
General
- Target: d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe
- Size: 156KB
- MD5: 3b167ad87eae016771c79d323622c84a
- SHA1: 6d882793461f4692bed40a902b75b302bd090106
- SHA256: d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474
- SHA512: 833a8ae0e8a19a7c2ad06c71beea0c9e9dbbe0a5da2732b1c8515749eb7879c4880689596cb6f73fe78000c3a1d29421586fc148a464a655dd8d080a276224a9
- SSDEEP: 3072:PO+JlkeHRQFxJZWg/Dnq0iurbi6ZYYWYR5UtJ+c+aia:XlkeHR4ZVDPxVFWq5Ur+c+9a
Malware Config
Signatures
-
Gh0st RAT payload (7 IoCs)
resource | yara_rule
\Windows\SysWOW64\mt6c204em.dll | family_gh0strat
\??\c:\windows\SysWOW64\mt6c204em.dll | family_gh0strat
\Windows\SysWOW64\mt6c204em.dll | family_gh0strat
\Windows\SysWOW64\mt6c204em.dll | family_gh0strat
\Windows\SysWOW64\mt6c204em.dll | family_gh0strat
\Windows\SysWOW64\mt6c204em.dll | family_gh0strat
\Windows\SysWOW64\mt6c204em.dll | family_gh0strat
Blocklisted process makes network request (1 IoC)
flow | pid | process
4 | 1224 | rundll32.exe
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rihjkdf3kjkdf3\Parameters\ServiceDll = "C:\\Windows\\system32\\mt6c204em.dll" | d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe
Sets file execution options in registry (2 TTPs, 4 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe\Debugger = "services.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe\Debugger = "services.exe" | rundll32.exe
Deletes itself (1 IoC)
pid | process
2020 | cmd.exe
Loads dropped DLL (6 IoCs)
pid | process
900 | d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe
1300 | svchost.exe
1224 | rundll32.exe (recorded 4 times)
Drops file in System32 directory (2 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\mt6c204em.dll | d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description labels this "likely ransomware behaviour", but drive enumeration is a generic heuristic and nothing else in this report (no mass file modification, no dropped ransom note) supports a ransomware classification; the YARA hits above classify the payload as Gh0st RAT.
Modifies data under HKEY_USERS (24 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AC7D188-5E1B-45B5-8B9E-4E1BECD6D9A8} | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AC7D188-5E1B-45B5-8B9E-4E1BECD6D9A8}\WpadDecisionReason = "1" | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AC7D188-5E1B-45B5-8B9E-4E1BECD6D9A8}\6a-9b-22-b4-3b-a7 | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AC7D188-5E1B-45B5-8B9E-4E1BECD6D9A8}\WpadNetworkName = "Network" | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-9b-22-b4-3b-a7\WpadDecisionReason = "1" | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-9b-22-b4-3b-a7\WpadDecisionTime = a03f307fd803d901 | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-9b-22-b4-3b-a7\WpadDecision = "0" | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AC7D188-5E1B-45B5-8B9E-4E1BECD6D9A8}\WpadDecisionTime = a03f307fd803d901 | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AC7D188-5E1B-45B5-8B9E-4E1BECD6D9A8}\WpadDecision = "0" | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-9b-22-b4-3b-a7 | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | rundll32.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 1300 | svchost.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | process
1200 | d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe (recorded 2 times)
900 | d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe (recorded 2 times)
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | process | target process
PID 1200 wrote to memory of 900 | 1200 | d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe | d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe (recorded 4 times)
PID 900 wrote to memory of 2020 | 900 | d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe | cmd.exe (recorded 4 times)
PID 1300 wrote to memory of 1224 | 1300 | svchost.exe | rundll32.exe (recorded 7 times)
Processes
(depth 1, PID 1200) C:\Users\Admin\AppData\Local\Temp\d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (depth 2, PID 900) C:\Users\Admin\AppData\Local\Temp\d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe" TWO
    - Sets DLL path for service in the registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 3, PID 2020) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe" TWO
      - Deletes itself
(depth 1, PID 1300) C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "rihjkdf3kjkdf3"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2, PID 1224) C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe c:\windows\system32\mt6c204em.dll, slexp
    - Blocklisted process makes network request
    - Sets file execution options in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
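The registry behaviours and the process tree above form one persistence and defence-evasion chain: the second-stage copy of the sample (the "TWO" argument) drops mt6c204em.dll, registers it as the ServiceDll of a new service rihjkdf3kjkdf3 that svchost.exe hosts as its own -k group, and the DLL (via rundll32.exe, export slexp) then sets an Image File Execution Options Debugger of services.exe for two third-party executable names so that any attempt to start them runs services.exe instead. One caveat for hunting: the ServiceDll value is written as C:\Windows\system32\mt6c204em.dll, but the sample is 32-bit and on the x64 guest that write is redirected, so the file actually lands in C:\Windows\SysWOW64 (as the Drops file and Downloads sections show). The Python below is an added example, not part of the sandbox report or of the sample, that parses registry event lines in the report's own "description ioc process" layout, flags the IFEO Debugger and ServiceDll writes, reports both path spellings for the DLL, and correlates the unregistered svchost group with the service it hosts. The event lines and command lines are constructed from the IoCs above; the svchost group baseline is an abbreviated assumption, not a complete list.

```python
"""Flag Service-DLL persistence, IFEO Debugger hijacks and unregistered
svchost -k groups from sandbox-style registry and process lines.

Added example, not taken from the sandbox report or the sample. The sample
lines below are constructed from the IoCs in the report; the svchost group
baseline is an abbreviated assumption and should be read from a gold image."""
import re
from typing import Dict, List, Optional

# Registry events in the report's "description ioc process" layout (constructed).
EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rihjkdf3kjkdf3\Parameters\ServiceDll = "C:\\Windows\\system32\\mt6c204em.dll" d533791983d8f51eff0567cf66b471e9e69bd9b5096a84287260bd21ace9f474.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe\Debugger = "services.exe" rundll32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe\Debugger = "services.exe" rundll32.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe',
]
# Process command lines from the tree above plus one benign control (constructed).
PROCESS_CMDLINES = [
    r'C:\Windows\SysWOW64\svchost.exe -k "rihjkdf3kjkdf3"',
    r'C:\Windows\SysWOW64\svchost.exe -k netsvcs',
]
# Abbreviated baseline of default svchost groups (assumption; real deployments
# should enumerate HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost).
KNOWN_SVCHOST_GROUPS = {"netsvcs", "LocalService", "NetworkService", "DcomLaunch", "rpcss",
                        "LocalSystemNetworkRestricted", "LocalServiceNoNetwork",
                        "LocalServiceNetworkRestricted", "LocalServiceAndNoImpersonation"}

SET_VALUE = re.compile(r'^Set value \((\w+)\) (.+?) = (?:"(.*)"|(\S+)) (\S+)$')
KEY_CREATED = re.compile(r'^Key created (.+) (\S+)$')
IFEO_DEBUGGER = re.compile(r'\\Image File Execution Options\\([^\\]+)\\Debugger$', re.I)
SERVICE_DLL = re.compile(r'\\services\\([^\\]+)\\Parameters\\ServiceDll$', re.I)
SVCHOST_GROUP = re.compile(r'svchost\.exe\s+-k\s+"?([^"\s]+)"?', re.I)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one report line into op/type/path/value/process; None if unrecognised."""
    m = SET_VALUE.match(line)
    if m:
        kind, path, quoted, bare, proc = m.groups()
        value = quoted if quoted is not None else bare
        # The report doubles backslashes inside quoted values ("C:\\Windows\\...").
        return {"op": "set", "type": kind, "path": path,
                "value": value.replace("\\\\", "\\"), "process": proc}
    m = KEY_CREATED.match(line)
    if m:
        path, proc = m.groups()
        return {"op": "create", "type": "", "path": path, "value": "", "process": proc}
    return None


def wow64_variants(path: str) -> List[str]:
    """A 32-bit writer's %windir%\\System32 path is redirected to SysWOW64 on x64
    Windows; return both spellings so a file hunt does not miss the real copy."""
    variants = [path]
    idx = path.lower().find("\\system32\\")
    if idx != -1:
        variants.append(path[:idx] + "\\SysWOW64\\" + path[idx + len("\\system32\\"):])
    return variants


def registry_findings(lines: List[str]) -> List[dict]:
    """Flag IFEO Debugger values and ServiceDll writes among Set value events."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "set":
            continue
        m = IFEO_DEBUGGER.search(ev["path"])
        if m:
            # Any launch of <target> runs the Debugger value with the original
            # command line; pointing it at services.exe means <target> never starts.
            findings.append({"rule": "ifeo_debugger", "target": m.group(1),
                             "debugger": ev["value"], "process": ev["process"]})
            continue
        m = SERVICE_DLL.search(ev["path"])
        if m:
            findings.append({"rule": "service_dll", "service": m.group(1), "dll": ev["value"],
                             "on_disk": wow64_variants(ev["value"]), "process": ev["process"]})
    return findings


def unregistered_svchost_groups(cmdlines: List[str], known=KNOWN_SVCHOST_GROUPS) -> List[str]:
    """Return -k group names that are not in the baseline (case-insensitive)."""
    known_low = {k.lower() for k in known}
    groups = []
    for cmd in cmdlines:
        m = SVCHOST_GROUP.search(cmd)
        if m and m.group(1).lower() not in known_low:
            groups.append(m.group(1))
    return groups


def correlate(lines: List[str], cmdlines: List[str]) -> List[dict]:
    """Join unknown svchost groups to a ServiceDll finding for a service of the same name."""
    findings = registry_findings(lines)
    by_service = {f["service"].lower(): f for f in findings if f["rule"] == "service_dll"}
    for group in unregistered_svchost_groups(cmdlines):
        hit = by_service.get(group.lower())
        findings.append({"rule": "svchost_group", "group": group,
                         "linked_service_dll": hit["dll"] if hit else None})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS, PROCESS_CMDLINES):
        print(finding)
```

On this sample the run yields four findings: two ifeo_debugger entries (restrict.exe and ASDSvc.exe, both redirected to services.exe), one service_dll entry for rihjkdf3kjkdf3 listing both the System32 and the SysWOW64 spelling of mt6c204em.dll, and one svchost_group entry linking the -k group to that ServiceDll; the ProxyEnable write and the netsvcs control are not flagged.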
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\windows\SysWOW64\mt6c204em.dll
  Filesize: 137KB
  MD5: 41310eb3d0015982157b547ad801864c
  SHA1: 5132f679fc59e7f82a8d77d19073c1dd73f6772d
  SHA256: 1ddf3693e1e4086d9899fd96e42027759ac467536d63f928e319fc37423c7a25
  SHA512: 97099d805a11e9360980a44cffb7eb94b49ce5ee9f6b55a5197e53b8e1ee82333158512c8182bbd0053d4b837c8f848c49d88364bdb6bc9136d7dff39c87e46d
- \Windows\SysWOW64\mt6c204em.dll (recorded six times; every copy has the same size and hashes)
  Filesize: 137KB
  MD5: 41310eb3d0015982157b547ad801864c
  SHA1: 5132f679fc59e7f82a8d77d19073c1dd73f6772d
  SHA256: 1ddf3693e1e4086d9899fd96e42027759ac467536d63f928e319fc37423c7a25
  SHA512: 97099d805a11e9360980a44cffb7eb94b49ce5ee9f6b55a5197e53b8e1ee82333158512c8182bbd0053d4b837c8f848c49d88364bdb6bc9136d7dff39c87e46d
- memory/900-55-0x0000000000000000-mapping.dmp
- memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp
  Filesize: 8KB
- memory/1224-62-0x0000000000000000-mapping.dmp
- memory/2020-61-0x0000000000000000-mapping.dmp