Analysis
- max time kernel: 134s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 05:51
Static task: static1
Behavioral task: behavioral1
- Sample: acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe
- Resource: win10v2004-20220812-en
General
- Target: acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe
- Size: 152KB
- MD5: 553704745f569ee423914de4067db62a
- SHA1: c5cc3b31d96851ca2402cce1aa0da5764af2d1a3
- SHA256: acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a
- SHA512: e5146f98621c8c2ff84468c650e2d07bcc57a171e1bd99e28381ae2e0af23e6080cbde91455be1fb233a3c833d3e7a33944c40717ce2bf54aea8dc4302118a3a
- SSDEEP: 3072:LwF8T0PAmr9B4NgVjGt1rOikGML7oCmFZKnbmLLLUZ:8FCqxB4Ng9GLjcoCmFJLXUZ
Malware Config
Signatures
- Gh0st RAT payload (4 IoCs)
  Processes: (none listed)
  resource                                  yara_rule
  C:\Windows\SysWOW64\mte56edd0m.dll        family_gh0strat
  \??\c:\windows\SysWOW64\mte56edd0m.dll    family_gh0strat
  C:\Windows\SysWOW64\mte56edd0m.dll        family_gh0strat
  C:\Windows\SysWOW64\mte56edd0m.dll        family_gh0strat
- Blocklisted process makes network request (5 IoCs)
  Processes: rundll32.exe
  flow   pid   process
  6      8     rundll32.exe
  38     8     rundll32.exe
  42     8     rundll32.exe
  44     8     rundll32.exe
  46     8     rundll32.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  Processes: acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe
  description      ioc                                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hiuoak27hbzkla\Parameters\ServiceDll = "C:\\Windows\\system32\\mte56edd0m.dll"  acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe
- Sets file execution options in registry (2 TTPs, 4 IoCs)
  Processes: rundll32.exe
  description      ioc                                                                                                                   process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe                rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe\Debugger = "services.exe"  rundll32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe                  rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe\Debugger = "services.exe"  rundll32.exe
- Loads dropped DLL (3 IoCs)
  Processes: acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe, svchost.exe, rundll32.exe
  pid    process
  3028   acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe
  2056   svchost.exe
  8      rundll32.exe
- Drops file in System32 directory (1 IoCs)
  Processes: acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe
  description   ioc                                   process
  File created  C:\Windows\SysWOW64\mte56edd0m.dll    acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: rundll32.exe
  description      ioc                                                                                                    process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     rundll32.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     rundll32.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    rundll32.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   rundll32.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: svchost.exe
  description                pid    process
  Token: SeDebugPrivilege    2056   svchost.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe
  pid    process
  3028   acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe
  3028   acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe, svchost.exe
  description                           pid    process                                                                   target process
  PID 3028 wrote to memory of 3184      3028   acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe    cmd.exe
  PID 3028 wrote to memory of 3184      3028   acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe    cmd.exe
  PID 3028 wrote to memory of 3184      3028   acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe    cmd.exe
  PID 2056 wrote to memory of 8         2056   svchost.exe                                                               rundll32.exe
  PID 2056 wrote to memory of 8         2056   svchost.exe                                                               rundll32.exe
  PID 2056 wrote to memory of 8         2056   svchost.exe                                                               rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe"
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\acba7be5d97ab5945782666e4b9379775b483d67fd6451b6dabac3ddf6a9e02a.exe"
- C:\Windows\SysWOW64\svchost.exe (depth 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "hiuoak27hbzkla"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe c:\windows\system32\mte56edd0m.dll, slexp
    - Blocklisted process makes network request
    - Sets file execution options in registry
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\mte56edd0m.dll
  Filesize: 134KB
  MD5: 0b935e31b86356120d0f5dc83acda5d4
  SHA1: e6de4855dff47032b3c4001faf4be42895e1d079
  SHA256: f20beefbc2cad2e8c3826b5201e4451c5384d39fbb107d854cf4cfe22a170b37
  SHA512: 037bdebee74a02cde79c977d399a8ece588c525934b837e2b3c644203b6bdfd90197a00ff5326d86b1d416ff29dcdac933e0e0259bbae712e9c1265ea87eadb0
- \??\c:\windows\SysWOW64\mte56edd0m.dll
  Filesize: 134KB
  MD5: 0b935e31b86356120d0f5dc83acda5d4
  SHA1: e6de4855dff47032b3c4001faf4be42895e1d079
  SHA256: f20beefbc2cad2e8c3826b5201e4451c5384d39fbb107d854cf4cfe22a170b37
  SHA512: 037bdebee74a02cde79c977d399a8ece588c525934b837e2b3c644203b6bdfd90197a00ff5326d86b1d416ff29dcdac933e0e0259bbae712e9c1265ea87eadb0
- memory/8-136-0x0000000000000000-mapping.dmp
- memory/3184-135-0x0000000000000000-mapping.dmp