Analysis
max time kernel: 263s
max time network: 353s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 05:52
Static task: static1
Behavioral task: behavioral1
  Sample: a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe
  Resource: win10v2004-20221111-en
General
Target: a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe
Size: 152KB
MD5: 6cd0fe95a1bb5751717bd2b3d828c515
SHA1: c88b7eafd039d9152e4d758f6e515176a3ba8c25
SHA256: a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9
SHA512: d1dd8ae6996595f6dceaf22bee88c85180e644036f40ba4d62b38073a2d8c1a9446cda660367ae1b375c65ecf4e647946974d32ae882085d26ce0e514b1d8190
SSDEEP: 3072:LwF8T0PAmr9B4NgVjGt1rOikGML7oCmFZKnbmLLLUF:8FCqxB4Ng9GLjcoCmFJLXUF
Malware Config
Signatures
Gh0st RAT payload (7 IoCs)
  resource | yara_rule
  \Windows\SysWOW64\mt6f345am.dll | family_gh0strat (6 matches)
  \??\c:\windows\SysWOW64\mt6f345am.dll | family_gh0strat (1 match)
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\opgajk23nzkljgb\Parameters\ServiceDll = "C:\\Windows\\system32\\mt6f345am.dll" | a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe
Sets file execution options in registry (2 TTPs, 4 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe\Debugger = "services.exe" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASDSvc.exe\Debugger = "services.exe" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restrict.exe | rundll32.exe
Deletes itself (1 IoC)
Processes:
  pid | process
  1056 | cmd.exe
Loads dropped DLL (6 IoCs)
Processes:
  pid | process
  1168 | a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe
  972 | svchost.exe
  1672 | rundll32.exe (4 loads)
Drops file in System32 directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\mt6f345am.dll | a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as "likely ransomware behaviour", but that is a generic heuristic: nothing else in this report (no file encryption, no ransom note) supports it, and drive enumeration is equally consistent with a RAT's file-browsing feature.
-
Modifies data under HKEY_USERS (7 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | rundll32.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 972 | svchost.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid | process
  612 | a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe (2 calls)
  1168 | a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe (2 calls)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description | pid | process | target process
  PID 612 wrote to memory of 1168 (4 times) | 612 | a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe | a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe
  PID 1168 wrote to memory of 1056 (4 times) | 1168 | a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe | cmd.exe
  PID 972 wrote to memory of 1672 (7 times) | 972 | svchost.exe | rundll32.exe
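The two registry signatures above (a ServiceDll value under a new service's Parameters key, and IFEO Debugger values that redirect restrict.exe and ASDSvc.exe to services.exe) together with the svchost.exe -k "opgajk23nzkljgb" host process in the tree further down are the artefacts worth hunting for on other machines. The PowerShell below is an added hunting script written for this report; it is not part of the sandbox output or of the sample. It assumes an elevated PowerShell 5.1 or later prompt on the host under investigation, uses built-in cmdlets only, and takes the dropped DLL's SHA256 from the Downloads section as its known-bad hash. One caveat it encodes: the installer is a 32-bit process on 64-bit Windows, so the ServiceDll path it wrote says system32 while WoW64 file-system redirection actually placed the file in SysWOW64 (HKLM\SYSTEM is not redirected, so the registry path is as shown); the script therefore resolves both locations before hashing.

```powershell
# Added hunting script for the artefacts in this report (not part of the
# sandbox output or of the sample). Run from an elevated PowerShell 5.1+
# prompt on the host under investigation. Built-in cmdlets only.

# Dropped DLL's SHA256, taken from the Downloads section of the report.
$KnownBadSha256 = 'FD108C82F9B204EF1ED694E62013592C38097F9B5DC91BD26D430B7A32F44A46'

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Key, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Key = $Key; Detail = $Detail })
}

# 1. IFEO Debugger hijacks. When an image has a Debugger value, Windows starts
#    the named "debugger" with the original command line appended instead of
#    the image itself, so pointing restrict.exe / ASDSvc.exe at services.exe
#    simply stops them from ever running. Legitimate entries are rare on
#    endpoints; report every one and triage by hand.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO Debugger set' $_.PSChildName "Debugger = $dbg" }
}

# 2. svchost-hosted service DLLs. The installer was a 32-bit process on x64
#    Windows, so the ServiceDll it wrote says ...\system32\... while WoW64
#    redirection put the file in ...\SysWOW64\...; resolve both and check
#    what is really on disk.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $services -ErrorAction SilentlyContinue | ForEach-Object {
    $svcName = $_.PSChildName
    $params  = Join-Path $_.PSPath 'Parameters'
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    $candidates = @($dll)
    if ($dll -match '^(.*\\Windows)\\system32\\(.+)$') {
        $candidates += "$($Matches[1])\SysWOW64\$($Matches[2])"
    }
    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status
        if ($hash -eq $KnownBadSha256) {
            Add-Finding 'ServiceDll matches known-bad hash' $svcName $path
        } elseif ($sig -ne 'Valid') {
            Add-Finding 'ServiceDll not validly signed' $svcName "$path (signature: $sig)"
        }
    }
}

# 3. svchost groups. The process tree shows svchost.exe -k "opgajk23nzkljgb",
#    a group named after the single service it hosts. Each -k group is a
#    REG_MULTI_SZ value under the Svchost key listing its member services.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$groups = Get-ItemProperty -Path $svchostKey
foreach ($p in $groups.PSObject.Properties) {
    if ($meta -contains $p.Name) { continue }
    $members = @($p.Value)
    if ($members.Count -eq 1 -and $members[0] -eq $p.Name) {
        Add-Finding 'svchost group hosts only a service of the same name' $p.Name ($members -join ', ')
    }
}

$Findings | Sort-Object Check | Format-Table -AutoSize -Wrap
```

Treat the hash match as the high-confidence result. The signature check is a triage aid only: on Windows 7 many Microsoft service DLLs are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature reports them as NotSigned, and a few legitimate single-member svchost groups exist on some builds. Diff the output against a known-clean host of the same build before acting on it, and remember that the report's sample wrote under ControlSet001; CurrentControlSet resolves to the active control set on the live host, which is what matters for what runs at next boot.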
Processes
C:\Users\Admin\AppData\Local\Temp\a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe" TWO
      - Sets DLL path for service in the registry
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\a754b241d602848b7c8847798694abe524adfe6bc1587a83d36756ffd71a51b9.exe" TWO
          - Deletes itself

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "opgajk23nzkljgb"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe c:\windows\system32\mt6f345am.dll, slexp
      - Sets file execution options in registry
      - Loads dropped DLL
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\??\c:\windows\SysWOW64\mt6f345am.dll
  Filesize: 134KB
  MD5: b35589af84a598aeb068ce083583b377
  SHA1: d4df6eac6b164b51d92ccc8e0468e6d3917121b2
  SHA256: fd108c82f9b204ef1ed694e62013592c38097f9b5dc91bd26d430b7a32f44a46
  SHA512: 066509562b8e84a2e52422a5d15d1c9ff2542b381a82d7f7aa25d36e54cc3dc9e219fcf79323116deaf778ed12a85e3c775e34b2c2cb9192ebf94abd37971e5e

\Windows\SysWOW64\mt6f345am.dll
  Filesize: 134KB
  MD5: b35589af84a598aeb068ce083583b377
  SHA1: d4df6eac6b164b51d92ccc8e0468e6d3917121b2
  SHA256: fd108c82f9b204ef1ed694e62013592c38097f9b5dc91bd26d430b7a32f44a46
  SHA512: 066509562b8e84a2e52422a5d15d1c9ff2542b381a82d7f7aa25d36e54cc3dc9e219fcf79323116deaf778ed12a85e3c775e34b2c2cb9192ebf94abd37971e5e

memory/612-54-0x00000000767C1000-0x00000000767C3000-memory.dmp
  Filesize: 8KB

memory/1056-61-0x0000000000000000-mapping.dmp
memory/1168-55-0x0000000000000000-mapping.dmp
memory/1672-62-0x0000000000000000-mapping.dmp