Analysis
- max time kernel: 150s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 06:04
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe
- Resource: win7-20220901-en
General
- Target: 7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe
- Size: 95KB
- MD5: f7476fb58982ba61167f4932e396849b
- SHA1: 04ab56afb2175afb83e7c4b953ef6bf1a7036124
- SHA256: 7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6
- SHA512: fe6362492b29be045008461b14450b2c0f6e131223a38701e6c5fd47821769310fb5a1f10b5c1edba646b5daec57c72d4a0584fdbc9a30f1044e5c81705fa497
- SSDEEP: 1536:emFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prAp6o521TT:esS4jHS8q/3nTzePCwNUh4E9nT
Malware Config
Signatures
- Gh0st RAT payload (5 IoCs)
  resource | yara_rule:
    \??\c:\programdata\application data\storm\update\%sessionname%\utelu.cc3 | family_gh0strat
    C:\ProgramData\Storm\update\%SESSIONNAME%\utelu.cc3 | family_gh0strat
    behavioral2/memory/4988-139-0x0000000000400000-0x000000000044E240-memory.dmp | family_gh0strat
    C:\ProgramData\Storm\update\%SESSIONNAME%\utelu.cc3 | family_gh0strat
    C:\ProgramData\Storm\update\%SESSIONNAME%\utelu.cc3 | family_gh0strat
- Executes dropped EXE (1 IoC)
  Processes: ktoysvkjnl
  pid | process:
    4988 | ktoysvkjnl
- Loads dropped DLL (3 IoCs)
  Processes: svchost.exe, svchost.exe, svchost.exe
  pid | process:
    3308 | svchost.exe
    4560 | svchost.exe
    3544 | svchost.exe
- Drops file in System32 directory (7 IoCs)
  Processes: svchost.exe, svchost.exe, svchost.exe
  description | ioc | process:
    File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
    File created | C:\Windows\SysWOW64\cdichtncdh | svchost.exe
    File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
    File created | C:\Windows\SysWOW64\dubeeygsia | svchost.exe
    File created | C:\Windows\SysWOW64\ddgcllpjjg | svchost.exe
    File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
    File created | C:\Windows\SysWOW64\dabicpislw | svchost.exe
- Program crash (3 IoCs)
  Processes: WerFault.exe, WerFault.exe, WerFault.exe
  pid | pid_target | process | target process:
    4176 | 3308 | WerFault.exe | svchost.exe
    212 | 4560 | WerFault.exe | svchost.exe
    4948 | 3544 | WerFault.exe | svchost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: ktoysvkjnl
  pid | process:
    4988 | ktoysvkjnl
    4988 | ktoysvkjnl
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes: ktoysvkjnl, svchost.exe, svchost.exe, svchost.exe
  pid | process | tokens (in the order reported):
    4988 | ktoysvkjnl | SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege
    3308 | svchost.exe | SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege
    4560 | svchost.exe | SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege
    3544 | svchost.exe | SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe
  description | pid | process | target process:
    PID 704 wrote to memory of 4988 | 704 | 7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe | ktoysvkjnl
    PID 704 wrote to memory of 4988 | 704 | 7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe | ktoysvkjnl
    PID 704 wrote to memory of 4988 | 704 | 7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe | ktoysvkjnl
Processes
- C:\Users\Admin\AppData\Local\Temp\7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe"
  - Suspicious use of WriteProcessMemory
  Child process: \??\c:\users\admin\appdata\local\ktoysvkjnl
    Command line: "C:\Users\Admin\AppData\Local\Temp\7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe" a -sc:\users\admin\appdata\local\temp\7f868ec88b44bdbba15d1b37cc7a2dc0aa7ba396d12b55b0faaa24220066dde6.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  Child process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 1012
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3308 -ip 3308
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  Child process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1116
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4560 -ip 4560
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  Child process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 800
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3544 -ip 3544
Downloads
- C:\ProgramData\Storm\update\%SESSIONNAME%\utelu.cc3
  Filesize: 23.1MB
  MD5: ae66259783164199ce386eda14489d49
  SHA1: a6abf6c258393435a1d43588fb17d2604b519dfb
  SHA256: 07f9b14033efb6b9033096041ad8ba6d1a1fc82696f4428ba7bb1718761f15ea
  SHA512: ce9092d5a56f1d3e166bf2c66365d926d16a7aacf075c840791b6976ecc0cdae5904e4cbfc84f9d5a0eebe36d0ca0a9df4759bb5ede817bf228bdf7fc21744b6
- C:\Users\Admin\AppData\Local\ktoysvkjnl
  Filesize: 24.2MB
  MD5: f3956f8f480817b444c63302c95c3a23
  SHA1: 93ab1a438173e31daebfb43ae32d37ba212e58b8
  SHA256: c89989b53db9a80fe86a21a63bf71d95cf2672e4227b46e20f1c47f629ef8c40
  SHA512: 55e9064bb9503c928c07f69f76b10dce9334cfeb91b6b643a91369fb3ad804b5bb5b41bd81ef112bd16927fbdc803982ca86e27976c1c10d620b4ab5a1153cd6
- C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 206B
  MD5: 0d0cdf36bde076b59878dedca87269d5
  SHA1: 4c84f6531bd8c40fbc10c36638e019c9613da91b
  SHA256: d22ecdae9d8a5444a9ddd7e259b2a5e140c4c9cec6a7fec062cccf6709dcf703
  SHA512: e7dd4b3e7550f13f9e233787a61f49de2345e465d00fdea1ece809b9de1e54c957bb37ebdceee137095df4a6d748b4fd5689d64334a20b188d5cb525de2380c0
- C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 308B
  MD5: 5b35d402e16be2860bdc1fc4c40ab8f4
  SHA1: 58751eea800ca45f70626d3e335c44411bdedaa1
  SHA256: 28bab3264e38e3cee41547e40dda3d8b9b7d93b0f369c66134437699870bfd1f
  SHA512: 52fc8307a9845768fe3f743f266ef8325b6370e45185bada3c3c68c9a862d0f266ff8dfed5e8cef157df3c70ba070046d5a5450b5a391f2b95a2599f30ea34ca
- \??\c:\programdata\application data\storm\update\%sessionname%\utelu.cc3
  Filesize: 23.1MB
  MD5: ae66259783164199ce386eda14489d49
  SHA1: a6abf6c258393435a1d43588fb17d2604b519dfb
  SHA256: 07f9b14033efb6b9033096041ad8ba6d1a1fc82696f4428ba7bb1718761f15ea
  SHA512: ce9092d5a56f1d3e166bf2c66365d926d16a7aacf075c840791b6976ecc0cdae5904e4cbfc84f9d5a0eebe36d0ca0a9df4759bb5ede817bf228bdf7fc21744b6
- \??\c:\users\admin\appdata\local\ktoysvkjnl
  Filesize: 24.2MB
  MD5: f3956f8f480817b444c63302c95c3a23
  SHA1: 93ab1a438173e31daebfb43ae32d37ba212e58b8
  SHA256: c89989b53db9a80fe86a21a63bf71d95cf2672e4227b46e20f1c47f629ef8c40
  SHA512: 55e9064bb9503c928c07f69f76b10dce9334cfeb91b6b643a91369fb3ad804b5bb5b41bd81ef112bd16927fbdc803982ca86e27976c1c10d620b4ab5a1153cd6
- memory/704-132-0x0000000000400000-0x000000000044E240-memory.dmp
  Filesize: 312KB
- memory/4988-133-0x0000000000000000-mapping.dmp
- memory/4988-136-0x0000000000400000-0x000000000044E240-memory.dmp
  Filesize: 312KB
- memory/4988-139-0x0000000000400000-0x000000000044E240-memory.dmp
  Filesize: 312KB