Analysis
- max time kernel: 52s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 06:10
Static task: static1
Behavioral task: behavioral1
Sample: 6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe
Resource: win7-20221111-en
General
- Target: 6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe
- Size: 96KB
- MD5: fe46056fc8bd9d648a29e076650a2bdf
- SHA1: d8e087bf82884fd900fa6bab3019e73cf7ebf213
- SHA256: 6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1
- SHA512: 1ea0fa142d386e2007b57c0335b18be583b624aebee187e86102d943c65631977c8c26fb02ef8c248445d6166bb0939edaaa4b579d1a1f15a50a9e8c9a017d4b
- SSDEEP: 3072:iOS4jHS8q/3nTzePCwNUh4E90yp9w7RUTV/LUz:ih428q/nTzePCwG70ywSS
Malware Config
Signatures
-
Gh0st RAT payload (5 IoCs)
Processes:
resource | yara_rule
\??\c:\programdata\application data\storm\update\%sessionname%\ifpnf.cc3 | family_gh0strat
C:\ProgramData\Storm\update\%SESSIONNAME%\ifpnf.cc3 | family_gh0strat
behavioral2/memory/4740-140-0x0000000000400000-0x000000000044E29C-memory.dmp | family_gh0strat
C:\ProgramData\Storm\update\%SESSIONNAME%\ifpnf.cc3 | family_gh0strat
C:\ProgramData\Storm\update\%SESSIONNAME%\ifpnf.cc3 | family_gh0strat
-
Executes dropped EXE (1 IoC)
Processes:
pid | process
4740 | efsknwbmrg
-
Loads dropped DLL (3 IoCs)
Processes:
pid | process
5004 | svchost.exe
212 | svchost.exe
4360 | svchost.exe
-
Drops file in System32 directory (6 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\eeelepbbnr | svchost.exe
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
File created | C:\Windows\SysWOW64\eeurdyitad | svchost.exe
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
File created | C:\Windows\SysWOW64\euwdtfnpbt | svchost.exe
File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
-
Program crash (3 IoCs)
Processes:
pid | pid_target | process | target process
1396 | 5004 | WerFault.exe | svchost.exe
3884 | 212 | WerFault.exe | svchost.exe
3564 | 4360 | WerFault.exe | svchost.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
4740 | efsknwbmrg
4740 | efsknwbmrg
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
description | pid | process
Token: SeRestorePrivilege | 4740 | efsknwbmrg
Token: SeBackupPrivilege | 4740 | efsknwbmrg
Token: SeBackupPrivilege | 4740 | efsknwbmrg
Token: SeRestorePrivilege | 4740 | efsknwbmrg
Token: SeBackupPrivilege | 5004 | svchost.exe
Token: SeRestorePrivilege | 5004 | svchost.exe
Token: SeBackupPrivilege | 5004 | svchost.exe
Token: SeBackupPrivilege | 5004 | svchost.exe
Token: SeSecurityPrivilege | 5004 | svchost.exe
Token: SeSecurityPrivilege | 5004 | svchost.exe
Token: SeBackupPrivilege | 5004 | svchost.exe
Token: SeBackupPrivilege | 5004 | svchost.exe
Token: SeSecurityPrivilege | 5004 | svchost.exe
Token: SeBackupPrivilege | 5004 | svchost.exe
Token: SeBackupPrivilege | 5004 | svchost.exe
Token: SeSecurityPrivilege | 5004 | svchost.exe
Token: SeBackupPrivilege | 5004 | svchost.exe
Token: SeRestorePrivilege | 5004 | svchost.exe
Token: SeBackupPrivilege | 212 | svchost.exe
Token: SeRestorePrivilege | 212 | svchost.exe
Token: SeBackupPrivilege | 212 | svchost.exe
Token: SeBackupPrivilege | 212 | svchost.exe
Token: SeSecurityPrivilege | 212 | svchost.exe
Token: SeSecurityPrivilege | 212 | svchost.exe
Token: SeBackupPrivilege | 212 | svchost.exe
Token: SeBackupPrivilege | 212 | svchost.exe
Token: SeSecurityPrivilege | 212 | svchost.exe
Token: SeBackupPrivilege | 212 | svchost.exe
Token: SeBackupPrivilege | 212 | svchost.exe
Token: SeSecurityPrivilege | 212 | svchost.exe
Token: SeBackupPrivilege | 212 | svchost.exe
Token: SeRestorePrivilege | 212 | svchost.exe
Token: SeBackupPrivilege | 4360 | svchost.exe
Token: SeRestorePrivilege | 4360 | svchost.exe
Token: SeBackupPrivilege | 4360 | svchost.exe
Token: SeBackupPrivilege | 4360 | svchost.exe
Token: SeSecurityPrivilege | 4360 | svchost.exe
Token: SeSecurityPrivilege | 4360 | svchost.exe
Token: SeBackupPrivilege | 4360 | svchost.exe
Token: SeBackupPrivilege | 4360 | svchost.exe
Token: SeSecurityPrivilege | 4360 | svchost.exe
Token: SeBackupPrivilege | 4360 | svchost.exe
Token: SeBackupPrivilege | 4360 | svchost.exe
Token: SeSecurityPrivilege | 4360 | svchost.exe
Token: SeBackupPrivilege | 4360 | svchost.exe
Token: SeRestorePrivilege | 4360 | svchost.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 2364 wrote to memory of 4740 | 2364 | 6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe | efsknwbmrg
PID 2364 wrote to memory of 4740 | 2364 | 6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe | efsknwbmrg
PID 2364 wrote to memory of 4740 | 2364 | 6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe | efsknwbmrg
Processes (child processes are indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe"
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\efsknwbmrg
    Command line: "C:\Users\Admin\AppData\Local\Temp\6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe" a -sc:\users\admin\appdata\local\temp\6c7a4c2eb323324b2591e838c5b3391c28828d8466a138533aff7bbf123fdbd1.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 872
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5004 -ip 5004
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 880
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 212 -ip 212
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 888
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4360 -ip 4360
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\Storm\update\%SESSIONNAME%\ifpnf.cc3
  Filesize: 20.1MB
  MD5: ef5c0f76915d5763205ee9eb3726842b
  SHA1: ed4e5fe33bebc2a6a9bcedfbbfbee99cdf16f21b
  SHA256: 08f316b3acc510131c7eb978e65c3739937e95a1cdc5e9b87b77010f108a32af
  SHA512: 5f005f1701ea8dfd0ae0e4407005054225d44b88c759d584541a78e5e187e6c2c7e10be3548880e7cd88bc71e50a505540fadadf3a2bdbd170674034d71e124b
- C:\Users\Admin\AppData\Local\efsknwbmrg
  Filesize: 24.8MB
  MD5: 68f5705d340b73be7542cc2e0ea5d1fb
  SHA1: 14b7410e820354b26980b75d1544bc7f495d4cff
  SHA256: 2b0e13c88e93efa683e8852adb55c2d1808d9e455acef34ebdaf765d1b50717b
  SHA512: 6f2d88a81afc9dfc21e9d57ffc233215e521c9bd2a617ca7e827c6adab0f7ae7048695333f25022113339e568f97842059b68e7f773fd542677d2e40b0eb1615
- C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 204B
  MD5: 867076513d2c20c71cd11a97fe99fb50
  SHA1: 1ca804a949c6ec8394d0dc5d92de298f0aff3ea2
  SHA256: e3269edd40d5d49db93d73a272bdde6a8882d107ca50798c15eba1864d5fa435
  SHA512: b2757aab6ddb2fc8f9be443efe2e50c6c1aab8ca0c0504291f56eea4680bfc2d25b68fe40324052c53518befc91fca96aadf23ecad81142b0b16a0eae177a2c7
- C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 306B
  MD5: 9291a75c26d98ee09aa7be2ec2368847
  SHA1: 95aae8ce5cb57ef34d51996a49376c4c0bdf4605
  SHA256: 1290f48bb329f167f8beb969a077c663f86e28dfb3daa665e2a771f85dfd5a0d
  SHA512: 7e2e5e6391123550fc25c551bb4b8bd4af3cb74f872882c17f57c2f2f6d1b400f9d1b0c9dbfae3de4534e061eb6d8f126bf118f780044c20e47c4d259980593b
- \??\c:\programdata\application data\storm\update\%sessionname%\ifpnf.cc3
  Filesize: 20.1MB
  MD5: ef5c0f76915d5763205ee9eb3726842b
  SHA1: ed4e5fe33bebc2a6a9bcedfbbfbee99cdf16f21b
  SHA256: 08f316b3acc510131c7eb978e65c3739937e95a1cdc5e9b87b77010f108a32af
  SHA512: 5f005f1701ea8dfd0ae0e4407005054225d44b88c759d584541a78e5e187e6c2c7e10be3548880e7cd88bc71e50a505540fadadf3a2bdbd170674034d71e124b
- \??\c:\users\admin\appdata\local\efsknwbmrg
  Filesize: 24.8MB
  MD5: 68f5705d340b73be7542cc2e0ea5d1fb
  SHA1: 14b7410e820354b26980b75d1544bc7f495d4cff
  SHA256: 2b0e13c88e93efa683e8852adb55c2d1808d9e455acef34ebdaf765d1b50717b
  SHA512: 6f2d88a81afc9dfc21e9d57ffc233215e521c9bd2a617ca7e827c6adab0f7ae7048695333f25022113339e568f97842059b68e7f773fd542677d2e40b0eb1615
- memory/2364-132-0x0000000000400000-0x000000000044E29C-memory.dmp
  Filesize: 312KB
- memory/2364-135-0x0000000000400000-0x000000000044E29C-memory.dmp
  Filesize: 312KB
- memory/4740-140-0x0000000000400000-0x000000000044E29C-memory.dmp
  Filesize: 312KB
- memory/4740-137-0x0000000000400000-0x000000000044E29C-memory.dmp
  Filesize: 312KB
- memory/4740-133-0x0000000000000000-mapping.dmp