Analysis
max time kernel: 237s
max time network: 337s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 06:36
Behavioral task behavioral1
Sample: 84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe
Resource: win7-20221111-en
Behavioral task behavioral2
Sample: 84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe
Resource: win10v2004-20220812-en
General
Target: 84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe
Size: 285KB
MD5: e571fff236c7bee77e157fc3fcb9d6ea
SHA1: 7d3fe018030a4b8d6cd95f113600615d29158e0b
SHA256: 84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f
SHA512: ead3d54219efce992c871abf9169538c9d8ad69ba38d5142081f46d02cec64318b3749ea847013bd00f6d6ed2f4c0bdd469144d5b5b68e25fe6a278124963264
SSDEEP: 6144:If4ciXeyVT51buHjCgvXSOhSFi62Tgbny7a34cq3H3i34X04vnyNOwmjtG:xXWmgvXJgFid5XSIN/yNmxG
Malware Config
Signatures
Gh0st RAT payload (yara rule family_gh0strat), 2 IoCs
  behavioral1/memory/520-58-0x0000000010000000-0x0000000010046000-memory.dmp  family_gh0strat
  behavioral1/memory/520-61-0x0000000010000000-0x0000000010046000-memory.dmp  family_gh0strat
VMProtect packed file (yara rule vmprotect), 2 IoCs
  behavioral1/memory/520-54-0x0000000000400000-0x0000000000485000-memory.dmp  vmprotect
  behavioral1/memory/520-60-0x0000000000400000-0x0000000000485000-memory.dmp  vmprotect
  (The packer rule hits the main image region at 0x400000; the Gh0st rule hits a separate region at 0x10000000, i.e. the payload is only visible after unpacking in memory.)
Adds Run key to start application, 2 TTPs, 2 IoCs
  process 84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  process 84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CAF49ABD = "C:\\Windows\\CAF49ABD\\svchsot.exe"
  (The Wow6432Node path means a 32-bit process wrote the key on 64-bit Windows. The value name and the dropped directory share the same 8-hex token CAF49ABD, and "svchsot.exe" is a look-alike of the legitimate svchost.exe.)
Drops file in Windows directory, 2 IoCs
  process 84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe: File created C:\Windows\CAF49ABD\svchsot.exe
  process 84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe: File opened for modification C:\Windows\CAF49ABD\svchsot.exe
Runs net.exe
  net start "Task Scheduler", executed as net.exe -> net1.exe (net.exe hands the command to net1.exe); "Task Scheduler" is the display name of the Schedule service, so this starts the service.
Suspicious behavior: EnumeratesProcesses, 4 IoCs
  pid 520 84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe (4 hits)
Suspicious use of AdjustPrivilegeToken, 2 IoCs
  Token: SeDebugPrivilege, pid 520 84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe (2 hits)
Suspicious use of WriteProcessMemory, 8 IoCs
  PID 520 (84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe) wrote to memory of PID 1884 (net.exe), 4 hits
  PID 1884 (net.exe) wrote to memory of PID 1892 (net1.exe), 4 hits
  (Both sets of writes coincide with child process creation, net.exe by the sample and net1.exe by net.exe.)
Processes
C:\Users\Admin\AppData\Local\Temp\84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe (PID 520)
  command line: "C:\Users\Admin\AppData\Local\Temp\84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\net.exe (PID 1884)
    command line: net start "Task Scheduler"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1892)
      command line: C:\Windows\system32\net1 start "Task Scheduler"
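The behaviours above (a Run value pointing at a svchost look-alike under a random 8-hex directory in C:\Windows, the dropped file, and net.exe/net1.exe starting "Task Scheduler" from the persisting process) are what a hunter would turn into host detections. The script below is an added example written for this page, not the sandbox's detection logic. The event records are constructed to mirror the report's IoCs using Sysmon-style field names (EventID 1/11/13, Image, TargetObject, Details); they are not real captures. It generalises slightly beyond the report: the svchost check uses an edit-distance threshold so other look-alikes (and a real svchost.exe outside System32/SysWOW64) are caught too. Rule names and the threshold are this example's own choices.

```python
"""Hunt the behaviours from this sandbox report in host telemetry.

Added example for this page, not the sandbox's own code. EVENTS below are
CONSTRUCTED to mirror the report's IoCs; they are not real captures.
"""
import re

SAMPLE = "84bb149505d8d1b3a32527aac0dbdeeefeefdfe0d9830798057985484e3c713f.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

# Constructed events. Sysmon numbering: 13 = registry value set,
# 11 = file create, 1 = process create.
EVENTS = [
    {"EventID": 13, "ProcessId": 520, "Image": SAMPLE_PATH,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CAF49ABD",
     "Details": r"C:\Windows\CAF49ABD\svchsot.exe"},
    {"EventID": 11, "ProcessId": 520, "Image": SAMPLE_PATH,
     "TargetFilename": r"C:\Windows\CAF49ABD\svchsot.exe"},
    {"EventID": 1, "ProcessId": 1884, "ParentProcessId": 520,
     "Image": r"C:\Windows\SysWOW64\net.exe",
     "CommandLine": 'net start "Task Scheduler"'},
    {"EventID": 1, "ProcessId": 1892, "ParentProcessId": 1884,
     "Image": r"C:\Windows\SysWOW64\net1.exe",
     "CommandLine": 'C:\\Windows\\system32\\net1 start "Task Scheduler"'},
    # Benign noise that must not fire: an installer registering a tray app.
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

SVCHOST = "svchost.exe"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
# C:\Windows\<8 hex chars>\<name>.exe, the directory pattern seen in this report.
HEX_DIR_EXE_RE = re.compile(r"^c:\\windows\\[0-9a-f]{8}\\[^\\]+\.exe$", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'svchsot.exe' vs 'svchost.exe' is 2 (two substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def masquerades_as_svchost(path: str) -> bool:
    """True for svchost look-alikes anywhere, and for a real svchost.exe outside the system dirs."""
    name = basename(path).lower()
    if name == SVCHOST and path.lower().startswith(SYSTEM_DIRS):
        return False
    return edit_distance(name, SVCHOST) <= 2  # threshold is this example's choice


def suspicious_binary(path: str) -> bool:
    path = path.strip('"')
    return bool(HEX_DIR_EXE_RE.match(path)) or masquerades_as_svchost(path)


def hunt(events):
    """Return findings: Run-key persistence to a masquerading binary, the dropped file,
    and net/net1 'start "Task Scheduler"' tied by process ancestry to the persisting PID."""
    findings, persisters = [], set()
    parent = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}

    def ancestors(pid):
        seen = set()  # guard against cyclic/recycled PIDs in real telemetry
        while pid in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
            yield pid

    for e in events:
        if e["EventID"] == 13 and RUN_KEY_RE.search(e["TargetObject"]) and suspicious_binary(e["Details"]):
            findings.append({"rule": "run_key_to_masquerading_binary", "pid": e["ProcessId"],
                             "detail": f'{e["TargetObject"]} -> {e["Details"]}'})
            persisters.add(e["ProcessId"])
        elif e["EventID"] == 11 and suspicious_binary(e["TargetFilename"]):
            findings.append({"rule": "dropped_masquerading_binary_in_windows_dir",
                             "pid": e["ProcessId"], "detail": e["TargetFilename"]})
    for e in events:
        if e["EventID"] != 1 or basename(e["Image"]).lower() not in ("net.exe", "net1.exe"):
            continue
        cl = e["CommandLine"].lower()
        if "start" in cl and "task scheduler" in cl:
            findings.append({"rule": "net_start_task_scheduler", "pid": e["ProcessId"],
                             "detail": e["CommandLine"],
                             "linked_to_persistence": any(p in persisters for p in ancestors(e["ProcessId"]))})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

On the constructed events this yields four findings (the Run value, the dropped file, and both net.exe and net1.exe flagged with linked_to_persistence true via the 1892 -> 1884 -> 520 chain) and nothing for the vendor tray entry. The `net start` rule is deliberately kept separate and annotated rather than suppressed when no persisting ancestor is found, since on its own it is low signal.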
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/520-54-0x0000000000400000-0x0000000000485000-memory.dmp  Filesize 532KB
memory/520-55-0x0000000075441000-0x0000000075443000-memory.dmp  Filesize 8KB
memory/520-56-0x0000000010000000-0x0000000010046000-memory.dmp  Filesize 280KB
memory/520-58-0x0000000010000000-0x0000000010046000-memory.dmp  Filesize 280KB
memory/520-60-0x0000000000400000-0x0000000000485000-memory.dmp  Filesize 532KB
memory/520-61-0x0000000010000000-0x0000000010046000-memory.dmp  Filesize 280KB
memory/1884-62-0x0000000000000000-mapping.dmp
memory/1892-63-0x0000000000000000-mapping.dmp
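The dump names encode the PID, a snapshot sequence number and the address range, so the listing can be joined to the yara hits in the Signatures section to see which region each rule fired on and how many snapshots of it exist. The script below is an added example for this page, not the sandbox's own code; its inputs are the strings copied from this report, and the region descriptions at the end are this example's interpretation (0x400000 and 0x10000000 are the default EXE and DLL image bases respectively), not something the report states.

```python
"""Parse this report's memory-dump listing and join it to the yara hits.

Added example for this page, not the sandbox's own code. The input strings are
copied from the report; region descriptions are this example's interpretation.
"""
import re

# Copied from the report's Signatures section (yara hit lists).
RULE_HIT_LINES = [
    "behavioral1/memory/520-58-0x0000000010000000-0x0000000010046000-memory.dmp family_gh0strat "
    "behavioral1/memory/520-61-0x0000000010000000-0x0000000010046000-memory.dmp family_gh0strat",
    "behavioral1/memory/520-54-0x0000000000400000-0x0000000000485000-memory.dmp vmprotect "
    "behavioral1/memory/520-60-0x0000000000400000-0x0000000000485000-memory.dmp vmprotect",
]
# Copied from the report's Downloads section: (name, listed size or None).
DUMPS = [
    ("memory/520-54-0x0000000000400000-0x0000000000485000-memory.dmp", "532KB"),
    ("memory/520-55-0x0000000075441000-0x0000000075443000-memory.dmp", "8KB"),
    ("memory/520-56-0x0000000010000000-0x0000000010046000-memory.dmp", "280KB"),
    ("memory/520-58-0x0000000010000000-0x0000000010046000-memory.dmp", "280KB"),
    ("memory/520-60-0x0000000000400000-0x0000000000485000-memory.dmp", "532KB"),
    ("memory/520-61-0x0000000010000000-0x0000000010046000-memory.dmp", "280KB"),
    ("memory/1884-62-0x0000000000000000-mapping.dmp", None),
    ("memory/1892-63-0x0000000000000000-mapping.dmp", None),
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp", re.I)
HIT_RE = re.compile(r"(behavioral\d+/memory/\S+?-memory\.dmp)\s+(\S+)")


def parse_dump(name):
    """pid/seq/start/end/size_kb for a memory.dmp name; None for mapping.dmp entries,
    which carry no address range."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
            "size_kb": (end - start) // 1024}


def size_matches(name, listed):
    """Check the listed KB figure against the size implied by the address range."""
    d = parse_dump(name)
    return d is not None and listed is not None and d["size_kb"] == int(listed.rstrip("KB"))


def summarize(rule_lines, dumps):
    """Group dumps by (pid, start, end): snapshot sequence numbers plus the yara rules that hit."""
    regions = {}
    for name, _ in dumps:
        d = parse_dump(name)
        if d:
            r = regions.setdefault((d["pid"], d["start"], d["end"]),
                                   {"size_kb": d["size_kb"], "snapshots": [], "rules": set()})
            r["snapshots"].append(d["seq"])
    for line in rule_lines:
        for dump, rule in HIT_RE.findall(line):
            d = parse_dump(dump)
            r = regions.setdefault((d["pid"], d["start"], d["end"]),
                                   {"size_kb": d["size_kb"], "snapshots": [], "rules": set()})
            r["rules"].add(rule)
    return regions


def describe(start):
    """This example's interpretation of a region by its base address (not from the report)."""
    if start == 0x400000:
        return "default EXE image base: the VMProtect-packed host binary"
    if start == 0x10000000:
        return "default DLL image base: in-memory module where the Gh0st payload rule fires"
    return "other mapping (e.g. a system DLL)"


if __name__ == "__main__":
    for (pid, start, end), r in sorted(summarize(RULE_HIT_LINES, DUMPS).items()):
        print(f"pid {pid} 0x{start:08x}-0x{end:08x} {r['size_kb']}KB "
              f"snapshots={r['snapshots']} rules={sorted(r['rules'])}  {describe(start)}")
```

Run against the report's own strings this gives three regions for PID 520: 0x400000-0x485000 (532KB, snapshots 54 and 60, rule vmprotect), 0x10000000-0x10046000 (280KB, snapshots 56, 58 and 61, rule family_gh0strat) and the 8KB mapping at 0x75441000 with no hits; the KB figures in the listing all agree with the address ranges, and the two mapping.dmp entries for net.exe and net1.exe carry no range.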