Analysis
max time kernel: 124s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 08:31
Behavioral task: behavioral1
Sample: 06958f1b31d88752a1ba9b11b19424a2.exe
Resource: win10v2004-20220812-en
General
Target: 06958f1b31d88752a1ba9b11b19424a2.exe
Size: 473KB
MD5: 06958f1b31d88752a1ba9b11b19424a2
SHA1: 498359f2df703ad8d6fb0a897d306736096ba7aa
SHA256: d4989fbd8ab2cd81f7e882649dcd1cf1c27b48a7e1895538d557469b307571d2
SHA512: 8e00fc9ca52551c47244372b00d8b624d049b7abe301160bae599c561f9960044218cb9d6f74ed177ec149220bca45a1d70ae397bcd251fc438a9808b08db2d7
SSDEEP: 12288:nsaY8revhYIOyzGWIyr+VtivWByO/c690YWLF56KID:B/repYIOyZ+VtS301uNv0
Malware Config
Signatures
Gh0st RAT payload 4 IoCs
  yara rule family_gh0strat matched:
    C:\Users\Admin\AppData\Local\Temp\Temp\server.exe (2 matches)
    C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe (2 matches)
ASPack-packed executable 2 IoCs
  yara rule aspack_v212_v242 (ASPack v2.12 to v2.42) matched:
    C:\Users\Admin\AppData\Local\Temp\Temp\MuÕ½Ã˱à¼Æ÷.exe (2 matches)
Executes dropped EXE 3 IoCs
  pid 3040 MuÕ½Ã˱à¼Æ÷.exe
  pid 3600 server.exe
  pid 3364 svchost.exe
UPX-packed executable 3 IoCs
  yara rule upx matched the memory dumps of the submitted sample (pid 3620), region 0x400000-0x41C000:
    behavioral1/memory/3620-132-0x0000000000400000-0x000000000041C000-memory.dmp
    behavioral1/memory/3620-133-0x0000000000400000-0x000000000041C000-memory.dmp
    behavioral1/memory/3620-140-0x0000000000400000-0x000000000041C000-memory.dmp
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check (the sample can decide whether to proceed based on the victim's locale).
  06958f1b31d88752a1ba9b11b19424a2.exe: key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Adds Run key to start application 2 TTPs 2 IoCs
  svchost.exe: key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run
  svchost.exe: set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V2011 = "C:\\WINDOWS\\V2011.exe"
Drops file in System32 directory 2 IoCs
  svchost.exe: file created C:\Windows\SysWOW64\2016916113342
  svchost.exe: file opened for modification C:\Windows\SysWOW64\2016916113342
  (a 32-bit process writing under C:\Windows\System32 is redirected by WoW64 to SysWOW64, which is why the drop lands there)
Drops file in Windows directory 2 IoCs
  svchost.exe: file opened for modification C:\WINDOWS\V2011.exe
  svchost.exe: file created C:\WINDOWS\V2011.exe
  (this is the file the Run value above points at, so the persisted copy survives cleanup of the user's Temp directory)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour; for a Gh0st RAT dropper it is equally consistent with the RAT's remote file manager enumerating drives, so on its own it is not evidence of encryption activity.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  svchost.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  svchost.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Suspicious behavior: EnumeratesProcesses 14 IoCs
  pid 3600 server.exe (2 entries)
  pid 3364 svchost.exe (12 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid 3364 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
  pid 3364 svchost.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 12 IoCs
  Each parent-to-child pair is recorded three times; every target is a process the writer itself launched, which matches the writes CreateProcess makes into a freshly created child rather than injection into an unrelated process.
  pid 3620 06958f1b31d88752a1ba9b11b19424a2.exe wrote to memory of pid 3040 MuÕ½Ã˱à¼Æ÷.exe (3 entries)
  pid 3620 06958f1b31d88752a1ba9b11b19424a2.exe wrote to memory of pid 3600 server.exe (3 entries)
  pid 3600 server.exe wrote to memory of pid 3364 svchost.exe (3 entries)
  pid 3600 server.exe wrote to memory of pid 4084 cmd.exe (3 entries)
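The flattened WriteProcessMemory records read more easily as a tree. The script below is an added example, not part of the sandbox's tooling: it embeds the twelve records in the sandbox's own wording (the dropped editor's mojibake file name is written with Unicode escapes so the source stays ASCII), collapses the triplicated entries, and rebuilds the parent/child tree with PIDs.

```python
"""Rebuild a process tree from a sandbox's flattened 'PID X wrote to memory
of Y' records. Added example for this report; the records are the twelve
listed above, each CreateProcess appearing three times."""
import re
from collections import defaultdict

SAMPLE = "06958f1b31d88752a1ba9b11b19424a2.exe"
# The GBK file name exactly as the report mojibakes it (MuÕ½Ã˱à¼Æ÷.exe), escaped.
DROPPED_EDITOR = "Mu\u00d5\u00bd\u00c3\u00cb\u00b1\u00e0\u00bc\u00c6\u00f7.exe"

# Record layout: PID <writer> wrote to memory of <target> <writer> <writer image> <target image>
WPM_RECORDS = " ".join(
    [f"PID 3620 wrote to memory of 3040 3620 {SAMPLE} {DROPPED_EDITOR}"] * 3
    + [f"PID 3620 wrote to memory of 3600 3620 {SAMPLE} server.exe"] * 3
    + ["PID 3600 wrote to memory of 3364 3600 server.exe svchost.exe"] * 3
    + ["PID 3600 wrote to memory of 4084 3600 server.exe cmd.exe"] * 3
)

RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_records(text):
    """De-duplicated (parent_pid, child_pid, parent_name, child_name) tuples in
    first-seen order. The writer PID appears twice per record; a mismatch means
    the flattened line was damaged, so refuse it rather than guess."""
    seen, out = set(), []
    for ppid, cpid, ppid_again, pname, cname in RECORD.findall(text):
        if ppid != ppid_again:
            raise ValueError(f"garbled record: writer {ppid} vs {ppid_again}")
        key = (int(ppid), int(cpid))
        if key not in seen:
            seen.add(key)
            out.append((int(ppid), int(cpid), pname, cname))
    return out


def build_tree(records):
    """pid -> image name, parent pid -> [child pids], and the root pids
    (processes nobody wrote into)."""
    names, children = {}, defaultdict(list)
    for ppid, cpid, pname, cname in records:
        names.setdefault(ppid, pname)
        names[cpid] = cname
        children[ppid].append(cpid)
    all_children = {c for cs in children.values() for c in cs}
    roots = [pid for pid in names if pid not in all_children]
    return names, dict(children), roots


def render(names, children, pid, depth=0):
    """Indented text tree, one line per process, depth-first."""
    lines = [f"{'    ' * depth}{names[pid]} (pid {pid})"]
    for child in children.get(pid, []):
        lines.extend(render(names, children, child, depth + 1))
    return lines


if __name__ == "__main__":
    names, children, roots = build_tree(parse_records(WPM_RECORDS))
    for root in roots:
        print("\n".join(render(names, children, root)))
```

Running it prints the sample at the root with the editor and server.exe as its children and svchost.exe and cmd.exe under server.exe, which is the same chain the Processes section below shows; the parser is format-specific to this sandbox's wording and will need its regex adjusted for other report styles.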
Processes
C:\Users\Admin\AppData\Local\Temp\06958f1b31d88752a1ba9b11b19424a2.exe (pid 3620, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\06958f1b31d88752a1ba9b11b19424a2.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Temp\MuÕ½Ã˱à¼Æ÷.exe (pid 3040, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Temp\MuÕ½Ã˱à¼Æ÷.exe"
    (the file name is a GBK-encoded Chinese name rendered as Latin-1 mojibake; it most likely reads Mu战盟编辑器.exe, an "MU war-alliance editor" game tool, ASPack-packed per the yara match above)
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\Temp\server.exe (pid 3600, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Temp\server.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe (pid 3364, level 3)
      command line: C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe (pid 4084, level 3)
      command line: C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
      (the command line names system32 but the image is SysWOW64: the 32-bit parent is subject to WoW64 file system redirection)
C:\Windows\System32\rundll32.exe (level 1, a separate root, not a child of the sample)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  (out-of-process COM activation via shell32's SHCreateLocalServerRunDll; ordinary shell activity in the sandbox, not attributable to the sample)
Network
Downloads
C:\Users\Admin\AppData\Local\Temp\Temp\MuÕ½Ã˱à¼Æ÷.exe
  Filesize: 372KB
  MD5: 29416110d4cb995431cb69d5ce027cd3
  SHA1: bf9112166fb90e4440f1d4496e022cf88d5c2d2a
  SHA256: 72401d35cf04cb934a232c629d2bd8b4333375df0063d8cb3c050ab27b555db5
  SHA512: a15a3570c686c9b7ff0ffcaeb8261e66e1b5d30390bcde3a940c305c8fd7490007484713b37cfea95da8812cd090a210cc6afe58333091eabb9fa109e982d5f7
C:\Users\Admin\AppData\Local\Temp\Temp\server.exe
  Filesize: 204KB
  MD5: d008818e7d7d9879a14fb9f4ea73424a
  SHA1: cf4272699397b24bb82e8efa283c296ff23d5eef
  SHA256: 8613c81bddeced214c53b42419b7af4e9c17f77be411b2639d7c8ebe3e3c0bef
  SHA512: 90f0c8f471983a0240e2aa81224317519d46cf3a18d0ea40f738d6cb2a27a593d67fd8e936f36d260ab38e816c3e03a9b17c337b1941a72c232ca9bdb5396646
C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
  Filesize: 204KB
  MD5: d008818e7d7d9879a14fb9f4ea73424a
  SHA1: cf4272699397b24bb82e8efa283c296ff23d5eef
  SHA256: 8613c81bddeced214c53b42419b7af4e9c17f77be411b2639d7c8ebe3e3c0bef
  SHA512: 90f0c8f471983a0240e2aa81224317519d46cf3a18d0ea40f738d6cb2a27a593d67fd8e936f36d260ab38e816c3e03a9b17c337b1941a72c232ca9bdb5396646
  (byte-identical to server.exe above: same size and hashes, so the Gh0st payload is re-deployed under a system-process name; hunt on the hash rather than the file name)
C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat
  Filesize: 2KB
  MD5: 224467b852777be7c3f78bbdbe7b8ac1
  SHA1: 9fd26140ca6be8c1911767b908bc5ba8009b4825
  SHA256: bc88b96014ebe9291ea65e654e12942fd203f9600a6f045ba8e8c10c635c2a3c
  SHA512: 95452b3564e5f4fff8121c6509a6fd4ea1169b3935f7ed2ff27daf12ad6f611a643ef522d1c0d261775ddfcfbd74ddfe199557d7ada501bee6e1626aa99f58f5
  (run by cmd.exe pid 4084 from server.exe; its content is not shown on this page)
memory/3040-134-0x0000000000000000-mapping.dmp
memory/3364-141-0x0000000000000000-mapping.dmp
memory/3600-137-0x0000000000000000-mapping.dmp
memory/3620-133-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
memory/3620-132-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
memory/3620-140-0x0000000000400000-0x000000000041C000-memory.dmp  Filesize: 112KB
memory/4084-144-0x0000000000000000-mapping.dmp