Analysis
-
max time kernel
275s -
max time network
284s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
29-11-2022 15:38
Static task
static1
Behavioral task
behavioral1
Sample
304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe
Resource
win7-20220901-en
General
-
Target
304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe
-
Size
1.8MB
-
MD5
5e4e6beee345bc64fb79b527f24cbdbb
-
SHA1
eb09e2cac1201f6859a2a32617c38ca8ca3e29dd
-
SHA256
304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee
-
SHA512
011758622d12280a9ea6d51874fd108294c54f2554996a480b24d6e6ba4ab1e848612b16fda0ba6b0ec2e1450b1a18cfc064400245e103ae8714a7c389095c97
-
SSDEEP
49152:bpobWsin5UdSluJGOjft7sEFF5fSJbTwU9rT4nRmzD2rlWT:dobQ5uSrOjfi454bTwizDxT
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
Processes:
resource yara_rule C:\Server.exe family_gh0strat C:\Server.exe family_gh0strat -
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\xujC8EF.tmp acprotect C:\Users\Admin\AppData\Local\Temp\xujC8EF.tmp acprotect -
Executes dropped EXE 2 IoCs
Processes:
ÐÞ¸´.exeServer.exepid process 1332 ÐÞ¸´.exe 1928 Server.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation 304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe -
Loads dropped DLL 2 IoCs
Processes:
ÐÞ¸´.exepid process 1332 ÐÞ¸´.exe 1332 ÐÞ¸´.exe -
Drops file in Program Files directory 1 IoCs
Processes:
Server.exedescription ioc process File created C:\Program Files (x86)\wi240830703nd.temp Server.exe -
Drops file in Windows directory 1 IoCs
Processes:
Server.exedescription ioc process File opened for modification C:\Windows\MySomeInfo.ini Server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Server.exepid process 1928 Server.exe 1928 Server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exedescription pid process target process PID 3268 wrote to memory of 1332 3268 304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe ÐÞ¸´.exe PID 3268 wrote to memory of 1332 3268 304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe ÐÞ¸´.exe PID 3268 wrote to memory of 1332 3268 304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe ÐÞ¸´.exe PID 3268 wrote to memory of 1928 3268 304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe Server.exe PID 3268 wrote to memory of 1928 3268 304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe Server.exe PID 3268 wrote to memory of 1928 3268 304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe Server.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe"C:\Users\Admin\AppData\Local\Temp\304b22f1b534dd5d8cc94896a5d4c19553fbd1740add6b6b94154f86157053ee.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\ÐÞ¸´.exe"C:\ÐÞ¸´.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Server.exe"C:\Server.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Server.exeFilesize
157KB
MD50ed8d43d8f4e3f766d5a7478875334e5
SHA1cf1779a1cb34ca5bfff9418d64a19b1c9bcc4d30
SHA2561274fd21aebb6567eb888496d6bb9f3fe0f5af75ee86352adf367fef0976e813
SHA512be4999e11c262d123cd5cf75d24638493e9558c56d759d6ac5daaeaf5e81ef93655de06e1588a578c28ab6701a1c11f1b7ab13a78c872aa0a80ca664744c4c87
-
C:\Server.exeFilesize
157KB
MD50ed8d43d8f4e3f766d5a7478875334e5
SHA1cf1779a1cb34ca5bfff9418d64a19b1c9bcc4d30
SHA2561274fd21aebb6567eb888496d6bb9f3fe0f5af75ee86352adf367fef0976e813
SHA512be4999e11c262d123cd5cf75d24638493e9558c56d759d6ac5daaeaf5e81ef93655de06e1588a578c28ab6701a1c11f1b7ab13a78c872aa0a80ca664744c4c87
-
C:\Users\Admin\AppData\Local\Temp\xujC8EF.tmpFilesize
172KB
MD5685f1cbd4af30a1d0c25f252d399a666
SHA16a1b978f5e6150b88c8634146f1406ed97d2f134
SHA2560e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA5126555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
-
C:\Users\Admin\AppData\Local\Temp\xujC8EF.tmpFilesize
172KB
MD5685f1cbd4af30a1d0c25f252d399a666
SHA16a1b978f5e6150b88c8634146f1406ed97d2f134
SHA2560e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA5126555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
-
C:\ÐÞ¸´.exeFilesize
4.8MB
MD53517b7e7eaa58562d0878a76a2221974
SHA155a9ef7019b3d11329779e6d8c56317caa3bbad2
SHA256c2b945574253e3770f86ea667960aa81767b4d5794b9494c0f7c22cf22b32fee
SHA512985a3b53d46e49f4f4e83c2277e7368f34676915bcfc62957dfe6b3c213e1f41b6713a7f6f40de6685a2ce1775eb99380fe1802d1f52d225fa7ce4adf95e98b9
-
C:\ÐÞ¸´.exeFilesize
4.8MB
MD53517b7e7eaa58562d0878a76a2221974
SHA155a9ef7019b3d11329779e6d8c56317caa3bbad2
SHA256c2b945574253e3770f86ea667960aa81767b4d5794b9494c0f7c22cf22b32fee
SHA512985a3b53d46e49f4f4e83c2277e7368f34676915bcfc62957dfe6b3c213e1f41b6713a7f6f40de6685a2ce1775eb99380fe1802d1f52d225fa7ce4adf95e98b9
-
memory/1332-132-0x0000000000000000-mapping.dmp
-
memory/1332-135-0x0000000000400000-0x00000000008A8000-memory.dmpFilesize
4.7MB
-
memory/1332-141-0x0000000000A40000-0x0000000000AB3000-memory.dmpFilesize
460KB
-
memory/1928-136-0x0000000000000000-mapping.dmp