Analysis
max time kernel: 149s
max time network: 51s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 04-12-2022 17:31
Behavioral task: behavioral1
Sample: cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
Resource: win10v2004-20221111-en
General
Target: cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
Size: 146KB
MD5: 9d9ff31b49bbabbd33c529a166d83618
SHA1: b0d97aa6647ee23af5f2bfebad02466ca70481fb
SHA256: cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308
SHA512: e2ae9698a8e91e4a3efbbc39e521d7b8195b5f6733d449929f44ee0d7728786333ade7ff82a7937a7b922dc4d9bbd883e12c50466b766151c172a30951d353b0
SSDEEP: 3072:IgEehZ6lngDMYUxHkq15yoY0f4S07tVaTqXuz1KJoZAo5LH5u:IgEehkHkmMoY0xoV00uz1PZAS
Malware Config
Signatures
-
Gh0st RAT payload (3 IoCs)
Processes:
resource | yara_rule
\??\c:\program files (x86)\agef\fpyesabfa.pic | family_gh0strat
\Program Files (x86)\Agef\Fpyesabfa.pic | family_gh0strat
C:\windows\xinstall1384100.dll | family_gh0strat
-
Deletes itself (1 IoC)
Processes:
pid | process
1220 | svchost.exe
-
Loads dropped DLL (1 IoC)
Processes:
pid | process
1220 | svchost.exe
-
Drops file in Program Files directory (2 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Agef\Fpyesabfa.pic | cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
File created | C:\Program Files (x86)\Agef\Fpyesabfa.pic | cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
-
Drops file in Windows directory (2 IoCs)
Processes:
description | ioc | process
File created | C:\windows\xinstall1384100.dll | cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
File opened for modification | C:\windows\xinstall1384100.dll | cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
-
Suspicious behavior: EnumeratesProcesses (51 IoCs)
Processes:
pid | process
1220 | svchost.exe (51 occurrences)
-
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
description | pid | process
Token: SeBackupPrivilege | 852 | cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
Token: SeRestorePrivilege | 852 | cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
Token: SeBackupPrivilege | 852 | cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
Token: SeRestorePrivilege | 852 | cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
Token: SeBackupPrivilege | 852 | cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
Token: SeRestorePrivilege | 852 | cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
Token: SeBackupPrivilege | 852 | cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
Token: SeRestorePrivilege | 852 | cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cb4c6e8e022a23ee7e61a0463215ad3be51deed4d5004f1215618312c586a308.exe"
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
-
C:\windows\xinstall1384100.dll
Filesize: 126KB
MD5: 9ea83111253838ac029211df562cd717
SHA1: e1ef851cb46bb7423ac785f1d4846acc9684b2cb
SHA256: 0efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f
SHA512: 345b5ba15514868ba9263755d38b39485d4b8140ee828637b0f1eaa6fca901fa592c79529c384dbc91394829259a2ee065a2d18e894e5e480b71cee7daa8c786
-
\??\c:\NT_Path.jpg
Filesize: 133B
MD5: cfd3c40aa85b9ea846ab7bdece99c5aa
SHA1: d3174e658d9bbddbe4bd62d802520691bb6e3635
SHA256: 36bdcb617dddd47b98b3c03a1a73d3e743c5358ca35c5d897a7c32593d06178e
SHA512: 87013fe7e146daa4cd6a5292e947c97686bcfdf50f59f24d85cb6562d0772013e617dd85cf94f808939064891f78d1cd8d93257173300b42b294ef6b39e5bfb0
-
\??\c:\program files (x86)\agef\fpyesabfa.pic
Filesize: 4.8MB
MD5: 0df03e456dada914c5613dc5404b75a4
SHA1: 89779022fec5397354f76942f94a9344ed8bc406
SHA256: 50afcaf39cfe3e2e126e903cd81cd1b70a7e19210793c02de65c887d27f10e50
SHA512: c9be22ce32f519d210c6f4ccc2ee975fba84680e14c7413b3242ea2e4b2da8d45f3e7b2fd2a2739de3d5343ff50bf73cb5fdd0d920614a587a30a9cafe54a2d6
-
\Program Files (x86)\Agef\Fpyesabfa.pic
Filesize: 4.8MB
MD5: 0df03e456dada914c5613dc5404b75a4
SHA1: 89779022fec5397354f76942f94a9344ed8bc406
SHA256: 50afcaf39cfe3e2e126e903cd81cd1b70a7e19210793c02de65c887d27f10e50
SHA512: c9be22ce32f519d210c6f4ccc2ee975fba84680e14c7413b3242ea2e4b2da8d45f3e7b2fd2a2739de3d5343ff50bf73cb5fdd0d920614a587a30a9cafe54a2d6
-
memory/852-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp
Filesize: 8KB