Analysis
- max time kernel: 171s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 04-12-2022 17:33
Behavioral task: behavioral1
- Sample: aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe
- Resource: win10v2004-20221111-en
General
- Target: aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe
- Size: 108KB
- MD5: 0e1ccb59daeffd4c3f95f265f0fc2c3c
- SHA1: a898f0b55a807a4a963fbb74457041134d987790
- SHA256: aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6
- SHA512: 087796f8a48cd9caf0de1a1a21b38fb0f2223103241997ffdba16c58eb8e86238654b9bd1935bdfb9ce8d02eecf625e3a24b3e58e7567947d00aa106daad95c0
- SSDEEP: 3072:nEDp5IucmVVLVTuoKem/1EQ6vEpvHa3Ha16nzJ:nyp5IucmVVLVxj6HTpf716F
Malware Config
Signatures
- Gh0st RAT payload (5 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1520-54-0x0000000000400000-0x000000000041C000-memory.dmp: family_gh0strat
  - behavioral1/memory/1520-58-0x0000000000400000-0x000000000041C000-memory.dmp: family_gh0strat
  - \??\c:\documents and settings\local user\onlycjeg.dll: family_gh0strat
  - \Users\Local User\onlycjeg.dll: family_gh0strat
  - behavioral1/memory/900-61-0x0000000010000000-0x0000000010019000-memory.dmp: family_gh0strat
- Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\onlycjeg.dll" (aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe)
- Deletes itself (1 IoCs)
  Processes (pid / process):
  - 900 SVCHOST.EXE
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
  - 900 SVCHOST.EXE
- Kills process with taskkill (2 IoCs)
  Processes (pid / process):
  - 472 taskkill.exe
  - 572 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process):
  - 900 SVCHOST.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 472 taskkill.exe
  - Token: SeDebugPrivilege, 572 taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  - PID 1520 wrote to memory of 472: 1520 aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe -> taskkill.exe
  - PID 1520 wrote to memory of 472: 1520 aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe -> taskkill.exe
  - PID 1520 wrote to memory of 472: 1520 aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe -> taskkill.exe
  - PID 1520 wrote to memory of 472: 1520 aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe -> taskkill.exe
  - PID 1520 wrote to memory of 572: 1520 aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe -> taskkill.exe
  - PID 1520 wrote to memory of 572: 1520 aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe -> taskkill.exe
  - PID 1520 wrote to memory of 572: 1520 aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe -> taskkill.exe
  - PID 1520 wrote to memory of 572: 1520 aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe -> taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa8d6c51236f9b97959a8e963d4573c6cb41ceff9532ab3cc5ad18d70c5ddeb6.exe"
  - Sets DLL path for service in the registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /t /im 360inst.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /t /im ZhuDongFangYu.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\SVCHOST.EXE
  Command line: C:\Windows\SysWOW64\SVCHOST.EXE -K NETSVCS
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \??\c:\documents and settings\local user\onlycjeg.dll
  Filesize: 91KB
  MD5: 8985cb817bf4fe84bb28ca9446684b7c
  SHA1: bc868d16ddb51c112189324a920b1f67637a6c22
  SHA256: 83bfdb30c6147e4f90d3719cbc60ec1ed9655b15fa77d8424fb992b8b5ab10ff
  SHA512: a58130ffd8a5b21ded1feaa19bd96077dd9dc5abfe69ee8b2672fe1b7fdd1446e679e656c48925e3fd3d639aedd770184d55c71f15fa759b85149e14196320d5
- \Users\Local User\onlycjeg.dll
  Filesize: 91KB
  MD5: 8985cb817bf4fe84bb28ca9446684b7c
  SHA1: bc868d16ddb51c112189324a920b1f67637a6c22
  SHA256: 83bfdb30c6147e4f90d3719cbc60ec1ed9655b15fa77d8424fb992b8b5ab10ff
  SHA512: a58130ffd8a5b21ded1feaa19bd96077dd9dc5abfe69ee8b2672fe1b7fdd1446e679e656c48925e3fd3d639aedd770184d55c71f15fa759b85149e14196320d5
- memory/472-55-0x0000000000000000-mapping.dmp
- memory/572-56-0x0000000000000000-mapping.dmp
- memory/900-60-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
  Filesize: 8KB
- memory/900-61-0x0000000010000000-0x0000000010019000-memory.dmp
  Filesize: 100KB
- memory/1520-54-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/1520-58-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB