Analysis

Max time kernel: 150s
Max time network: 123s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22/12/2022, 02:57

Static task: static1
Behavioral task: behavioral1
  Sample: f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe
  Resource: win7-20220901-en

The signature results below reference behavioral2, i.e. the Windows 10 (win10v2004-20221111-en) run described in this header, not the win7 task listed above.
General

Target: f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe
Size: 185KB
MD5: b11e7218cb481804403951feca2b5c23
SHA1: 734dd67c960c786c2c55026605d5702dae6d0d86
SHA256: f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721
SHA512: 6b7226dec6aa578c6a7f8c179be95604eaf426003d1726b47ebe18f31848df7d018b1396b49c07f4a6366b05b77382f40dc8b94907fb475828f63040e8acd073
SSDEEP: 3072:2R1+aJe1mgawzxsBub861jIHxowh8j6X/3VGVnpUlCz764/9xpEEBqbZuwSy/Gmo:2RUTV5nA8j6XPVGpxx9b3wZuwSOGmYTJ
Malware Config
Signatures

Gh0st RAT payload (6 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000200000001e2b3-133.dat  family_gh0strat
  behavioral2/files/0x000200000001e2b3-134.dat  family_gh0strat
  behavioral2/files/0x000200000001e2b4-135.dat  family_gh0strat
  behavioral2/files/0x000b000000022e47-136.dat  family_gh0strat
  behavioral2/files/0x000b000000022e47-137.dat  family_gh0strat
  behavioral2/files/0x000200000001e2b4-139.dat  family_gh0strat

Executes dropped EXE (1 IoC)
  pid   Process
  1696  Kscrsu.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  Process: f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe
  The S-1-5-21-...-1000 component is the sandbox user's SID; a hunt should match on the Control Panel\International\Geo\Nation suffix rather than the full path.
Loads dropped DLL (2 IoCs)
  pid   Process
  1696  Kscrsu.exe
  1176  svchost.exe

Drops file in System32 directory (1 IoC)
  File created: C:\Windows\SysWOW64\Kscrsu.exe
  Process: f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe

Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files (x86)\TvbPlayer\135.jpg  (Kscrsu.exe)
  File created: C:\Program Files (x86)\TvbPlayer\135.jpg  (Kscrsu.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour"; in a Gh0st RAT sample, drive enumeration is consistent with the RAT's file-manager capability, and this report records no file modification beyond the drops listed above.
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (svchost.exe)
Modifies data under HKEY_USERS (1 IoC)
  Key created: \REGISTRY\USER\.DEFAULT\NetSubKey  (svchost.exe)
  HKU\.DEFAULT is the per-user hive of the LocalSystem account, which is consistent with the write coming from a service-hosted svchost.exe; the key name NetSubKey is a specific string to hunt for.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1176  svchost.exe  (64 occurrences)
Suspicious behavior: LoadsDriver (6 IoCs)
  pid  Process
  4    Process not Found  (5 occurrences)
  648  Process not Found  (1 occurrence)
  PID 4 is the System process, so driver loads attributed to it are the kernel's own and do not by themselves show that the sample loaded a driver.
Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeBackupPrivilege   1696  Kscrsu.exe  (4 occurrences, alternating with SeRestorePrivilege)
  Token: SeRestorePrivilege  1696  Kscrsu.exe  (4 occurrences)
  Enabling SeBackupPrivilege and SeRestorePrivilege together lets a process read and write files regardless of their ACLs, which fits the write into C:\Program Files (x86) recorded above.
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 3536 wrote to memory of 1696   3536  f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe  79
  (3 occurrences)
Processes

Image: C:\Users\Admin\AppData\Local\Temp\f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3536

    Image: C:\Windows\SysWOW64\Kscrsu.exe
    Command line: "C:\Windows\System32\Kscrsu.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      PID: 1696

Image: C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID: 1176

Two points for the analyst: the Kscrsu.exe command line names System32 while the image path is SysWOW64, which is WoW64 file-system redirection acting on a 32-bit process, so the drop actually lands in the 32-bit system directory. The svchost.exe -k imgsvc process is a separate root in the tree rather than a child of the sample; a service host that loads a dropped DLL and writes under HKU\.DEFAULT is consistent with the payload being registered as a service in the imgsvc group, which is how a service-hosted RAT component appears when parentage alone is examined.
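The behaviours this report fired on can be expressed as a small correlation over endpoint telemetry. The block below is an added example, not part of the sandbox report or of any vendor's detection content: it runs Sysmon-style events through rules for a drop into a system directory from a user-writable path, execution of a dropped EXE, a dropped DLL loaded by svchost.exe, key creation under HKU\.DEFAULT, the Geo\Nation and CentralProcessor queries, and repeated SeBackupPrivilege/SeRestorePrivilege enablement. The events are constructed from the PIDs, paths and registry keys listed above; the event schema, the rule names and the dropped DLL file name are assumptions, since the report records that svchost.exe loaded a dropped DLL but does not name it.

```python
# Added example: correlation over Sysmon-style events mirroring this report's
# signatures. Not from the sandbox report or any vendor. Event schema, rule
# names and the dropped DLL name are assumptions (the report names no DLL).
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\")
BACKUP_RESTORE = {"sebackupprivilege", "serestoreprivilege"}


def norm_path(path):
    """NTFS paths are case-insensitive, so compare them lower-cased."""
    return path.lower()


def norm_key(key):
    """Map the NT object-manager form the sandbox logs (\\REGISTRY\\USER\\...)
    onto the HKU/HKLM prefixes Sysmon emits, then lower-case for comparison."""
    upper = key.upper()
    for nt_prefix, hive in (("\\REGISTRY\\USER\\", "HKU\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\")):
        if upper.startswith(nt_prefix):
            key = hive + key[len(nt_prefix):]
            break
    return key.lower()


def detect(events):
    """Return (rule, detail) pairs. `dropped` holds files created earlier in the
    same trace; running or loading one of them is what the report's
    'Executes dropped EXE' / 'Loads dropped DLL' signatures express."""
    findings = []
    dropped = {}               # normalised path -> pid that created it
    privs = defaultdict(set)   # (pid, image) -> privileges enabled on its token
    for ev in events:
        kind, image = ev["event"], norm_path(ev["image"])
        if kind == "FileCreate":
            target = norm_path(ev["target"])
            dropped[target] = ev["pid"]
            if target.startswith(SYSTEM_DIRS) and any(m in image for m in USER_WRITABLE_MARKERS):
                findings.append(("drop_in_system_dir", f"pid {ev['pid']} {ev['image']} created {ev['target']}"))
        elif kind == "ProcessCreate" and image in dropped:
            findings.append(("executes_dropped_exe", f"pid {ev['pid']} {ev['image']} spawned by pid {ev['parent_pid']}"))
        elif kind == "ImageLoad" and norm_path(ev["loaded"]) in dropped:
            rule = "svchost_loads_dropped_dll" if image.endswith("\\svchost.exe") else "loads_dropped_dll"
            findings.append((rule, f"pid {ev['pid']} {ev['image']} loaded {ev['loaded']}"))
        elif kind == "RegistryCreate" and norm_key(ev["key"]).startswith("hku\\.default\\"):
            findings.append(("modifies_hku_default", f"pid {ev['pid']} {ev['image']} created {ev['key']}"))
        elif kind == "RegistryQuery":
            key = norm_key(ev["key"])
            if key.endswith("\\control panel\\international\\geo\\nation"):
                findings.append(("geo_nation_lookup", f"pid {ev['pid']} {ev['image']} read {ev['key']}"))
            elif "\\hardware\\description\\system\\centralprocessor\\" in key:
                findings.append(("cpu_info_query", f"pid {ev['pid']} {ev['image']} read {ev['key']}"))
        elif kind == "PrivilegeAdjust":
            privs[(ev["pid"], ev["image"])].add(ev["privilege"].lower())
    # Backup + Restore together let a process read and write regardless of file
    # ACLs, which a drop into Program Files needs; flag the pair, not each call.
    for (pid, image), held in privs.items():
        if BACKUP_RESTORE <= held:
            findings.append(("backup_restore_privileges", f"pid {pid} {image} enabled {sorted(held)}"))
    return findings


# Constructed from the PIDs, paths and keys in the report above; not a captured log.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe"
KSCRSU = "C:\\Windows\\SysWOW64\\Kscrsu.exe"
SVCHOST = "C:\\Windows\\SysWOW64\\svchost.exe"
DROPPED_DLL = "C:\\Windows\\SysWOW64\\dropped_placeholder.dll"  # hypothetical: report does not name the DLL

EVENTS = [
    {"event": "RegistryQuery", "pid": 3536, "image": SAMPLE,
     "key": "\\REGISTRY\\USER\\S-1-5-21-2386679933-1492765628-3466841596-1000\\Control Panel\\International\\Geo\\Nation"},
    {"event": "FileCreate", "pid": 3536, "image": SAMPLE, "target": KSCRSU},
    {"event": "FileCreate", "pid": 3536, "image": SAMPLE, "target": DROPPED_DLL},
    {"event": "ProcessCreate", "pid": 1696, "parent_pid": 3536, "image": KSCRSU},
    {"event": "ImageLoad", "pid": 1696, "image": KSCRSU, "loaded": DROPPED_DLL},
    *[{"event": "PrivilegeAdjust", "pid": 1696, "image": KSCRSU, "privilege": p}
      for p in ("SeBackupPrivilege", "SeRestorePrivilege") * 4],
    {"event": "FileCreate", "pid": 1696, "image": KSCRSU, "target": "C:\\Program Files (x86)\\TvbPlayer\\135.jpg"},
    {"event": "ImageLoad", "pid": 1176, "image": SVCHOST, "loaded": "C:\\Windows\\SysWOW64\\kernel32.dll"},  # benign, must not fire
    {"event": "ImageLoad", "pid": 1176, "image": SVCHOST, "loaded": DROPPED_DLL},
    {"event": "RegistryCreate", "pid": 1176, "image": SVCHOST, "key": "\\REGISTRY\\USER\\.DEFAULT\\NetSubKey"},
    {"event": "RegistryQuery", "pid": 1176, "image": SVCHOST,
     "key": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz"},
]

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:28} {detail}")
```

The `dropped` map is what turns single events into the report's "dropped" signatures: a file created in the trace and later executed or mapped into svchost.exe is far more specific than either event alone. Matching on the Geo\Nation and .DEFAULT suffixes rather than full key paths keeps the rules independent of the SID of the user the sample ran as.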
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 113KB  (listed twice in the report)
MD5: 8ac6d30b724bd5669cc6d062da672d9b
SHA1: a972660927e926576b492bddbf48f8b920965159
SHA256: 3f299a304c3781e36dc7746ec4193e1df76df55303e65b4de2b70df0c3259498
SHA512: bfc6ff7edaa603bb6bb586c2a66f9b1110bc54544561cb7ca033dcce7ab87652624cbd10fdd2cfe1c6ac6f6de9772b2767ad4d3e76977d9960aaf2c839fb829f

Filesize: 7.2MB  (listed twice in the report)
MD5: 6e0d143346489059460240f940abbc8e
SHA1: 6b2bb5255171b76f2e7d6b66321e5726e7e62b3f
SHA256: f436cf9f95c4ce0f2280fe63f42407ce6e610d850fd14cc845edcd8275b9c2f2
SHA512: 3a02ae98606f52a049e43f0a39009a3949d4e09f7645b52ce36c319393d819dc79419ae6b29e675bcd609947a97e6aeddbf1563227faf377b22c6117f9836f5f

Filesize: 145KB  (listed twice in the report)
MD5: 97e4261c496accf6eecb9d1f37fb1074
SHA1: 951c902816a0ca83769dfdbd34e898d6bcb4af7d
SHA256: f424aca7e2c5e124b9a7f3408b623e370dfb8fcc6f43191977547bc5384c3700
SHA512: 1c17aa947907032e86cb225a85777d11867e45cfddb9365afbccac4455e52c944f73daddd50a0856a9fe64b67151c4220d215d88b78b2f094036f2717d565308

Filesize: 45B
MD5: 5842100cc769231b2ab403017c83b3d9
SHA1: 7e3636e44d7906cf00d391e849ce5ff2bec2a79f
SHA256: 85089b0ac93d3f4c7addaf25efea7f293d6960827f5fca77a977178e8af39ce2
SHA512: 15469b0c504d61de3b570dd7942e840d499dc2f291949bcda27a1a17a09e7831b59db22a6efe4770795b9a95466e8d662ab5582919e42e6172c3aa669f60fa87