Analysis
- max time kernel: 43s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 14-02-2023 16:46
Static task: static1
Behavioral task: behavioral1
- Sample: 4fae4e3df84f89f77df25ed6e9674940.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 4fae4e3df84f89f77df25ed6e9674940.exe
- Resource: win10v2004-20221111-en
General
- Target: 4fae4e3df84f89f77df25ed6e9674940.exe
- Size: 1.8MB
- MD5: 4fae4e3df84f89f77df25ed6e9674940
- SHA1: 720372d130c4931506ed0df1ede36dada6803f72
- SHA256: cf1de08c2a552617a6e8591a2bd25c72d597854e9564246a700329aa60b08be7
- SHA512: 08161380459a529918a94acb6acf9d149ba1e4de0a78f90c4db32cabb54a24114d1902da57dbbe49750e61607af667c8ff851201caf42cde83f2391bca6d2c2a
- SSDEEP: 49152:diszHX1u6cLxfOEPZldmn0TAI5FWQzt+1wBcv+lRA6ZtrPt9gsjGvlaQz:EszHXM6c1dmsAIiQzt+1wmv+lRAorPLq
Malware Config
Extracted
- Protocol: ftp
- Host: 43.155.145.155
- Port: 21
- Username: 123
- Password: 123
Extracted
- asyncrat
- Gh0st RAT
- Default
- 43.249.30.55:8848
- DcRatMutex
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoC)
  Processes (resource, yara_rule):
  behavioral1/memory/908-66-0x0000000002240000-0x0000000002252000-memory.dmp  asyncrat
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  908   wwlib.exe
  1932  WINWORD.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  364  4fae4e3df84f89f77df25ed6e9674940.exe
  364  4fae4e3df84f89f77df25ed6e9674940.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeDebugPrivilege  908  wwlib.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  908  wwlib.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 364 wrote to memory of 908   364  4fae4e3df84f89f77df25ed6e9674940.exe  wwlib.exe    (4 times)
  PID 364 wrote to memory of 1932  364  4fae4e3df84f89f77df25ed6e9674940.exe  WINWORD.exe  (4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\4fae4e3df84f89f77df25ed6e9674940.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4fae4e3df84f89f77df25ed6e9674940.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\test2\wwlib.exe
    Command line: C:\ProgramData\test2\wwlib.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\ProgramData\test2\WINWORD.exe
    Command line: C:\ProgramData\test2\WINWORD.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\test2\WINWORD.exe
  Filesize: 142KB
  MD5: 4ff52e75438413467ddd272199e70366
  SHA1: b4f53f04321031ea927dbd4c52acaf3e5fc01b77
  SHA256: c756d4795d2a54189bc62af7df05dea22edf9c7e113550bac5e75cfdf4481306
  SHA512: 789040e729aae68d0d9ef42918c9b0d289b80a5942d766b40f3b4a6afd48896cc3dbc69b315aaf3419ec9c252212bac38596b66e3908377f7cf754d77cfd19fb
- C:\ProgramData\test2\wwlib.exe
  Filesize: 1.6MB
  MD5: 0c506cd4887583473cce3bb72614aa64
  SHA1: 7af74582a2b916855a5c6b49f32c9449dd06a614
  SHA256: beb1eda4c7c0ee27f1a17c8a4faae3dba515a45f6b4ef3b63079cc2de77b7112
  SHA512: 3368ac6c7caded66e0a0d6f7e2b163b2e83801108b15bcbadf641031dbdd4a7c304a890ce504d02afb1b02fd5d80fce7f4d5c0279819714ad439fdef66dbeaa7
- \ProgramData\test2\WINWORD.exe
  Filesize: 142KB
  MD5: 4ff52e75438413467ddd272199e70366
  SHA1: b4f53f04321031ea927dbd4c52acaf3e5fc01b77
  SHA256: c756d4795d2a54189bc62af7df05dea22edf9c7e113550bac5e75cfdf4481306
  SHA512: 789040e729aae68d0d9ef42918c9b0d289b80a5942d766b40f3b4a6afd48896cc3dbc69b315aaf3419ec9c252212bac38596b66e3908377f7cf754d77cfd19fb
- \ProgramData\test2\wwlib.exe
  Filesize: 1.6MB
  MD5: 0c506cd4887583473cce3bb72614aa64
  SHA1: 7af74582a2b916855a5c6b49f32c9449dd06a614
  SHA256: beb1eda4c7c0ee27f1a17c8a4faae3dba515a45f6b4ef3b63079cc2de77b7112
  SHA512: 3368ac6c7caded66e0a0d6f7e2b163b2e83801108b15bcbadf641031dbdd4a7c304a890ce504d02afb1b02fd5d80fce7f4d5c0279819714ad439fdef66dbeaa7
- memory/908-58-0x0000000075131000-0x0000000075133000-memory.dmp
  Filesize: 8KB
- memory/908-55-0x0000000000000000-mapping.dmp
- memory/908-66-0x0000000002240000-0x0000000002252000-memory.dmp
  Filesize: 72KB
- memory/1932-59-0x0000000000000000-mapping.dmp
- memory/1932-63-0x0000000001010000-0x000000000103A000-memory.dmp
  Filesize: 168KB
- memory/1932-64-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp
  Filesize: 8KB
- memory/1932-65-0x000000001B0B6000-0x000000001B0D5000-memory.dmp
  Filesize: 124KB