Analysis
-
max time kernel
123s
-
max time network
142s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
23-03-2023 07:52
Static task
static1
Behavioral task
behavioral1
Sample
ӷƱ (03).exe
Resource
win7-20230220-en
General
-
Target
ӷƱ (03).exe
-
Size
36KB
-
MD5
bf0a28efc4c32b857332250dbb1d132a
-
SHA1
61039a5ec49b283775a232cb9c23ead25ca4d8d9
-
SHA256
0525947d2063f56a8288dd3d54210fc49a3a615c338c4bd7260731649f9b7e5b
-
SHA512
8ba699251c9a037d723b89b6edf57b1da0982e860983be4f340bd789214aff6ee98637999864641b281f9570ba3d60362c74c2ba151a1f3deb08cc9f84a7f6f0
-
SSDEEP
192:tXU60V/WmoI+af4R9JNRcJLef3Rmtj0IRmtSgUoynSYgH9L1nnCQBRmlFQ93M3pc:tk60V/wI4PJhGYSGS1EtdLVC+w7QSc
Malware Config
Signatures
-
Gh0st RAT payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4756-170-0x0000000010000000-0x000000001017B000-memory.dmp | family_gh0strat
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
27 | 4756 | cmd.exe
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource | yara_rule
C:\ProgramData\SqlVersion.dll | acprotect
C:\ProgramData\SqlVersion.dll | acprotect
Executes dropped EXE 1 IoCs
Processes:
pid | process
3696 | LiveUpdate.exe
Loads dropped DLL 1 IoCs
Processes:
pid | process
4360 | ӷƱ (03).exe
UPX packed file 7 IoCs
Processes:
resource | yara_rule
C:\ProgramData\SqlVersion.dll | upx
C:\ProgramData\SqlVersion.dll | upx
C:\ProgramData\Thunder\LiveUpdate.exe | upx
behavioral2/memory/4360-158-0x00000000738E0000-0x00000000739D0000-memory.dmp | upx
behavioral2/memory/3696-163-0x0000000000400000-0x000000000053F000-memory.dmp | upx
behavioral2/memory/3696-189-0x0000000000400000-0x000000000053F000-memory.dmp | upx
behavioral2/memory/3696-198-0x0000000000400000-0x000000000053F000-memory.dmp | upx
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\I: | cmd.exe
File opened (read-only) | \??\L: | cmd.exe
File opened (read-only) | \??\Q: | cmd.exe
File opened (read-only) | \??\S: | cmd.exe
File opened (read-only) | \??\T: | cmd.exe
File opened (read-only) | \??\E: | cmd.exe
File opened (read-only) | \??\J: | cmd.exe
File opened (read-only) | \??\K: | cmd.exe
File opened (read-only) | \??\N: | cmd.exe
File opened (read-only) | \??\O: | cmd.exe
File opened (read-only) | \??\X: | cmd.exe
File opened (read-only) | \??\B: | cmd.exe
File opened (read-only) | \??\H: | cmd.exe
File opened (read-only) | \??\P: | cmd.exe
File opened (read-only) | \??\W: | cmd.exe
File opened (read-only) | \??\Y: | cmd.exe
File opened (read-only) | \??\V: | cmd.exe
File opened (read-only) | \??\Z: | cmd.exe
File opened (read-only) | \??\F: | cmd.exe
File opened (read-only) | \??\G: | cmd.exe
File opened (read-only) | \??\M: | cmd.exe
File opened (read-only) | \??\R: | cmd.exe
File opened (read-only) | \??\U: | cmd.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3696 set thread context of 4756 | 3696 | LiveUpdate.exe | cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | cmd.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4360 | ӷƱ (03).exe
4756 | cmd.exe
(64 entries in total: 6 for PID 4360, the remainder for PID 4756)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: 33 | 4756 | cmd.exe
Token: SeIncBasePriorityPrivilege | 4756 | cmd.exe
Token: 33 | 4756 | cmd.exe
Token: SeIncBasePriorityPrivilege | 4756 | cmd.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
4360 | ӷƱ (03).exe
4360 | ӷƱ (03).exe
3696 | LiveUpdate.exe
3696 | LiveUpdate.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 3696 wrote to memory of 4756 | 3696 | LiveUpdate.exe | cmd.exe
(this entry is recorded 9 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\ӷƱ (03).exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ӷƱ (03).exe"
Depth: 1
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4360
-
C:\ProgramData\Thunder\LiveUpdate.exe
Command line: C:\ProgramData\Thunder\LiveUpdate.exe
Depth: 1
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe"
Depth: 2 (child of LiveUpdate.exe, PID 3696)
- Blocklisted process makes network request
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\1.txt
Filesize
1.1MB
MD5
99cb9755677981518e59ba049e4b2e5a
SHA1
35a7899576f5bb2f0a99ea69e03acd4f9b63f831
SHA256
c6ae5b595850ec9d142f00843b63162fd4c5921038d0febe7b76a973f64493ba
SHA512
12ac1e3bd58ca92b6ab059c973607a93f22e21f098e0b6e20584dbf0a64085d1f278f6402144023b6c71b48bc2c8db2cf2f7052afc81b1570962ae81952b6b74
-
C:\ProgramData\SqlVersion.dll
Filesize
173KB
MD5
193abd962e6d777ca12b3d238ab986b3
SHA1
0e9975cd70583ddb0a56b06d0cfaf2b3d87b772f
SHA256
aeb10015a45bd06af3cafd82bd85ed3098a538ccbbb10a798145b677b45f7eda
SHA512
077a738f09d3f8497630c4fa722dd7cae405cc47f1b1338cdef0d65c5f1e4f79062e30ecbcb79813280037f764f006037dbcb51b688e678de3dd96db590e24b0
-
C:\ProgramData\Thunder\LiveUpdate.dat
Filesize
29KB
MD5
0548ecfa93438e3126129b52c8aec910
SHA1
2bc74dc6ac92a8b92da0b90a92225304d1addd0b
SHA256
0951a0e07f3bf8fd0b2bc2bb84f2f9cb462b9e348eebc98e2b6de74c58eb13f8
SHA512
2fc3843c17ebfac7a420e7c75a68c6add88e53e137a9fdc3cc43dc0e1fb9dc5427890b7f1779853411e8c3d35fc6c0cfe29959220d11692ef69435905c229a56
-
C:\ProgramData\Thunder\LiveUpdate.exe
Filesize
470KB
MD5
96e4b47a136910d6f588b40d872e7f9d
SHA1
0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e
SHA256
f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b
SHA512
6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4
-
C:\ProgramData\setting.ini
Filesize
14B
MD5
88cc3e3a35ac7a57a2d9b2632c7fc5f8
SHA1
67a04a547a9add726932e00447e1c6939f1639fb
SHA256
18739435f66131b1c596d73fada3d1219ea0a4f2d4ccee56573baef4161d5e43
SHA512
1c40fc3635b2117a1a970778a8dcc11ba97d77a34cbb43583a018e43c1648138a5f8aacaf4d1767deed0b0e39879476e0069a43506b93d19c4997a10b3060038
-
memory/3696-164-0x0000000002CE0000-0x0000000002CE7000-memory.dmp
Filesize
28KB
-
memory/3696-166-0x0000000002CE0000-0x0000000002CE7000-memory.dmp
Filesize
28KB
-
memory/3696-163-0x0000000000400000-0x000000000053F000-memory.dmp
Filesize
1.2MB
-
memory/3696-189-0x0000000000400000-0x000000000053F000-memory.dmp
Filesize
1.2MB
-
memory/3696-198-0x0000000000400000-0x000000000053F000-memory.dmp
Filesize
1.2MB
-
memory/4360-158-0x00000000738E0000-0x00000000739D0000-memory.dmp
Filesize
960KB
-
memory/4756-165-0x0000000000400000-0x0000000000406000-memory.dmp
Filesize
24KB
-
memory/4756-168-0x0000000000400000-0x0000000000406000-memory.dmp
Filesize
24KB
-
memory/4756-170-0x0000000010000000-0x000000001017B000-memory.dmp
Filesize
1.5MB
-
memory/4756-187-0x0000000000400000-0x0000000000406000-memory.dmp
Filesize
24KB