Analysis
-
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-03-2023 01:55
Behavioral task: behavioral1
Sample: f1ec2cf6256a7c8543586065a07da47a.exe
Resource: win7-20230220-en
General
-
Target: f1ec2cf6256a7c8543586065a07da47a.exe
Size: 114KB
MD5: f1ec2cf6256a7c8543586065a07da47a
SHA1: 4b09ea264e9762305f30668fe2ce7fc7999adc2f
SHA256: 8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895
SHA512: faaa3483ebb0f02d1247788ec6cd41e83ecb3529ffb419b39d63b6068e1db388ffcce7557972f7349481462ffb3e4aba0a5991490163d4d84f84684dc5e3d78a
SSDEEP: 3072:yyETbqC8r+DfEnMIXRyGcCHwuWWDPD6QbF6sRa:DEyifMXfcCQ+DOpC
Malware Config
-
Extracted: gh0strat, 81.68.216.37
Signatures
-
Gh0st RAT payload 2 IoCs
resource | yara_rule
behavioral2/memory/1280-134-0x0000000010000000-0x0000000010015000-memory.dmp | family_gh0strat
behavioral2/memory/1280-151-0x0000000000400000-0x0000000000463000-memory.dmp | family_gh0strat
-
Processes: server.exe, eomfc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eomfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | eomfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
-
Processes: eomfc.exe, server.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | eomfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | server.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes: server.exe, eomfc.exe
pid | process
2500 | server.exe
3252 | eomfc.exe
-
resource | yara_rule
behavioral2/memory/1280-133-0x0000000000400000-0x0000000000463000-memory.dmp | upx
behavioral2/memory/1280-151-0x0000000000400000-0x0000000000463000-memory.dmp | upx
-
Processes: server.exe, eomfc.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | eomfc.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: f1ec2cf6256a7c8543586065a07da47a.exe, server.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f1ec2cf6256a7c8543586065a07da47a.exe" | f1ec2cf6256a7c8543586065a07da47a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eomfc.exe = "C:\\Windows\\WindowsUpdate\\eomfc.exe" | server.exe
-
Processes: eomfc.exe, server.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eomfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: f1ec2cf6256a7c8543586065a07da47a.exe
description | ioc | process
File opened (read-only) | \??\T: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\H: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\L: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\N: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\Q: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\P: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\V: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\E: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\J: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\M: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\O: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\R: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\S: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\U: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\Y: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\B: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\F: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\G: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\K: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\Z: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\I: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\W: | f1ec2cf6256a7c8543586065a07da47a.exe
File opened (read-only) | \??\X: | f1ec2cf6256a7c8543586065a07da47a.exe
-
Drops file in Windows directory 4 IoCs
Processes: server.exe, eomfc.exe
description | ioc | process
File created | C:\Windows\WindowsUpdate\.temp.fortest | server.exe
File created | C:\Windows\WindowsUpdate\eomfc.exe | server.exe
File opened for modification | C:\Windows\WindowsUpdate\eomfc.exe | server.exe
File created | C:\Windows\WindowsUpdate\.temp.fortest | eomfc.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: f1ec2cf6256a7c8543586065a07da47a.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f1ec2cf6256a7c8543586065a07da47a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | f1ec2cf6256a7c8543586065a07da47a.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: f1ec2cf6256a7c8543586065a07da47a.exe
pid | process
1280 | f1ec2cf6256a7c8543586065a07da47a.exe
1280 | f1ec2cf6256a7c8543586065a07da47a.exe
1280 | f1ec2cf6256a7c8543586065a07da47a.exe
1280 | f1ec2cf6256a7c8543586065a07da47a.exe
1280 | f1ec2cf6256a7c8543586065a07da47a.exe
1280 | f1ec2cf6256a7c8543586065a07da47a.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: server.exe, eomfc.exe
description | pid | process
Token: SeBackupPrivilege | 2500 | server.exe
Token: SeBackupPrivilege | 3252 | eomfc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: f1ec2cf6256a7c8543586065a07da47a.exe, server.exe
description | pid | process | target process
PID 1280 wrote to memory of 2500 | 1280 | f1ec2cf6256a7c8543586065a07da47a.exe | server.exe
PID 1280 wrote to memory of 2500 | 1280 | f1ec2cf6256a7c8543586065a07da47a.exe | server.exe
PID 1280 wrote to memory of 2500 | 1280 | f1ec2cf6256a7c8543586065a07da47a.exe | server.exe
PID 2500 wrote to memory of 3252 | 2500 | server.exe | eomfc.exe
PID 2500 wrote to memory of 3252 | 2500 | server.exe | eomfc.exe
PID 2500 wrote to memory of 3252 | 2500 | server.exe | eomfc.exe
-
System policy modification 1 TTPs 4 IoCs
Processes: eomfc.exe, server.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | eomfc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eomfc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1ec2cf6256a7c8543586065a07da47a.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\f1ec2cf6256a7c8543586065a07da47a.exe"
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
\??\c:\server.exe (depth 2)
Command line: c:\server.exe
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\WindowsUpdate\eomfc.exe (depth 3)
Command line: C:\Windows\WindowsUpdate\eomfc.exe
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- System policy modification
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\WindowsUpdate\eomfc.exe
Filesize: 34.1MB
MD5: 3d0154c2ab464d4dec7d73d4088f7e7c
SHA1: 66ebaef96fee703d77c8e126c76ddfe23e8a84bc
SHA256: 0896508122226acb0073d015aaba182c78fe8c06fd22d654103e1c00ef8cada3
SHA512: 17e407c3290967a5b6c3b73ff75aba54309437fb9500d68f6c0f3e6764235b59592e6c6dffe7e5e6df38727ed6d622772688af2dc5e347350e03055f5597b25a
-
C:\server.exe
Filesize: 145KB
MD5: faf3c47c4d784d20688a8cfd37198518
SHA1: 70eec20185e813526fa9f08ae37f4b89e3b86907
SHA256: ba99e2163f2a673708f5f6f4c8b6ba6e739ec852c25f239b10b1eefcc41d0022
SHA512: 4e10590aad82ae1d99b9729e628a01cec9e6bbcf5b4852790d135c0fb2154503864a47dfe0a91e2f8f6880c1fcc8fe2a0676ba9a9d1d2e99554cd164c4b8b8c1
-
\??\c:\server.exe
Filesize: 145KB
MD5: faf3c47c4d784d20688a8cfd37198518
SHA1: 70eec20185e813526fa9f08ae37f4b89e3b86907
SHA256: ba99e2163f2a673708f5f6f4c8b6ba6e739ec852c25f239b10b1eefcc41d0022
SHA512: 4e10590aad82ae1d99b9729e628a01cec9e6bbcf5b4852790d135c0fb2154503864a47dfe0a91e2f8f6880c1fcc8fe2a0676ba9a9d1d2e99554cd164c4b8b8c1
-
memory/1280-133-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize: 396KB
-
memory/1280-134-0x0000000010000000-0x0000000010015000-memory.dmp
Filesize: 84KB
-
memory/1280-151-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize: 396KB