Analysis
- max time kernel: 150s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 24-03-2023 05:16
Behavioral task behavioral1
- Sample: 3ff09c343d8a50e9c9bb1332bf21998a.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: 3ff09c343d8a50e9c9bb1332bf21998a.exe
- Resource: win10v2004-20230221-en
General
- Target: 3ff09c343d8a50e9c9bb1332bf21998a.exe
- Size: 124KB
- MD5: 3ff09c343d8a50e9c9bb1332bf21998a
- SHA1: 1406b01f0d4a258ff883978104903cbc4941cfe8
- SHA256: 4b74fbd877b7e3e1e325df75ddd3cfece7404a4104a646a65a1a4b7614f9478c
- SHA512: 79200774264254c770cf7b4f8878d558abb6d0dcb31a39b9cfe29620e04afb055f91f6d7c9dbd7df3affa8352794d22f6780046fb2522d0b6f95e3947bb8b28e
- SSDEEP: 3072:PZ8FyFwFD6HDIgRAD+rG8RsaESUjx/kKYjzt:PZ8IFjHm4G0JGjxstjZ
Malware Config
Signatures
-
- Gh0st RAT payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1064-56-0x0000000000400000-0x0000000000421000-memory.dmp | family_gh0strat
  \??\c:\windows\SysWOW64\service.dll | family_gh0strat
  \Windows\SysWOW64\Service.dll | family_gh0strat
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Process: 3ff09c343d8a50e9c9bb1332bf21998a.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Microsoft MR\Parameters\ServiceDll = "C:\\Windows\\system32\\Service.dll"
  Note: the registered path names system32, while the file is actually written to SysWOW64 (see "Drops file in System32 directory" below). The dropper is a 32-bit process on an x64 image, so WOW64 file-system redirection maps its writes under C:\Windows\system32 onto C:\Windows\SysWOW64; the 32-bit C:\Windows\SysWOW64\svchost.exe that later hosts the service resolves the registered path under the same redirection, so the two locations agree at load time. Hunting on the registry value alone, or on the System32 path alone, misses the file.
- Deletes itself (1 IoC)
  Process: svchost.exe (PID 1996)
- Loads dropped DLL (1 IoC)
  Process: svchost.exe (PID 1996)
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: svchost.exe
  File opened (read-only) on the root of every drive letter except A:, C: and D:, in the order logged: B:, U:, V:, Y:, Z:, X:, F:, L:, M:, N:, R:, W:, E:, G:, H:, J:, O:, P:, I:, K:, Q:, S:, T: (23 opens)
- Drops file in System32 directory (1 IoC)
  Process: 3ff09c343d8a50e9c9bb1332bf21998a.exe
  File created C:\Windows\SysWOW64\Service.dll
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: svchost.exe
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  Process: svchost.exe (PID 1996), 23 process-enumeration events
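The two dropper signatures above ("Sets DLL path for service in the registry" and "Drops file in System32 directory") only become a convincing finding when they are correlated: the same process wrote a ServiceDll value and created a file at that path's WOW64-redirected location. The following Python is an added example, not part of this report or the sandbox's tooling. It parses event lines in the shape the report prints, skips ServiceDll writes by an assumed baseline of trusted writers, and ties each remaining registration to a file the same process created at the registered path or its SysWOW64 sibling. The first two sample lines are transcribed from this report; the benign control lines, the TRUSTED_WRITERS baseline and all function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Event lines in the shape of the "Signatures" section above. The first two are
# transcribed from this report; the last two are constructed benign controls.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Microsoft MR\Parameters\ServiceDll = "C:\\Windows\\system32\\Service.dll" 3ff09c343d8a50e9c9bb1332bf21998a.exe',
    r'File created C:\Windows\SysWOW64\Service.dll 3ff09c343d8a50e9c9bb1332bf21998a.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ServiceDll = "%SystemRoot%\\System32\\dnsrslvr.dll" services.exe',
    r'File created C:\Users\Admin\AppData\Local\Temp\notes.txt notepad.exe',
]

# Assumed baseline of processes that legitimately register ServiceDll values;
# tune per estate (installers and servicing stack components vary).
TRUSTED_WRITERS = {"services.exe", "svchost.exe", "msiexec.exe", "tiworker.exe"}

SERVICEDLL_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\services\\(?P<service>.+?)\\Parameters\\ServiceDll'
    r' = "(?P<value>.*)" (?P<process>\S+)$'
)
FILE_CREATED_RE = re.compile(r'^File created (?P<path>.+?) (?P<process>\S+)$')

SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"


def normalize(path: str) -> str:
    """Undo the report's doubled backslashes, expand %SystemRoot%, lower-case."""
    p = path.replace("\\\\", "\\")
    p = re.sub(r"%systemroot%", lambda _: "C:\\Windows", p, flags=re.IGNORECASE)
    return p.lower()


def wow64_redirect(path: str) -> str:
    """Where a 32-bit process on x64 really writes when it targets System32."""
    return SYSWOW64 + path[len(SYSTEM32):] if path.startswith(SYSTEM32) else path


@dataclass
class Finding:
    service: str
    service_dll: str             # normalized value written to ServiceDll
    writer: str                  # process that set the value
    dropped_path: Optional[str]  # file the same process created at that (redirected) path


def hunt_service_dll(events: List[str]) -> List[Finding]:
    """Flag ServiceDll registrations by non-baseline processes and tie them to dropped files."""
    created: Dict[Tuple[str, str], str] = {}   # (writer, normalized path) -> path as logged
    registrations = []
    for line in events:
        m = FILE_CREATED_RE.match(line)
        if m:
            created[(m["process"].lower(), normalize(m["path"]))] = m["path"]
            continue
        m = SERVICEDLL_RE.match(line)
        if m:
            registrations.append(m)

    findings: List[Finding] = []
    for m in registrations:
        writer = m["process"]
        if writer.lower() in TRUSTED_WRITERS:
            continue
        dll = normalize(m["value"])
        dropped = None
        # Check the literal path and the WOW64-redirected path the dropper actually hit.
        for candidate in (dll, wow64_redirect(dll)):
            dropped = created.get((writer.lower(), candidate), dropped)
        findings.append(Finding(m["service"], dll, writer, dropped))
    return findings


if __name__ == "__main__":
    for f in hunt_service_dll(SAMPLE_EVENTS):
        print(f"[!] service {f.service!r}: ServiceDll={f.service_dll} set by {f.writer}; "
              f"dropped file: {f.dropped_path}")
```

Run against the sample lines, the Dnscache registration by services.exe is ignored and the "Microsoft MR" registration is reported together with C:\Windows\SysWOW64\Service.dll as the dropped file, which is exactly the pairing the two signatures describe. A registration with no matching dropped file is still emitted, since a DLL staged earlier by another process is the more evasive variant.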
Processes
- C:\Users\Admin\AppData\Local\Temp\3ff09c343d8a50e9c9bb1332bf21998a.exe (PID 1064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ff09c343d8a50e9c9bb1332bf21998a.exe"
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
- C:\Windows\SysWOW64\svchost.exe (PID 1996)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Deletes itself
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- \??\c:\windows\SysWOW64\service.dll
  Filesize: 117KB
  MD5: b220c41bba7822a4355a09fde5e27e02
  SHA1: 18861a2312c70e963e7fddcac5fb1ad87ccba862
  SHA256: 4d5a3111ac3fae026fc2f7a77a176c45047ce3807fbf5e3d42c2c73398123ae6
  SHA512: 441794444e42c9b824b3ccc52d529315c91034738649039fa6a95a9be25ac558cd08b62810d79bf3829d728df2073adf7246d84247231241e56e2beda2c62526
- \Windows\SysWOW64\Service.dll (same file as above, identical hashes)
  Filesize: 117KB
  MD5: b220c41bba7822a4355a09fde5e27e02
  SHA1: 18861a2312c70e963e7fddcac5fb1ad87ccba862
  SHA256: 4d5a3111ac3fae026fc2f7a77a176c45047ce3807fbf5e3d42c2c73398123ae6
  SHA512: 441794444e42c9b824b3ccc52d529315c91034738649039fa6a95a9be25ac558cd08b62810d79bf3829d728df2073adf7246d84247231241e56e2beda2c62526
- memory/1064-56-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB