Analysis
-
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 26-03-2023 15:49
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
General
-
Target: tmp.exe
Size: 114KB
MD5: f1ec2cf6256a7c8543586065a07da47a
SHA1: 4b09ea264e9762305f30668fe2ce7fc7999adc2f
SHA256: 8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895
SHA512: faaa3483ebb0f02d1247788ec6cd41e83ecb3529ffb419b39d63b6068e1db388ffcce7557972f7349481462ffb3e4aba0a5991490163d4d84f84684dc5e3d78a
SSDEEP: 3072:yyETbqC8r+DfEnMIXRyGcCHwuWWDPD6QbF6sRa:DEyifMXfcCQ+DOpC
Malware Config
Extracted
gh0strat
81.68.216.37
Signatures
-
Gh0st RAT payload 4 IoCs
resource | yara_rule
behavioral1/memory/1388-54-0x0000000010000000-0x0000000010015000-memory.dmp | family_gh0strat
behavioral1/memory/1388-61-0x0000000000400000-0x0000000000463000-memory.dmp | family_gh0strat
behavioral1/memory/1848-68-0x0000000000400000-0x0000000000463000-memory.dmp | family_gh0strat
behavioral1/memory/1524-72-0x0000000000400000-0x0000000000463000-memory.dmp | family_gh0strat
-
UAC bypass
Processes: server.exe, ekzx.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ekzx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ekzx.exe
-
Windows security bypass
Processes: server.exe, ekzx.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | ekzx.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes: Kcyyqug.exe, Kcyyqug.exe, server.exe, ekzx.exe
pid | process
1848 | Kcyyqug.exe
1524 | Kcyyqug.exe
972 | server.exe
1576 | ekzx.exe
-
Loads dropped DLL 1 IoCs
Processes: server.exe
pid | process
972 | server.exe
-
YARA rule match: upx
resource | yara_rule
C:\Program Files (x86)\Kcyyqug.exe | upx
behavioral1/memory/1388-61-0x0000000000400000-0x0000000000463000-memory.dmp | upx
behavioral1/memory/1848-62-0x0000000000400000-0x0000000000463000-memory.dmp | upx
C:\Program Files (x86)\Kcyyqug.exe | upx
C:\Program Files (x86)\Kcyyqug.exe | upx
behavioral1/memory/1848-68-0x0000000000400000-0x0000000000463000-memory.dmp | upx
behavioral1/memory/1524-72-0x0000000000400000-0x0000000000463000-memory.dmp | upx
-
Windows security modification
Processes: server.exe, ekzx.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | ekzx.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: server.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ekzx.exe = "C:\\Windows\\WindowsUpdate\\ekzx.exe" | server.exe
-
Checks whether UAC is enabled
Processes: server.exe, ekzx.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ekzx.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: tmp.exe
File opened (read-only) by tmp.exe on each of: \??\J:, \??\W:, \??\X:, \??\E:, \??\K:, \??\M:, \??\P:, \??\R:, \??\T:, \??\V:, \??\Z:, \??\B:, \??\O:, \??\Q:, \??\Y:, \??\I:, \??\G:, \??\H:, \??\L:, \??\N:, \??\S:, \??\U:, \??\F:
-
Drops file in System32 directory 2 IoCs
Processes: Kcyyqug.exe, Kcyyqug.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | Kcyyqug.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | Kcyyqug.exe
-
Drops file in Program Files directory 2 IoCs
Processes: tmp.exe
description | ioc | process
File created | C:\Program Files (x86)\Kcyyqug.exe | tmp.exe
File opened for modification | C:\Program Files (x86)\Kcyyqug.exe | tmp.exe
-
Drops file in Windows directory 4 IoCs
Processes: server.exe, ekzx.exe
description | ioc | process
File created | C:\Windows\WindowsUpdate\.temp.fortest | server.exe
File created | C:\Windows\WindowsUpdate\ekzx.exe | server.exe
File opened for modification | C:\Windows\WindowsUpdate\ekzx.exe | server.exe
File created | C:\Windows\WindowsUpdate\.temp.fortest | ekzx.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: tmp.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | tmp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | tmp.exe
-
Modifies data under HKEY_USERS 25 IoCs
Processes: Kcyyqug.exe, Kcyyqug.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | Kcyyqug.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | Kcyyqug.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | Kcyyqug.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | Kcyyqug.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Kcyyqug.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | Kcyyqug.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Kcyyqug.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | Kcyyqug.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | Kcyyqug.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | Kcyyqug.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | Kcyyqug.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | Kcyyqug.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | Kcyyqug.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | Kcyyqug.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | Kcyyqug.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | Kcyyqug.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | Kcyyqug.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | Kcyyqug.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | Kcyyqug.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | Kcyyqug.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | Kcyyqug.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Kcyyqug.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | Kcyyqug.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | Kcyyqug.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | Kcyyqug.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: tmp.exe, Kcyyqug.exe, Kcyyqug.exe
pid | process
1388 | tmp.exe
1388 | tmp.exe
1848 | Kcyyqug.exe
1848 | Kcyyqug.exe
1524 | Kcyyqug.exe
1524 | Kcyyqug.exe
1388 | tmp.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: server.exe, ekzx.exe
description | pid | process
Token: SeBackupPrivilege | 972 | server.exe
Token: SeBackupPrivilege | 1576 | ekzx.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: Kcyyqug.exe, tmp.exe, server.exe
description | pid | process | target process
PID 1848 wrote to memory of 1524 | 1848 | Kcyyqug.exe | Kcyyqug.exe (logged 4 times)
PID 1388 wrote to memory of 972 | 1388 | tmp.exe | server.exe (logged 4 times)
PID 972 wrote to memory of 1576 | 972 | server.exe | ekzx.exe (logged 4 times)
-
System policy modification 1 TTPs 4 IoCs
Processes: server.exe, ekzx.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ekzx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ekzx.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
  Level 2: \??\c:\server.exe
  Command line: c:\server.exe
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
-
    Level 3: C:\Windows\WindowsUpdate\ekzx.exe
    Command line: C:\Windows\WindowsUpdate\ekzx.exe
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
-
Level 1: C:\Program Files (x86)\Kcyyqug.exe
Command line: "C:\Program Files (x86)\Kcyyqug.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
  Level 2: C:\Program Files (x86)\Kcyyqug.exe
  Command line: "C:\Program Files (x86)\Kcyyqug.exe" Win7
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Kcyyqug.exe
Filesize: 114KB
MD5: f1ec2cf6256a7c8543586065a07da47a
SHA1: 4b09ea264e9762305f30668fe2ce7fc7999adc2f
SHA256: 8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895
SHA512: faaa3483ebb0f02d1247788ec6cd41e83ecb3529ffb419b39d63b6068e1db388ffcce7557972f7349481462ffb3e4aba0a5991490163d4d84f84684dc5e3d78a
-
C:\Windows\WindowsUpdate\ekzx.exe
Filesize: 58.1MB
MD5: 6505aabf59a0d9bbe6f240c55f9f2f0f
SHA1: 157695c96fbea74822e35b89361c5f22359b072f
SHA256: 4daa949496af752c2cc42a221617624ee69d8e4c8a703aa886ab3eaf2e597ee6
SHA512: bb426d5f0a0f4e2b9c9e3f5326aa57ef9d36d1c695f1f0e3d00c8578f26888871c69966cf5d6e2d4baf0cccaaaa6df5e7788283dadaf500c7e7293719d810c9c
-
C:\server.exe
Filesize: 145KB
MD5: faf3c47c4d784d20688a8cfd37198518
SHA1: 70eec20185e813526fa9f08ae37f4b89e3b86907
SHA256: ba99e2163f2a673708f5f6f4c8b6ba6e739ec852c25f239b10b1eefcc41d0022
SHA512: 4e10590aad82ae1d99b9729e628a01cec9e6bbcf5b4852790d135c0fb2154503864a47dfe0a91e2f8f6880c1fcc8fe2a0676ba9a9d1d2e99554cd164c4b8b8c1
-
\??\c:\server.exe
Filesize: 145KB
MD5: faf3c47c4d784d20688a8cfd37198518
SHA1: 70eec20185e813526fa9f08ae37f4b89e3b86907
SHA256: ba99e2163f2a673708f5f6f4c8b6ba6e739ec852c25f239b10b1eefcc41d0022
SHA512: 4e10590aad82ae1d99b9729e628a01cec9e6bbcf5b4852790d135c0fb2154503864a47dfe0a91e2f8f6880c1fcc8fe2a0676ba9a9d1d2e99554cd164c4b8b8c1
-
\Windows\WindowsUpdate\ekzx.exe
Filesize: 58.1MB
MD5: 6505aabf59a0d9bbe6f240c55f9f2f0f
SHA1: 157695c96fbea74822e35b89361c5f22359b072f
SHA256: 4daa949496af752c2cc42a221617624ee69d8e4c8a703aa886ab3eaf2e597ee6
SHA512: bb426d5f0a0f4e2b9c9e3f5326aa57ef9d36d1c695f1f0e3d00c8578f26888871c69966cf5d6e2d4baf0cccaaaa6df5e7788283dadaf500c7e7293719d810c9c
-
memory/1388-61-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize: 396KB
-
memory/1388-54-0x0000000010000000-0x0000000010015000-memory.dmp
Filesize: 84KB
-
memory/1524-72-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize: 396KB
-
memory/1848-62-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize: 396KB
-
memory/1848-68-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize: 396KB