Analysis
- max time kernel: 145s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-03-2023 15:49
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20230220-en
General
- Target: tmp.exe
- Size: 114KB
- MD5: f1ec2cf6256a7c8543586065a07da47a
- SHA1: 4b09ea264e9762305f30668fe2ce7fc7999adc2f
- SHA256: 8ad50e2cd339bb8033e62937f73308441bdbe8acf61ad9edd1489eb35f3a2895
- SHA512: faaa3483ebb0f02d1247788ec6cd41e83ecb3529ffb419b39d63b6068e1db388ffcce7557972f7349481462ffb3e4aba0a5991490163d4d84f84684dc5e3d78a
- SSDEEP: 3072:yyETbqC8r+DfEnMIXRyGcCHwuWWDPD6QbF6sRa:DEyifMXfcCQ+DOpC
Malware Config
Extracted
- Family: gh0strat
- C2: 81.68.216.37
Signatures
- Gh0st RAT payload 2 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/4508-134-0x0000000010000000-0x0000000010015000-memory.dmp | family_gh0strat
  behavioral2/memory/4508-151-0x0000000000400000-0x0000000000463000-memory.dmp | family_gh0strat
- UAC bypass 4 IoCs
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gbcsxuiqg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gbcsxuiqg.exe
- Windows security bypass 2 IoCs
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | gbcsxuiqg.exe
- Downloads MZ/PE file
- Executes dropped EXE 2 IoCs
  Processes:
  pid | process
  4516 | server.exe
  2828 | gbcsxuiqg.exe
- UPX packed file (yara rule upx) 2 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/4508-133-0x0000000000400000-0x0000000000463000-memory.dmp | upx
  behavioral2/memory/4508-151-0x0000000000400000-0x0000000000463000-memory.dmp | upx
- Windows security modification 2 IoCs
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | gbcsxuiqg.exe
- Adds Run key to start application 2 TTPs 2 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe" | tmp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gbcsxuiqg.exe = "C:\\Windows\\WindowsUpdate\\gbcsxuiqg.exe" | server.exe
- Checks whether UAC is enabled 2 IoCs
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gbcsxuiqg.exe
- Enumerates connected drives 3 TTPs 23 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) by tmp.exe, one IoC per drive letter (listed alphabetically; every letter except A:, C: and D:): \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- Drops file in Windows directory 4 IoCs
  Processes:
  description | ioc | process
  File created | C:\Windows\WindowsUpdate\.temp.fortest | server.exe
  File created | C:\Windows\WindowsUpdate\gbcsxuiqg.exe | server.exe
  File opened for modification | C:\Windows\WindowsUpdate\gbcsxuiqg.exe | server.exe
  File created | C:\Windows\WindowsUpdate\.temp.fortest | gbcsxuiqg.exe
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | tmp.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | tmp.exe
- Suspicious behavior: EnumeratesProcesses 6 IoCs
  Processes:
  pid | process
  4508 | tmp.exe (6 events)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
  description | pid | process
  Token: SeBackupPrivilege | 4516 | server.exe
  Token: SeBackupPrivilege | 2828 | gbcsxuiqg.exe
- Suspicious use of WriteProcessMemory 6 IoCs
  Processes:
  description | pid | process | target process
  PID 4508 wrote to memory of 4516 | 4508 | tmp.exe | server.exe (3 events)
  PID 4516 wrote to memory of 2828 | 4516 | server.exe | gbcsxuiqg.exe (3 events)
- System policy modification 1 TTPs 4 IoCs
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gbcsxuiqg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | server.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gbcsxuiqg.exe
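The registry IoCs in these signatures (EnableLUA and PromptOnSecureDesktop set to 0, the Security Center UACDisableNotify write, the two Run entries, and the drop into C:\Windows\WindowsUpdate) translate directly into host detection logic. The Python below is an added example, not part of the sandbox report or of any vendor's tooling: it normalizes kernel-style (\REGISTRY\MACHINE\...) and Sysmon-style (HKLM\...) key paths onto one form, strips the WOW6432Node redirection so the 32-bit and 64-bit writes of the same value hit one rule, and flags the UAC tampering, Run entries pointing into the user's Temp folder or the dropper's WindowsUpdate directory, and file creation in that directory. The sample events are constructed to mirror the report's IoCs; the Sysmon-style field names (EventID 13/11, Image, TargetObject, Details, TargetFilename) are an assumption, and the two benign control events are made up.

```python
import re

# Constructed sample events modelled on the IoCs in the report. The Sysmon-style
# field names are an assumption; the key paths, value data, file paths and
# process names come from the report. The last two events are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "TargetObject": "HKU\\S-1-5-21-2805025096-2326403612-4231045514-1000"
                     "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe"},
    {"EventID": 13, "Image": r"c:\server.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gbcsxuiqg.exe",
     "Details": r"C:\Windows\WindowsUpdate\gbcsxuiqg.exe"},
    {"EventID": 13, "Image": r"c:\server.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"c:\server.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\WindowsUpdate\gbcsxuiqg.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 11, "Image": r"c:\server.exe",
     "TargetFilename": r"C:\Windows\WindowsUpdate\gbcsxuiqg.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

POLICY_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\policies\\system\\"
SECURITY_CENTER_KEY = "hklm\\software\\microsoft\\security center\\"
RUN_KEY_FRAGMENT = "\\microsoft\\windows\\currentversion\\run\\"
# The report shows server.exe creating this directory itself; treat it as a drop location.
DROP_DIR = "\\windows\\windowsupdate\\"
SUSPICIOUS_RUN_DIRS = ("\\appdata\\local\\temp\\", DROP_DIR)


def normalize_key(path: str) -> str:
    """Lower-case the key, map \\REGISTRY\\MACHINE and \\REGISTRY\\USER onto the
    HKLM/HKU prefixes, and drop the WOW6432Node redirection so that the 32-bit
    and 64-bit views of one value compare equal."""
    p = path.lower()
    p = p.replace("\\registry\\machine\\", "hklm\\").replace("\\registry\\user\\", "hku\\")
    return p.replace("\\wow6432node\\", "\\")


def dword_value(details: str):
    """Parse Sysmon's 'DWORD (0x00000000)' rendering or a bare integer string."""
    m = re.fullmatch(r"dword \(0x([0-9a-f]{1,8})\)", details.strip().lower())
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def classify(event: dict) -> list:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    image = event["Image"].lower()
    if event["EventID"] == 11:  # file creation
        if DROP_DIR in event["TargetFilename"].lower():
            reasons.append("file dropped into " + DROP_DIR + " by " + event["Image"])
        return reasons
    if event["EventID"] != 13:  # only registry SetValue events from here on
        return reasons
    key = normalize_key(event["TargetObject"])
    details = event["Details"]
    value_name = key.rsplit("\\", 1)[1]
    # UAC tampering: the two policy values both payload processes set to 0.
    if key in (POLICY_KEY + "enablelua", POLICY_KEY + "promptonsecuredesktop") and dword_value(details) == 0:
        reasons.append("UAC policy disabled: " + value_name + "=0")
    # Security Center tampering from a process that is not a System32 binary.
    if key == SECURITY_CENTER_KEY + "uacdisablenotify" and not image.startswith("c:\\windows\\system32\\"):
        reasons.append("Security Center UACDisableNotify written by " + event["Image"])
    # Run-key persistence: empty value name, or a target inside a drop directory.
    if RUN_KEY_FRAGMENT in key:
        if value_name == "":
            reasons.append("Run entry with an empty value name")
        if any(d in details.lower() for d in SUSPICIOUS_RUN_DIRS):
            reasons.append("Run entry points into a dropper directory: " + details)
    return reasons


def scan(events: list) -> list:
    """One finding per flagged event, carrying the image, key/file and reasons."""
    findings = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings.append({"image": ev["Image"],
                             "target": ev.get("TargetObject", ev.get("TargetFilename")),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["image"], "->", finding["target"])
        for reason in finding["reasons"]:
            print("    ", reason)
```

Run against the constructed batch, the six events mirroring the report are flagged and the two controls are not. The WOW6432Node stripping matters here because the report shows the same UACDisableNotify and Run writes landing under the redirected 32-bit view; without it each value would need two rules.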
Processes
1. C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 4508)
   Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   - Adds Run key to start application
   - Enumerates connected drives
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. \??\c:\server.exe (PID 4516), child of tmp.exe
      Command line: c:\server.exe
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      3. C:\Windows\WindowsUpdate\gbcsxuiqg.exe (PID 2828), child of server.exe
         Command line: C:\Windows\WindowsUpdate\gbcsxuiqg.exe
         - UAC bypass
         - Windows security bypass
         - Executes dropped EXE
         - Windows security modification
         - Checks whether UAC is enabled
         - Drops file in Windows directory
         - Suspicious use of AdjustPrivilegeToken
         - System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\WindowsUpdate\gbcsxuiqg.exe
  Filesize: 45.1MB
  MD5: 777a0a9a6dedafb3c2605dfee2cd0482
  SHA1: 34b6087666d7ba4241c351e6957ff223b1e4eba2
  SHA256: 466d7f258f897f97a1a9f3d3d3d7588e6db3750ed6b6a04294b45dfa3cbc46f6
  SHA512: 9a46865921a2b5c1c074b7bd888703cd8654e4658b008a3531e9cfff0d7b1348b671bbb790e8fba782f6bbd4de4b764b5c79cd7931cc8b76fe0dd37ec9d77b5c
- C:\server.exe
  Filesize: 145KB
  MD5: faf3c47c4d784d20688a8cfd37198518
  SHA1: 70eec20185e813526fa9f08ae37f4b89e3b86907
  SHA256: ba99e2163f2a673708f5f6f4c8b6ba6e739ec852c25f239b10b1eefcc41d0022
  SHA512: 4e10590aad82ae1d99b9729e628a01cec9e6bbcf5b4852790d135c0fb2154503864a47dfe0a91e2f8f6880c1fcc8fe2a0676ba9a9d1d2e99554cd164c4b8b8c1
- \??\c:\server.exe (the same file as C:\server.exe, recorded under its NT path; identical hashes)
  Filesize: 145KB
  MD5: faf3c47c4d784d20688a8cfd37198518
  SHA1: 70eec20185e813526fa9f08ae37f4b89e3b86907
  SHA256: ba99e2163f2a673708f5f6f4c8b6ba6e739ec852c25f239b10b1eefcc41d0022
  SHA512: 4e10590aad82ae1d99b9729e628a01cec9e6bbcf5b4852790d135c0fb2154503864a47dfe0a91e2f8f6880c1fcc8fe2a0676ba9a9d1d2e99554cd164c4b8b8c1
- memory/4508-133-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
- memory/4508-134-0x0000000010000000-0x0000000010015000-memory.dmp
  Filesize: 84KB
- memory/4508-151-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB