Analysis
- max time kernel: 148s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 29-03-2023 06:44
- Static task: static1
- Behavioral task: behavioral1 (Sample: test.exe, Resource: win7-20230220-en)
General
- Target: test.exe
- Size: 36KB
- MD5: df8410184a39df8fe0bb38682632a28e
- SHA1: 566daf16f0ae29f27458e627232549f2d3b8e11d
- SHA256: 17eb7cf69711747cc912e9685f6c1e79846f030bd5fb4e854b6e3e9e715ab0de
- SHA512: 75c6a1187ac692d00331bf1205cdca31e0e06a7e5d50deea48967c7540de99bc5843d230fca485c37ce6c10e552a6625238a6f1bd8b5d153fd3850f329633774
- SSDEEP: 192:Y/l8yP7/73boE8jPJNJN1Rd/GO8LdubfXbLphoynfgH9teiDlFQ93M3pkR:8TLcPHJBIOvfZhWdteiD7QSc
Malware Config
Signatures
-
Gh0st RAT payload (1 IoC)
  yara rule family_gh0strat: behavioral1/memory/1944-113-0x0000000010000000-0x000000001017B000-memory.dmp
  The match is in the memory of cmd.exe (PID 1944), not in test.exe on disk. The RAT module only exists once LiveUpdate.exe has written it into the cmd.exe child, so scanning the 36KB sample alone will not trigger this rule; the memory dump is the artifact to hunt with.
Blocklisted process makes network request (1 IoC)
  flow 6: PID 1944 cmd.exe
  A cmd.exe process opening a network flow by itself (no child process doing the talking) is anomalous; here the flow belongs to the injected payload hosted in that cmd.exe.
Executes dropped EXE (2 IoCs)
  PID 1216 LiveUpdate.exe, PID 1484 LiveUpdate.exe (both C:\ProgramData\Thunder\LiveUpdate.exe)
Loads dropped DLL (1 IoC)
  PID 1308 test.exe
  The only dropped file with a .dll extension in this run is C:\ProgramData\SqlVersion.dll.
UPX-packed (yara rule upx, 12 IoCs)
  On disk: C:\ProgramData\Thunder\LiveUpdate.exe (matched 3 times)
  In memory: the 0x00400000-0x0053F000 image region of PID 1216 (dumps 79, 80, 85, 86, 88, 94) and of PID 1484 (dumps 90, 95, 110)
  The UPX layer is on the 470KB second stage, not on the 36KB sample; the memory dumps of that region are where an unpacked copy should be looked for.
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  PID 1944 cmd.exe opened (read-only) 23 drive roots: \??\B: and \??\E: through \??\Z: (B, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z)
Suspicious use of SetThreadContext (1 IoC)
  PID 1216 LiveUpdate.exe set thread context of PID 1944 cmd.exe
  Combined with the WriteProcessMemory calls from 1216 into 1944 and the Gh0st RAT yara hit in 1944's memory, this is the classic hollowing/thread-hijack pattern: the parent spawns a child, writes code into it, then re-points a thread at that code. The cmd.exe child is only a host for the injected payload.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That last sentence is the signature's generic description. No file encryption or ransom-note activity is recorded in this run; walking every drive root is also ordinary remote-file-manager behaviour for a RAT and should be read in that light here.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  PID 1944 cmd.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Suspicious behavior: EnumeratesProcesses (35 IoCs)
  PID 1308 test.exe (2), PID 1944 cmd.exe (33)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 1944 cmd.exe: Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege), Token: SeIncBasePriorityPrivilege
  Both are low-value privileges (working-set size and base priority), the kind a process enables before resizing its working set or raising its priority; on their own they are weak evidence. The signature fires on any AdjustTokenPrivileges call.
Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 1308 test.exe (1), PID 1216 LiveUpdate.exe (2), PID 1484 LiveUpdate.exe (2), PID 1944 cmd.exe (1)
Suspicious use of WriteProcessMemory (28 IoCs)
  PID 924 taskeng.exe wrote to memory of PID 1216 LiveUpdate.exe (7)
  PID 924 taskeng.exe wrote to memory of PID 1484 LiveUpdate.exe (7)
  PID 1216 LiveUpdate.exe wrote to memory of PID 1944 cmd.exe (10)
  PID 1484 LiveUpdate.exe wrote to memory of PID 1032 cmd.exe (4)
  The sandbox records a parent writing into every child it spawns, so the taskeng.exe entries are process creation, not injection. The 1216 -> 1944 pair is the one that also shows SetThreadContext and ends with a Gh0st RAT module in the target; the 1484 -> 1032 pair shows writes only and no family match in this run.
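Correlating the WriteProcessMemory and SetThreadContext signatures is the check a triage analyst wants automated rather than done by eye. The following Python is an added example, not part of this report or of any sandbox's own code. It parses IoC lines in the format the report uses (the input is constructed from this report's own tables), flags only the source/target pairs that show both memory writes and SetThreadContext, and reconstructs the parent chain to the flagged target from the write edges.

```python
import re

# Added example (not from the sandbox report). Input lines constructed from
# the report's WriteProcessMemory and SetThreadContext IoC tables.
SAMPLE_EVENTS = """\
PID 924 wrote to memory of 1216 924 taskeng.exe LiveUpdate.exe
PID 924 wrote to memory of 1216 924 taskeng.exe LiveUpdate.exe
PID 924 wrote to memory of 1484 924 taskeng.exe LiveUpdate.exe
PID 1216 wrote to memory of 1944 1216 LiveUpdate.exe cmd.exe
PID 1216 wrote to memory of 1944 1216 LiveUpdate.exe cmd.exe
PID 1216 set thread context of 1944 1216 LiveUpdate.exe cmd.exe
PID 1484 wrote to memory of 1032 1484 LiveUpdate.exe cmd.exe
"""

# "PID <src> <action> <dst> <src again> <src image> <dst image>"
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_name>\S+) (?P<dst_name>\S+)"
)


def parse_events(text):
    """Turn report-style IoC lines into (kind, src, dst, src_name, dst_name)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            kind = "write" if m.group("kind").startswith("wrote") else "setctx"
            events.append((kind, int(m.group("src")), int(m.group("dst")),
                           m.group("src_name"), m.group("dst_name")))
    return events


def summarize_pairs(events):
    """Aggregate per (src, dst): number of writes and whether a thread context was set."""
    pairs = {}
    for kind, src, dst, src_name, dst_name in events:
        rec = pairs.setdefault((src, dst), {"src_name": src_name, "dst_name": dst_name,
                                            "writes": 0, "setctx": False})
        if kind == "write":
            rec["writes"] += 1
        else:
            rec["setctx"] = True
    return pairs


def injection_candidates(events):
    """A parent writing into a child it just created is recorded for every spawn,
    so write count alone is noise (taskeng.exe has the most writes here).
    Writes plus SetThreadContext on the same target is the hollowing pattern."""
    return sorted((src, dst) for (src, dst), rec in summarize_pairs(events).items()
                  if rec["setctx"] and rec["writes"] > 0)


def chain_to(events, pid):
    """Walk write edges upward (first writer = parent) to rebuild the process chain."""
    parent, names = {}, {}
    for kind, src, dst, src_name, dst_name in events:
        if kind == "write":
            parent.setdefault(dst, src)
            names[src], names[dst] = src_name, dst_name
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [names[p] for p in reversed(chain)]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    for src, dst in injection_candidates(ev):
        print(f"injection candidate {src} -> {dst}: {' > '.join(chain_to(ev, dst))}")
```

On this report's data the only flagged pair is 1216 -> 1944 with chain taskeng.exe > LiveUpdate.exe > cmd.exe; the taskeng.exe pairs, despite having more writes, are not flagged because nothing set a thread context in them.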
Processes
- C:\Users\Admin\AppData\Local\Temp\test.exe  "C:\Users\Admin\AppData\Local\Temp\test.exe"  (PID 1308)
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskeng.exe  taskeng.exe {73D5DF3A-CE4E-4BE6-8D9E-2EC80FE4D335} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]  (PID 924)
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Thunder\LiveUpdate.exe  C:\ProgramData\Thunder\LiveUpdate.exe  (PID 1216)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe"  (PID 1944)
      - Blocklisted process makes network request
      - Enumerates connected drives
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  - C:\ProgramData\Thunder\LiveUpdate.exe  C:\ProgramData\Thunder\LiveUpdate.exe  (PID 1484)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe"  (PID 1032)

Two things in this tree matter for hunting. LiveUpdate.exe is not a child of test.exe but of taskeng.exe, the Task Scheduler engine running as the Admin user, so the dropped second stage was started from a scheduled task; the task's registration itself is not among the signatures captured above, so the task name is unknown from this report. cmd.exe was requested as C:\Windows\System32\cmd.exe but resolved to C:\Windows\SysWOW64\cmd.exe, which is WoW64 file-system redirection: LiveUpdate.exe is a 32-bit process, consistent with its 0x00400000 image base and the 0x10000000 module later found in the child.
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\1.txt (1.1MB)
  MD5: 99cb9755677981518e59ba049e4b2e5a
  SHA1: 35a7899576f5bb2f0a99ea69e03acd4f9b63f831
  SHA256: c6ae5b595850ec9d142f00843b63162fd4c5921038d0febe7b76a973f64493ba
  SHA512: 12ac1e3bd58ca92b6ab059c973607a93f22e21f098e0b6e20584dbf0a64085d1f278f6402144023b6c71b48bc2c8db2cf2f7052afc81b1570962ae81952b6b74
- C:\ProgramData\SqlVersion.dll (95KB; also recorded as \ProgramData\SqlVersion.dll with identical hashes)
  MD5: 87bf7ce55dba3a9339302fadb215c0a5
  SHA1: ce5905a284d0dc0984220fa0012107c7417fc491
  SHA256: 28d55c24d4aa08078bc8d3efcc656c7313fb62f883745e1bce8c3e25f5b59483
  SHA512: 29e2d7522dca4594d3753a235d34a72ec2c074747cc4e36a79112386fd417d3926c1bb40dbf04d7a9861139136c482cccff061d789081a102bbfa20efba273ed
- C:\ProgramData\Thunder\LiveUpdate.dat (36KB)
  MD5: f033471932cc558c5f7a25261967a97b
  SHA1: 8186d2f9ae0ea74f2214da3ad0a932e609f25052
  SHA256: 9ab9d6ed62410c38f7045e5fedb39457db70cbb47cf4d1293fa1ef7a24fea41e
  SHA512: 406665d8f77c810e9a19676416249b7159208935b541c9f4f21bec91f74093fa9b4d6acfe511c07d9496064e9e951259b8c98e163ce7c69eff492e307b3423ac
- C:\ProgramData\Thunder\LiveUpdate.exe (470KB; listed three times in the report with identical hashes; the UPX-packed second stage that the scheduled task runs as PIDs 1216 and 1484)
  MD5: 96e4b47a136910d6f588b40d872e7f9d
  SHA1: 0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e
  SHA256: f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b
  SHA512: 6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4
- C:\ProgramData\setting.ini (14B)
  MD5: 88cc3e3a35ac7a57a2d9b2632c7fc5f8
  SHA1: 67a04a547a9add726932e00447e1c6939f1639fb
  SHA256: 18739435f66131b1c596d73fada3d1219ea0a4f2d4ccee56573baef4161d5e43
  SHA512: 1c40fc3635b2117a1a970778a8dcc11ba97d77a34cbb43583a018e43c1648138a5f8aacaf4d1767deed0b0e39879476e0069a43506b93d19c4997a10b3060038
- C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_1\_TUProjDT.dat (4B; the _ir_tu2_temp_ directory pattern is characteristic of an Indigo Rose TrueUpdate runtime extracting its project data)
  MD5: bd74984124813a14a4b6794b4832c19d
  SHA1: 502ac30df476653c9c2189f97ade61919d132909
  SHA256: c5d16bf49dfcd5b00c03ee20672285b953eb064de2927cce8628a42899ba3b91
  SHA512: a9b757b43ac895e520087b28fc8fa7797b4dd29bd848b1159aed41cf065b10245e4ce055200e5cf3231f1558ed104735937de675aaacf7490dbc915d4d3d96eb

Six unique dropped files in total; the hashes above are the disk IOCs for this run, the C:\ProgramData\Thunder\ path is the persistence location.
- Memory dumps (same list, sizes computed from the dump ranges):
  - PID 1216 LiveUpdate.exe
    - 0x00400000-0x0053F000 (1.2MB): dumps 79, 80, 85, 86, 88, 94 (the UPX-packed image; yara rule upx)
    - 0x02070000-0x02079000 (36KB): dumps 87, 108
  - PID 1484 LiveUpdate.exe
    - 0x00400000-0x0053F000 (1.2MB): dumps 90, 95, 110 (yara rule upx)
  - PID 1944 cmd.exe
    - 0x00400000-0x00408000 (32KB): dumps 97, 99, 100, 101, 102, 104, 106, 109
    - 0x7EFDE000-0x7EFDF000 (4KB): dump 103
    - 0x10000000-0x1017B000 (1.5MB): dump 113 (yara rule family_gh0strat)

The dump worth pulling first is 1944-113: 0x10000000 is the default image base of a 32-bit DLL, and a 1.5MB module sitting there inside a cmd.exe that LiveUpdate.exe wrote into and re-pointed with SetThreadContext is the injected Gh0st RAT module itself, already unpacked. The 36KB region in PID 1216 has the same nominal size as both LiveUpdate.dat and test.exe; compare its dump against both before assuming which one it is.
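Sandbox reports like this one export the dropped-file list as flat text (a path immediately followed by "Filesize", then a rounded size, then hash lines with the algorithm name glued to the digest), and repeat the same file once per observation. The following Python is an added example, not code from this report or from the sandbox. It parses entries in exactly that flattened form (the input is constructed from a subset of this report's own Downloads entries, so it runs offline), validates digest lengths so a truncated copy is caught, and collapses duplicates by SHA-256 so each unique file carries every path it was seen at; memory-dump entries, which have no hashes, are kept apart.

```python
import re

# Added example (not from the sandbox report). Input constructed from entries
# copied out of this report's Downloads section; the same file appears twice.
SAMPLE_DOWNLOADS = r"""C:\ProgramData\SqlVersion.dllFilesize
95KB
MD587bf7ce55dba3a9339302fadb215c0a5
SHA1ce5905a284d0dc0984220fa0012107c7417fc491
SHA25628d55c24d4aa08078bc8d3efcc656c7313fb62f883745e1bce8c3e25f5b59483
SHA51229e2d7522dca4594d3753a235d34a72ec2c074747cc4e36a79112386fd417d3926c1bb40dbf04d7a9861139136c482cccff061d789081a102bbfa20efba273ed
-
C:\ProgramData\Thunder\LiveUpdate.exeFilesize
470KB
MD596e4b47a136910d6f588b40d872e7f9d
SHA10d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e
SHA256f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b
SHA5126776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4
-
C:\ProgramData\Thunder\LiveUpdate.exeFilesize
470KB
MD596e4b47a136910d6f588b40d872e7f9d
SHA10d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e
SHA256f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b
SHA5126776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4
-
\ProgramData\SqlVersion.dllFilesize
95KB
MD587bf7ce55dba3a9339302fadb215c0a5
SHA1ce5905a284d0dc0984220fa0012107c7417fc491
SHA25628d55c24d4aa08078bc8d3efcc656c7313fb62f883745e1bce8c3e25f5b59483
SHA51229e2d7522dca4594d3753a235d34a72ec2c074747cc4e36a79112386fd417d3926c1bb40dbf04d7a9861139136c482cccff061d789081a102bbfa20efba273ed
-
memory/1944-113-0x0000000010000000-0x000000001017B000-memory.dmpFilesize
1.5MB
"""

# Algorithm label is glued to the digest; SHA1 is tried before SHA256/SHA512 and
# the fixed digest lengths catch a truncated or mislabelled hash.
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """'1.5MB' -> 1572864; the report only shows rounded sizes."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNIT[m.group(2)])


def parse_downloads(text):
    """Split the flat list into dicts: path, size, hashes (memory dumps carry none)."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line == "-" or line.endswith("Filesize"):
            if cur:
                entries.append(cur)
            cur = None
            if line != "-":
                cur = {"path": line[:-len("Filesize")], "size": None, "hashes": {}}
        elif cur is not None and cur["size"] is None:
            cur["size"] = parse_size(line)
        else:
            m = HASH_RE.match(line)
            if cur is not None and m:
                algo, digest = m.group(1), m.group(2).lower()
                if len(digest) != HEX_LEN[algo]:
                    raise ValueError(f"{algo} for {cur['path']} has {len(digest)} hex chars")
                cur["hashes"][algo] = digest
    if cur:
        entries.append(cur)
    return entries


def unique_files(entries):
    """Collapse by SHA-256 so one file seen at several paths becomes one IOC.
    Returns (files_by_sha256, memory_dump_entries)."""
    files, dumps = {}, []
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha is None:
            dumps.append(e)
            continue
        rec = files.setdefault(sha, {"sha256": sha, "size": e["size"],
                                     "hashes": e["hashes"], "paths": []})
        if e["path"] not in rec["paths"]:
            rec["paths"].append(e["path"])
    return files, dumps


if __name__ == "__main__":
    files, dumps = unique_files(parse_downloads(SAMPLE_DOWNLOADS))
    for rec in files.values():
        print(rec["sha256"], rec["size"], " | ".join(rec["paths"]))
    print(f"{len(dumps)} memory dump entr(y/ies) without hashes")
```

Run on the full section of this report the same code yields six unique files, with LiveUpdate.exe's three listings and SqlVersion.dll's two path spellings each collapsing to one record; the SHA-256 keys are what go into a blocklist, the path lists into a file-system hunt.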