Analysis
- max time kernel: 101s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 01-04-2023 19:11
Behavioral task
- behavioral1
- Sample: 0.exe
- Resource: win7-20230220-en
General
- Target: 0.exe
- Size: 71KB
- MD5: 2a9d0d06d292a4cbbe4a95da4650ed54
- SHA1: 44c32dfae9ac971c3651adbd82c821971a5400dc
- SHA256: 09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c
- SHA512: ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d
- SSDEEP: 1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e
Malware Config
Signatures
- Gh0st RAT payload 3 IoCs
  Processes:
  resource | yara_rule
  C:\Windows\FileName.jpg | family_gh0strat
  \??\c:\windows\filename.jpg | family_gh0strat
  C:\1924200.dll | family_gh0strat
- Deletes itself 1 IoCs
  Processes:
  pid | process
  1732 | svchost.exe
- Drops file in Windows directory 2 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\FileName.jpg | 0.exe
  File created | C:\Windows\FileName.jpg | 0.exe
- Suspicious behavior: EnumeratesProcesses 36 IoCs
  Processes:
  pid | process
  1732 | svchost.exe (this entry is listed 36 times in the report)
- Suspicious use of AdjustPrivilegeToken 8 IoCs
  Processes:
  description | pid | process
  Token: SeBackupPrivilege | 2036 | 0.exe
  Token: SeRestorePrivilege | 2036 | 0.exe
  (the SeBackupPrivilege / SeRestorePrivilege pair is listed 4 times, 8 entries in total)
Processes
- C:\Users\Admin\AppData\Local\Temp\0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- C:\1924200.dll
  Filesize: 64KB
  MD5: 45dc749351fd65d71da89ca2ed2766cb
  SHA1: e080faf81157b7f867cb56938c5e579c206af9b9
  SHA256: 391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25
  SHA512: 7e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74
- C:\Windows\FileName.jpg
  Filesize: 14.0MB
  MD5: d959bf2879b9999c057b24c2b20293e9
  SHA1: 98f00d390cab3e7e3823e346f9ad17e4be63d141
  SHA256: 9b69c0324eb97ad9a45040b1251698e3d80f0e353083495b317a00c4b4c4189e
  SHA512: 3ebd6a9e37c5e41bd243ca77a041fee5a1a766cc4972e08d16a4e3231c9e83e699c47e63f1f40a93f084b122cbd7702cdb9b278d0f1f0dc5ca048bef4e7a925a
- \??\c:\NT_Path.jpg
  Filesize: 54B
  MD5: 695206fcaf9e8eaa2cbca85d6f7147cd
  SHA1: cee592bbc57efdc3a6f5a126e3eb2e1eb3975c98
  SHA256: d26f765a668b8bb4e04337f9ce97b5ff3b7a998e20193dc7733a69e84fa7c68f
  SHA512: 6e8e877db43393d524ea7167906913a747dea98ce95b50d75b09402f118817135403be7eb404a311a4acb801f2e06070adbd659979d034710fd3360b1a8e3eb6
- \??\c:\windows\filename.jpg
  Filesize: 14.0MB
  MD5: d959bf2879b9999c057b24c2b20293e9
  SHA1: 98f00d390cab3e7e3823e346f9ad17e4be63d141
  SHA256: 9b69c0324eb97ad9a45040b1251698e3d80f0e353083495b317a00c4b4c4189e
  SHA512: 3ebd6a9e37c5e41bd243ca77a041fee5a1a766cc4972e08d16a4e3231c9e83e699c47e63f1f40a93f084b122cbd7702cdb9b278d0f1f0dc5ca048bef4e7a925a