Overview
overview
10Static
static
71111111111...11.exe
windows7-x64
61111111111...11.exe
windows10-1703-x64
61111111111...11.exe
windows10-2004-x64
69VIcoCiitn.exe
windows7-x64
69VIcoCiitn.exe
windows10-1703-x64
69VIcoCiitn.exe
windows10-2004-x64
1Microsoft Windows.exe
windows7-x64
10Microsoft Windows.exe
windows10-1703-x64
10Microsoft Windows.exe
windows10-2004-x64
10New.exe
windows7-x64
7New.exe
windows10-1703-x64
7New.exe
windows10-2004-x64
7SBLlgcMqPg.exe
windows7-x64
10SBLlgcMqPg.exe
windows10-1703-x64
10SBLlgcMqPg.exe
windows10-2004-x64
10hh.chm
windows7-x64
10hh.chm
windows10-1703-x64
8hh.chm
windows10-2004-x64
8nY4Ke1JkQH.exe
windows7-x64
10nY4Ke1JkQH.exe
windows10-1703-x64
10nY4Ke1JkQH.exe
windows10-2004-x64
10qnr.dll
windows7-x64
3qnr.dll
windows10-1703-x64
3qnr.dll
windows10-2004-x64
3˫װ.exe
windows7-x64
7˫װ.exe
windows10-1703-x64
7˫װ.exe
windows10-2004-x64
7�...װ.exe
windows7-x64
7�...װ.exe
windows10-1703-x64
7�...װ.exe
windows10-2004-x64
7Analysis
-
max time kernel
181s -
max time network
303s -
platform
windows10-1703_x64 -
resource
win10-20230915-en -
resource tags
arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system -
submitted
01-10-2023 09:07
Behavioral task
behavioral1
Sample
1111111111111111111111.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
1111111111111111111111.exe
Resource
win10-20230915-en
Behavioral task
behavioral3
Sample
1111111111111111111111.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral4
Sample
9VIcoCiitn.exe
Resource
win7-20230831-en
Behavioral task
behavioral5
Sample
9VIcoCiitn.exe
Resource
win10-20230915-en
Behavioral task
behavioral6
Sample
9VIcoCiitn.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral7
Sample
Microsoft Windows.exe
Resource
win7-20230831-en
Behavioral task
behavioral8
Sample
Microsoft Windows.exe
Resource
win10-20230915-en
Behavioral task
behavioral9
Sample
Microsoft Windows.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral10
Sample
New.exe
Resource
win7-20230831-en
Behavioral task
behavioral11
Sample
New.exe
Resource
win10-20230915-en
Behavioral task
behavioral12
Sample
New.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral13
Sample
SBLlgcMqPg.exe
Resource
win7-20230831-en
Behavioral task
behavioral14
Sample
SBLlgcMqPg.exe
Resource
win10-20230915-en
Behavioral task
behavioral15
Sample
SBLlgcMqPg.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral16
Sample
hh.chm
Resource
win7-20230831-en
Behavioral task
behavioral17
Sample
hh.chm
Resource
win10-20230915-en
Behavioral task
behavioral18
Sample
hh.chm
Resource
win10v2004-20230915-en
Behavioral task
behavioral19
Sample
nY4Ke1JkQH.exe
Resource
win7-20230831-en
Behavioral task
behavioral20
Sample
nY4Ke1JkQH.exe
Resource
win10-20230915-en
Behavioral task
behavioral21
Sample
nY4Ke1JkQH.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral22
Sample
qnr.dll
Resource
win7-20230831-en
Behavioral task
behavioral23
Sample
qnr.dll
Resource
win10-20230915-en
Behavioral task
behavioral24
Sample
qnr.dll
Resource
win10v2004-20230915-en
Behavioral task
behavioral25
Sample
˫װ.exe
Resource
win7-20230831-en
Behavioral task
behavioral26
Sample
˫װ.exe
Resource
win10-20230915-en
Behavioral task
behavioral27
Sample
˫װ.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral28
Sample
ٷѰװ.exe
Resource
win7-20230831-en
Behavioral task
behavioral29
Sample
ٷѰװ.exe
Resource
win10-20230831-en
Behavioral task
behavioral30
Sample
ٷѰװ.exe
Resource
win10v2004-20230915-en
General
-
Target
nY4Ke1JkQH.exe
-
Size
214KB
-
MD5
415e87055596d88f1793be910abe60aa
-
SHA1
3182b59a3063df587987a6bc6f7e39c42c075e8f
-
SHA256
399e60f78e458f5e010da46a45c66ccf9b0fd30c128234a5dd9d9c9aa32ffa27
-
SHA512
4129ed2744ee101e22aefc63e495ddb2b877ae33d4d8aa957992bad9ea46896256c2272597e6c82d6ad94dc6dea24af0e3e706bdaa0b76d0e158b002597feda3
-
SSDEEP
3072:9kIcMtRin3zIf6naro5T6zaKPCbd5XX4E1Tgmn8Y5W646CN:9PPtRJ6NeKfocpnJ5W64
Malware Config
Extracted
gh0strat
154.221.25.208
Signatures
-
Gh0st RAT payload 2 IoCs
resource yara_rule behavioral20/memory/4692-28-0x0000000010000000-0x000000001000B000-memory.dmp family_gh0strat behavioral20/memory/4692-31-0x0000000000400000-0x0000000000413000-memory.dmp family_gh0strat -
Executes dropped EXE 1 IoCs
pid Process 4388 svchost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" nY4Ke1JkQH.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: aspnet_regiis.exe File opened (read-only) \??\T: aspnet_regiis.exe File opened (read-only) \??\X: aspnet_regiis.exe File opened (read-only) \??\B: aspnet_regiis.exe File opened (read-only) \??\E: aspnet_regiis.exe File opened (read-only) \??\G: aspnet_regiis.exe File opened (read-only) \??\H: aspnet_regiis.exe File opened (read-only) \??\J: aspnet_regiis.exe File opened (read-only) \??\Z: aspnet_regiis.exe File opened (read-only) \??\U: aspnet_regiis.exe File opened (read-only) \??\I: aspnet_regiis.exe File opened (read-only) \??\K: aspnet_regiis.exe File opened (read-only) \??\M: aspnet_regiis.exe File opened (read-only) \??\O: aspnet_regiis.exe File opened (read-only) \??\S: aspnet_regiis.exe File opened (read-only) \??\P: aspnet_regiis.exe File opened (read-only) \??\Q: aspnet_regiis.exe File opened (read-only) \??\L: aspnet_regiis.exe File opened (read-only) \??\R: aspnet_regiis.exe File opened (read-only) \??\V: aspnet_regiis.exe File opened (read-only) \??\W: aspnet_regiis.exe File opened (read-only) \??\Y: aspnet_regiis.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4388 set thread context of 4692 4388 svchost.exe 77 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 aspnet_regiis.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz aspnet_regiis.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2164 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2056 timeout.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4940 nY4Ke1JkQH.exe 4940 nY4Ke1JkQH.exe 4940 nY4Ke1JkQH.exe 4940 nY4Ke1JkQH.exe 4940 nY4Ke1JkQH.exe 4940 nY4Ke1JkQH.exe 4940 nY4Ke1JkQH.exe 4940 nY4Ke1JkQH.exe 4940 nY4Ke1JkQH.exe 4940 nY4Ke1JkQH.exe 4940 nY4Ke1JkQH.exe 4940 nY4Ke1JkQH.exe 4940 nY4Ke1JkQH.exe 4388 svchost.exe 4388 svchost.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe 4692 aspnet_regiis.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4940 nY4Ke1JkQH.exe Token: SeDebugPrivilege 4388 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4692 aspnet_regiis.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 4940 wrote to memory of 2724 4940 nY4Ke1JkQH.exe 69 PID 4940 wrote to memory of 2724 4940 nY4Ke1JkQH.exe 69 PID 4940 wrote to memory of 2724 4940 nY4Ke1JkQH.exe 69 PID 4940 wrote to memory of 4840 4940 nY4Ke1JkQH.exe 70 PID 4940 wrote to memory of 4840 4940 nY4Ke1JkQH.exe 70 PID 4940 wrote to memory of 4840 4940 nY4Ke1JkQH.exe 70 PID 4840 wrote to memory of 2056 4840 cmd.exe 73 PID 4840 wrote to memory of 2056 4840 cmd.exe 73 PID 4840 wrote to memory of 2056 4840 cmd.exe 73 PID 2724 wrote to memory of 2164 2724 cmd.exe 74 PID 2724 wrote to memory of 2164 2724 cmd.exe 74 PID 2724 wrote to memory of 2164 2724 cmd.exe 74 PID 4840 wrote to memory of 4388 4840 cmd.exe 75 PID 4840 wrote to memory of 4388 4840 cmd.exe 75 PID 4840 wrote to memory of 4388 4840 cmd.exe 75 PID 4388 wrote to memory of 404 4388 svchost.exe 76 PID 4388 wrote to memory of 404 4388 svchost.exe 76 PID 4388 wrote to memory of 4692 4388 svchost.exe 77 PID 4388 wrote to memory of 4692 4388 svchost.exe 77 PID 4388 wrote to memory of 4692 4388 svchost.exe 77 PID 4388 wrote to memory of 4692 4388 svchost.exe 77 PID 4388 wrote to memory of 4692 4388 svchost.exe 77 PID 4388 wrote to memory of 4692 4388 svchost.exe 77 PID 4388 wrote to memory of 4692 4388 svchost.exe 77 PID 4388 wrote to memory of 4692 4388 svchost.exe 77 PID 4388 wrote to memory of 4692 4388 svchost.exe 77
Processes
-
C:\Users\Admin\AppData\Local\Temp\nY4Ke1JkQH.exe"C:\Users\Admin\AppData\Local\Temp\nY4Ke1JkQH.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
PID:2164
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE975.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:2056
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"4⤵PID:404
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"4⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4692
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151B
MD5cc5d65641dde4b0d4b9ec19e47845a6c
SHA1f683f4d1af84eb267cff15a38a90696392cfd6bc
SHA25646b42182bdc14ab82a2186f9d035d2ddcee0444452de781e829b911a9efcbf2c
SHA512b218d9f28ded2c32f6ede97e3e8683a68b76e4eaeb8aa32da0ac92ea98f0baf49af36ff1b95c0ca30a1f4ff5a99f32cb688070facce360f0b92473a1f2a82136
-
Filesize
214KB
MD5415e87055596d88f1793be910abe60aa
SHA13182b59a3063df587987a6bc6f7e39c42c075e8f
SHA256399e60f78e458f5e010da46a45c66ccf9b0fd30c128234a5dd9d9c9aa32ffa27
SHA5124129ed2744ee101e22aefc63e495ddb2b877ae33d4d8aa957992bad9ea46896256c2272597e6c82d6ad94dc6dea24af0e3e706bdaa0b76d0e158b002597feda3
-
Filesize
214KB
MD5415e87055596d88f1793be910abe60aa
SHA13182b59a3063df587987a6bc6f7e39c42c075e8f
SHA256399e60f78e458f5e010da46a45c66ccf9b0fd30c128234a5dd9d9c9aa32ffa27
SHA5124129ed2744ee101e22aefc63e495ddb2b877ae33d4d8aa957992bad9ea46896256c2272597e6c82d6ad94dc6dea24af0e3e706bdaa0b76d0e158b002597feda3