Overview
overview
10Static
static
71111111111...11.exe
windows7-x64
61111111111...11.exe
windows10-1703-x64
61111111111...11.exe
windows10-2004-x64
69VIcoCiitn.exe
windows7-x64
69VIcoCiitn.exe
windows10-1703-x64
69VIcoCiitn.exe
windows10-2004-x64
1Microsoft Windows.exe
windows7-x64
10Microsoft Windows.exe
windows10-1703-x64
10Microsoft Windows.exe
windows10-2004-x64
10New.exe
windows7-x64
7New.exe
windows10-1703-x64
7New.exe
windows10-2004-x64
7SBLlgcMqPg.exe
windows7-x64
10SBLlgcMqPg.exe
windows10-1703-x64
10SBLlgcMqPg.exe
windows10-2004-x64
10hh.chm
windows7-x64
10hh.chm
windows10-1703-x64
8hh.chm
windows10-2004-x64
8nY4Ke1JkQH.exe
windows7-x64
10nY4Ke1JkQH.exe
windows10-1703-x64
10nY4Ke1JkQH.exe
windows10-2004-x64
10qnr.dll
windows7-x64
3qnr.dll
windows10-1703-x64
3qnr.dll
windows10-2004-x64
3˫װ.exe
windows7-x64
7˫װ.exe
windows10-1703-x64
7˫װ.exe
windows10-2004-x64
7�...װ.exe
windows7-x64
7�...װ.exe
windows10-1703-x64
7�...װ.exe
windows10-2004-x64
7Analysis
-
max time kernel
150s -
max time network
319s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
01-10-2023 09:07
Behavioral task
behavioral1
Sample
1111111111111111111111.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
1111111111111111111111.exe
Resource
win10-20230915-en
Behavioral task
behavioral3
Sample
1111111111111111111111.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral4
Sample
9VIcoCiitn.exe
Resource
win7-20230831-en
Behavioral task
behavioral5
Sample
9VIcoCiitn.exe
Resource
win10-20230915-en
Behavioral task
behavioral6
Sample
9VIcoCiitn.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral7
Sample
Microsoft Windows.exe
Resource
win7-20230831-en
Behavioral task
behavioral8
Sample
Microsoft Windows.exe
Resource
win10-20230915-en
Behavioral task
behavioral9
Sample
Microsoft Windows.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral10
Sample
New.exe
Resource
win7-20230831-en
Behavioral task
behavioral11
Sample
New.exe
Resource
win10-20230915-en
Behavioral task
behavioral12
Sample
New.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral13
Sample
SBLlgcMqPg.exe
Resource
win7-20230831-en
Behavioral task
behavioral14
Sample
SBLlgcMqPg.exe
Resource
win10-20230915-en
Behavioral task
behavioral15
Sample
SBLlgcMqPg.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral16
Sample
hh.chm
Resource
win7-20230831-en
Behavioral task
behavioral17
Sample
hh.chm
Resource
win10-20230915-en
Behavioral task
behavioral18
Sample
hh.chm
Resource
win10v2004-20230915-en
Behavioral task
behavioral19
Sample
nY4Ke1JkQH.exe
Resource
win7-20230831-en
Behavioral task
behavioral20
Sample
nY4Ke1JkQH.exe
Resource
win10-20230915-en
Behavioral task
behavioral21
Sample
nY4Ke1JkQH.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral22
Sample
qnr.dll
Resource
win7-20230831-en
Behavioral task
behavioral23
Sample
qnr.dll
Resource
win10-20230915-en
Behavioral task
behavioral24
Sample
qnr.dll
Resource
win10v2004-20230915-en
Behavioral task
behavioral25
Sample
˫װ.exe
Resource
win7-20230831-en
Behavioral task
behavioral26
Sample
˫װ.exe
Resource
win10-20230915-en
Behavioral task
behavioral27
Sample
˫װ.exe
Resource
win10v2004-20230915-en
Behavioral task
behavioral28
Sample
ٷѰװ.exe
Resource
win7-20230831-en
Behavioral task
behavioral29
Sample
ٷѰװ.exe
Resource
win10-20230831-en
Behavioral task
behavioral30
Sample
ٷѰװ.exe
Resource
win10v2004-20230915-en
General
-
Target
nY4Ke1JkQH.exe
-
Size
214KB
-
MD5
415e87055596d88f1793be910abe60aa
-
SHA1
3182b59a3063df587987a6bc6f7e39c42c075e8f
-
SHA256
399e60f78e458f5e010da46a45c66ccf9b0fd30c128234a5dd9d9c9aa32ffa27
-
SHA512
4129ed2744ee101e22aefc63e495ddb2b877ae33d4d8aa957992bad9ea46896256c2272597e6c82d6ad94dc6dea24af0e3e706bdaa0b76d0e158b002597feda3
-
SSDEEP
3072:9kIcMtRin3zIf6naro5T6zaKPCbd5XX4E1Tgmn8Y5W646CN:9PPtRJ6NeKfocpnJ5W64
Malware Config
Extracted
gh0strat
154.221.25.208
Signatures
-
Gh0st RAT payload 2 IoCs
resource yara_rule behavioral21/memory/468-26-0x0000000010000000-0x000000001000B000-memory.dmp family_gh0strat behavioral21/memory/468-29-0x0000000000400000-0x0000000000413000-memory.dmp family_gh0strat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation nY4Ke1JkQH.exe -
Executes dropped EXE 1 IoCs
pid Process 1884 svchost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" nY4Ke1JkQH.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: AddInProcess32.exe File opened (read-only) \??\O: AddInProcess32.exe File opened (read-only) \??\T: AddInProcess32.exe File opened (read-only) \??\M: AddInProcess32.exe File opened (read-only) \??\P: AddInProcess32.exe File opened (read-only) \??\Q: AddInProcess32.exe File opened (read-only) \??\R: AddInProcess32.exe File opened (read-only) \??\V: AddInProcess32.exe File opened (read-only) \??\Y: AddInProcess32.exe File opened (read-only) \??\I: AddInProcess32.exe File opened (read-only) \??\J: AddInProcess32.exe File opened (read-only) \??\U: AddInProcess32.exe File opened (read-only) \??\X: AddInProcess32.exe File opened (read-only) \??\S: AddInProcess32.exe File opened (read-only) \??\W: AddInProcess32.exe File opened (read-only) \??\E: AddInProcess32.exe File opened (read-only) \??\G: AddInProcess32.exe File opened (read-only) \??\H: AddInProcess32.exe File opened (read-only) \??\K: AddInProcess32.exe File opened (read-only) \??\L: AddInProcess32.exe File opened (read-only) \??\N: AddInProcess32.exe File opened (read-only) \??\Z: AddInProcess32.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1884 set thread context of 468 1884 svchost.exe 99 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AddInProcess32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AddInProcess32.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 844 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4920 timeout.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 4884 nY4Ke1JkQH.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe 468 AddInProcess32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4884 nY4Ke1JkQH.exe Token: SeDebugPrivilege 1884 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 468 AddInProcess32.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 4884 wrote to memory of 4132 4884 nY4Ke1JkQH.exe 88 PID 4884 wrote to memory of 4132 4884 nY4Ke1JkQH.exe 88 PID 4884 wrote to memory of 4132 4884 nY4Ke1JkQH.exe 88 PID 4884 wrote to memory of 1056 4884 nY4Ke1JkQH.exe 90 PID 4884 wrote to memory of 1056 4884 nY4Ke1JkQH.exe 90 PID 4884 wrote to memory of 1056 4884 nY4Ke1JkQH.exe 90 PID 4132 wrote to memory of 844 4132 cmd.exe 92 PID 4132 wrote to memory of 844 4132 cmd.exe 92 PID 4132 wrote to memory of 844 4132 cmd.exe 92 PID 1056 wrote to memory of 4920 1056 cmd.exe 93 PID 1056 wrote to memory of 4920 1056 cmd.exe 93 PID 1056 wrote to memory of 4920 1056 cmd.exe 93 PID 1056 wrote to memory of 1884 1056 cmd.exe 97 PID 1056 wrote to memory of 1884 1056 cmd.exe 97 PID 1056 wrote to memory of 1884 1056 cmd.exe 97 PID 1884 wrote to memory of 468 1884 svchost.exe 99 PID 1884 wrote to memory of 468 1884 svchost.exe 99 PID 1884 wrote to memory of 468 1884 svchost.exe 99 PID 1884 wrote to memory of 468 1884 svchost.exe 99 PID 1884 wrote to memory of 468 1884 svchost.exe 99 PID 1884 wrote to memory of 468 1884 svchost.exe 99 PID 1884 wrote to memory of 468 1884 svchost.exe 99 PID 1884 wrote to memory of 468 1884 svchost.exe 99 PID 1884 wrote to memory of 468 1884 svchost.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\nY4Ke1JkQH.exe"C:\Users\Admin\AppData\Local\Temp\nY4Ke1JkQH.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
PID:844
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp80F3.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:4920
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:468
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151B
MD5e069f89b098fe49c136c662bad9a74ca
SHA14db0d65af34b8899fd563a0d724574dba9ef7443
SHA256c48f09459db16689c71854c406772b6fb826540921b76f708ee4e506434b3c42
SHA512324604e0d9ccb09422bdb8b341cf3df9c835ceee79d091d769a28d41577447e0646dafec0b095b2e4840236c16ec58df8f02e5c0d994e997c048377641658dc1
-
Filesize
214KB
MD5415e87055596d88f1793be910abe60aa
SHA13182b59a3063df587987a6bc6f7e39c42c075e8f
SHA256399e60f78e458f5e010da46a45c66ccf9b0fd30c128234a5dd9d9c9aa32ffa27
SHA5124129ed2744ee101e22aefc63e495ddb2b877ae33d4d8aa957992bad9ea46896256c2272597e6c82d6ad94dc6dea24af0e3e706bdaa0b76d0e158b002597feda3
-
Filesize
214KB
MD5415e87055596d88f1793be910abe60aa
SHA13182b59a3063df587987a6bc6f7e39c42c075e8f
SHA256399e60f78e458f5e010da46a45c66ccf9b0fd30c128234a5dd9d9c9aa32ffa27
SHA5124129ed2744ee101e22aefc63e495ddb2b877ae33d4d8aa957992bad9ea46896256c2272597e6c82d6ad94dc6dea24af0e3e706bdaa0b76d0e158b002597feda3