Analysis
max time kernel: 131s
max time network: 130s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 08/12/2023, 04:32
Static task: static1
Behavioral task behavioral1: 217.exe on win7-20231023-en
Behavioral task behavioral2: 217.exe on win10-20231129-en
Behavioral task behavioral3: 217.exe on win10v2004-20231201-en
Every signature hit and the process tree below carry the behavioral1 prefix, i.e. they come from the Windows 7 x64 run; no results from behavioral2 or behavioral3 appear on this page.
General
Target: 217.exe
Size: 2.9MB
MD5: 54a5fa5716baa7a839b4e05fc81b6a63
SHA1: 91d8180e02235e4ab5a0ccb7c6f0c5efb58b014b
SHA256: 0b8c847eb78a586597beec4b5efc14118f315b7dbcc41b69f863e6f2d315eaa7
SHA512: 6f75425763f10eeaf5181fa65bd8da3d9beea4b60978d3bf581db92c107e5b6e29bc0571e4fe3a62af86cf7f759aee358afa5e7d62a33ebcfa56e67e9d25f7e1
SSDEEP: 49152:qlDnVWC15/KCskLST/ouhqu9zQtZfndA43Ei0y1f3UGQzRi7:qvWC15/KLkL4798fnZ11fkDi7
Malware Config
Signatures
Gh0st RAT payload (6 IoCs)
resource | yara_rule
behavioral1/memory/2296-70-0x0000000003430000-0x00000000035B9000-memory.dmp | family_gh0strat
behavioral1/memory/2296-71-0x0000000003430000-0x00000000035B9000-memory.dmp | family_gh0strat
behavioral1/memory/2296-72-0x0000000003430000-0x00000000035B9000-memory.dmp | family_gh0strat
behavioral1/memory/2296-73-0x0000000003430000-0x00000000035B9000-memory.dmp | family_gh0strat
behavioral1/memory/2296-75-0x0000000003430000-0x00000000035B9000-memory.dmp | family_gh0strat
behavioral1/memory/2296-85-0x0000000003430000-0x00000000035B9000-memory.dmp | family_gh0strat
All six hits are successive dumps of one region, 0x0000000003430000-0x00000000035B9000 (0x189000 bytes), in yybrowser.exe (PID 2296). That address is not an image base, so the Gh0st code is present in a dynamically allocated region rather than in the on-disk executable.
Executes dropped EXE (1 IoC)
pid | Process
2296 | yybrowser.exe
Loads dropped DLL (7 IoCs)
pid | Process
2744 | 217.exe (1 load)
2296 | yybrowser.exe (6 loads)
UPX-packed memory (yara rule upx, 7 IoCs)
resource | yara_rule
behavioral1/memory/2296-67-0x0000000003430000-0x00000000035B9000-memory.dmp | upx
behavioral1/memory/2296-70-0x0000000003430000-0x00000000035B9000-memory.dmp | upx
behavioral1/memory/2296-71-0x0000000003430000-0x00000000035B9000-memory.dmp | upx
behavioral1/memory/2296-72-0x0000000003430000-0x00000000035B9000-memory.dmp | upx
behavioral1/memory/2296-73-0x0000000003430000-0x00000000035B9000-memory.dmp | upx
behavioral1/memory/2296-75-0x0000000003430000-0x00000000035B9000-memory.dmp | upx
behavioral1/memory/2296-85-0x0000000003430000-0x00000000035B9000-memory.dmp | upx
This is the same 0x0000000003430000-0x00000000035B9000 region in which family_gh0strat fires above: dumps 70, 71, 72, 73, 75 and 85 match both rules, while dump 67 matches only upx.
VMProtect-packed file (yara rule vmprotect, 5 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000015c28-59.dat | vmprotect
behavioral1/files/0x0009000000015c28-60.dat | vmprotect
behavioral1/memory/2296-61-0x0000000010000000-0x00000000100A0000-memory.dmp | vmprotect
behavioral1/memory/2296-62-0x0000000010000000-0x00000000100A0000-memory.dmp | vmprotect
behavioral1/memory/2296-83-0x0000000010000000-0x00000000100A0000-memory.dmp | vmprotect
The memory hits sit at 0x10000000, the Microsoft linker's default ImageBase for DLLs, which is consistent with the VMProtect-packed dropped file being one of the DLLs yybrowser.exe loads (see "Loads dropped DLL"). The two file resources and three dumps are distinct IoCs for what is most likely a single component.
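The three memory-hit tables above name the same two regions over and over. The following added example (not part of the sandbox report or the Triage tooling) parses Triage's dump resource names, groups hits by address range and reports size and rule overlap, so the "same region, two rules" relationship is visible at a glance. The names are copied from the tables above; the "default DLL ImageBase" heuristic is an assumption the report does not make.

```python
import re

# Memory-dump resource names and the YARA rule that fired on each, copied from the
# signature tables above. Triage names dumps <task>/memory/<pid>-<seq>-<start>-<end>-memory.dmp.
GH0ST_REGION = "0x0000000003430000-0x00000000035B9000"
MEMORY_HITS = [
    (f"behavioral1/memory/2296-{seq}-{GH0ST_REGION}-memory.dmp", rule)
    for seq, rule in [(67, "upx"), (70, "upx"), (71, "upx"), (72, "upx"), (73, "upx"),
                      (75, "upx"), (85, "upx"),
                      (70, "family_gh0strat"), (71, "family_gh0strat"), (72, "family_gh0strat"),
                      (73, "family_gh0strat"), (75, "family_gh0strat"), (85, "family_gh0strat")]
] + [
    (f"behavioral1/memory/2296-{seq}-0x0000000010000000-0x00000000100A0000-memory.dmp", "vmprotect")
    for seq in (61, 62, 83)
]

DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Assumption (not from the report): an exact hit at 0x10000000 is treated as a DLL image,
# because that is the default ImageBase the Microsoft linker gives DLLs.
DEFAULT_DLL_IMAGEBASE = 0x10000000


def parse_dump_name(name):
    """Split a Triage memory-dump resource name into its fields; reject anything else."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Triage memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions(hits):
    """Group (dump name, rule) pairs by (pid, start, end); sorted by start address."""
    grouped = {}
    for name, rule in hits:
        d = parse_dump_name(name)
        key = (d["pid"], d["start"], d["end"])
        r = grouped.setdefault(key, {"pid": d["pid"], "start": d["start"], "end": d["end"],
                                     "size": d["size"], "rules": set(), "seqs": set()})
        r["rules"].add(rule)
        r["seqs"].add(d["seq"])
    return sorted(grouped.values(), key=lambda r: r["start"])


def describe(region):
    """One-line summary of a region, flagging the likely-DLL case."""
    kind = ("at default DLL ImageBase: probably a loaded DLL image"
            if region["start"] == DEFAULT_DLL_IMAGEBASE
            else "not an image base: dynamically allocated, unpacked-payload candidate")
    return (f"pid {region['pid']} 0x{region['start']:08X}-0x{region['end']:08X} "
            f"({region['size']:,} bytes) rules={','.join(sorted(region['rules']))} "
            f"dumps={','.join(str(s) for s in sorted(region['seqs']))} [{kind}]")


if __name__ == "__main__":
    for r in regions(MEMORY_HITS):
        print(describe(r))
```

Run as-is it prints two lines: the 0x03430000 region (1,609,728 bytes, rules family_gh0strat and upx, dumps 67 through 85) and the 0x10000000 region (655,360 bytes, vmprotect only). File resources such as behavioral1/files/0x0009000000015c28-59.dat are deliberately rejected by parse_dump_name so they are not mistaken for address ranges.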
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only) | Process: yybrowser.exe (PID 2296)
ioc: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
22 of the 26 drive letters are opened; only A:, C:, D: and F: are absent. A sweep of nearly every drive letter by one process is a useful detection pivot, since it is what a RAT's drive-discovery or file-manager routine looks like and ordinary applications rarely do it.
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Ying-UnInstall.exe | 217.exe
File opened for modification | C:\Windows\SysWOW64\Ying-UnInstall.exe | 217.exe
File created | C:\Windows\SysWOW64\YingInstall\409.ini | 217.exe
Writing under C:\Windows\SysWOW64 needs an administrative token; the sample ran from C:\Users\Admin\... in the sandbox, so on a standard-user host this step would fail or raise a UAC prompt. The file name 409.ini follows the installer convention of naming language files by LCID (0x0409 is en-US), which fits the "Ying-UnInstall"/"YingInstall" installer-style naming.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | yybrowser.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | yybrowser.exe
~MHz holds the CPU clock speed the kernel measured at boot; emulated or heavily throttled sandboxes tend to report odd values there, which is why malware reads it. Plenty of legitimate software (installers, hardware inventory tools) reads the same value, so treat this as weak evidence on its own.
Suspicious behavior: EnumeratesProcesses (34 IoCs)
pid | Process
2296 | yybrowser.exe (all 34 events)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: 33 | 2296 | yybrowser.exe
Token: SeIncBasePriorityPrivilege | 2296 | yybrowser.exe
Token: 33 | 2296 | yybrowser.exe
Token: SeIncBasePriorityPrivilege | 2296 | yybrowser.exe
"33" is a raw privilege LUID the report did not resolve to a name; in Windows' well-known privilege table, value 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). Both privileges are low-value ones that ordinary processes enable when adjusting their own priority or working set, so this signature carries little weight by itself.
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
2744 | 217.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2744 | 217.exe (4 calls)
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2744 wrote to memory of 2296 | 2744 | 217.exe | 28 (4 identical rows)
All four writes go from 217.exe (PID 2744) into its child yybrowser.exe (PID 2296); procid_target is Triage's internal index for the target process. Triage records a few parent-to-child writes for most process launches, so this row alone does not prove injection; the stronger evidence that yybrowser.exe ends up running Gh0st code is the family_gh0strat match in its memory above.
Processes
C:\Users\Admin\AppData\Local\Temp\217.exe (command line: "C:\Users\Admin\AppData\Local\Temp\217.exe"), PID 2744
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    C:\Users\Public\Documents\yybrowser.exe (command line: C:\Users\Public\Documents\yybrowser.exe), PID 2296, child of PID 2744
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
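The signature tables and process tree above describe four behaviours a defender can turn into host-side rules: an executable launched from a user-writable directory (C:\Users\Public\Documents), a non-system process dropping files into SysWOW64, a read of CentralProcessor\0\~MHz, and a sweep of drive letters. The following added example (not part of the report or of Triage) runs those four rules over event rows written in the report's own description/ioc/process/pid shape. The malicious rows are copied from the tables above; the "benign contrast" rows and the drive-letter threshold of 8 are constructed assumptions.

```python
import re
from collections import defaultdict

# Event rows in the report's (description, ioc, process, pid) shape. The first rows are
# copied from the signature tables above; rows marked "benign contrast" are constructed
# so the rules have something to leave alone.
DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\217.exe"
DROPPED = "C:\\Users\\Public\\Documents\\yybrowser.exe"
EVENTS = [
    ("File created", "C:\\Windows\\SysWOW64\\Ying-UnInstall.exe", DROPPER, 2744),
    ("File created", "C:\\Windows\\SysWOW64\\YingInstall\\409.ini", DROPPER, 2744),
    ("Process created", DROPPED, DROPPER, 2744),
    ("Key value queried",
     "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz", DROPPED, 2296),
]
EVENTS += [("File opened (read-only)", "\\??\\" + d + ":", DROPPED, 2296)
           for d in "BEGHIJKLMNOPQRSTUVWXYZ"]   # the 22 drive letters listed above
EVENTS += [  # benign contrast (constructed): Explorer touching two drives, a service writing to System32
    ("File opened (read-only)", "\\??\\D:", "C:\\Windows\\explorer.exe", 1234),
    ("File opened (read-only)", "\\??\\E:", "C:\\Windows\\explorer.exe", 1234),
    ("File created", "C:\\Windows\\System32\\catroot2\\edb.log", "C:\\Windows\\System32\\svchost.exe", 800),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")                       # \??\X:
USER_WRITABLE_RE = re.compile(r"^c:\\users\\(public\\|[^\\]+\\appdata\\local\\temp\\)")


def _finding(rule, pid, proc, detail):
    return {"rule": rule, "pid": pid, "process": proc, "detail": detail}


def detect(events, drive_threshold=8):
    """Run the four behaviour rules over the rows and return a list of findings."""
    findings = []
    drives = defaultdict(set)      # pid -> distinct drive letters opened
    image_of = {}
    for desc, ioc, proc, pid in events:
        image_of[pid] = proc
        ioc_l, proc_l = ioc.lower(), proc.lower()
        if desc == "File opened (read-only)":
            m = DRIVE_RE.match(ioc)
            if m:
                drives[pid].add(m.group(1))
        elif (desc == "File created" and ioc_l.startswith(SYSTEM_DIRS)
              and not proc_l.startswith("c:\\windows\\")):
            # a process outside C:\Windows writing into a system directory
            findings.append(_finding("system_dir_drop_by_user_process", pid, proc, ioc))
        elif desc == "Key value queried" and ioc_l.endswith("centralprocessor\\0\\~mhz"):
            findings.append(_finding("cpu_mhz_sandbox_check", pid, proc, ioc))
        elif desc == "Process created" and USER_WRITABLE_RE.match(ioc_l):
            findings.append(_finding("exe_launched_from_user_writable_dir", pid, proc, ioc))
    # drive-letter sweep: many distinct roots opened by one process
    for pid, letters in drives.items():
        if len(letters) >= drive_threshold:
            findings.append(_finding("drive_letter_sweep", pid, image_of[pid],
                                     f"{len(letters)} drive letters: {''.join(sorted(letters))}"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['process']}: {f['detail']}")
```

Run as-is it reports five findings, all against PIDs 2744 and 2296, and nothing for the two constructed benign rows. When porting these rules to real telemetry, note that the process-creation and file-creation rules map directly onto Sysmon event IDs 1 and 11, whereas registry reads and per-drive root opens are not logged by Sysmon and need sandbox- or EDR-level data such as the rows this report is built from.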
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped/extracted files (8 unique by SHA-256; the report does not give their names)
- 563KB
  MD5: a528a1efb19f5bee2fa74cd8650dab24
  SHA1: 51b72c994283ec899a32732bc60655d3039138a8
  SHA256: d9295a5e215cf9f1c2dd5b9aa5deb1ee46619202b5814296ca73777506846608
  SHA512: bcf8db6c25868a5d48ef887046143ed504690084673ff71c886dc17de8f65482e773b3a5867cab89e310ac03f1a37f3661d1117230fbcb7d85071fcf2b34c15a
- 427KB
  MD5: 8b1d762ddec577e6bee5ceff79d34811
  SHA1: d8a266dab792952415f7bea84843c412418627d5
  SHA256: 75c8af58e84c4992d4d2013641e2916310c71d292bb808083077510ef5163610
  SHA512: dd38a5db80b7755c5543e0d3a16fdf6fc2075d80d7a24e5b4a99e5e6dbeda6fc061ee182586363a79bacd1fb831a6399eed2b56af4351ba2ecd30aa8177fb7f4
- 75KB
  MD5: ac85fa80b4c9bcab021ba214c56f7f3e
  SHA1: f4a03bed71041c21b4f0b56039f207f8ad97662e
  SHA256: 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede
  SHA512: 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928
- 320KB
  MD5: b87e123f675b38a7e5b15b0515040bed
  SHA1: fe5a958192effbf379f8a3331863069bb1d886a2
  SHA256: 5a8d4d49185c6589314c50dccdf4a178337ec92cb18533c770cf29571c6f0b05
  SHA512: 531620d704c70a7ca77ce91e9788d55217adbaa8053ea912ede7ff5c44792ca0cb43fe08d0fb5173d0bb48a678887d697aab71c2447d378c497d41f4d53281d1
- 1.2MB
  MD5: 71918ce3973e4741542022287de9f947
  SHA1: 21baae8623f8ade60954193cf6b2899ff868ccab
  SHA256: d0ad9d27d1d1e6926cc8be711f0bfb53d7e19eddfc4b7e94d5f0aa20641a6ae0
  SHA512: f58e7409b7a7e085bf36e9ec1c123409a75b71f1a09a4c85a59ff7436a7cf1020b2acd2782c92dd28141affacd996512fb6acfa9621000ebac08c0257dca8aaf
- 1.6MB
  MD5: 7870f90ed274348346f499dca9716c6d
  SHA1: a898355b54b17a80b298210ccb00228384dd2e85
  SHA256: d4e407cdc4a38416c2f512c021a70117f8114964a622957098f8d8d062056f3d
  SHA512: 68969b34d54ba961490cbeb832daa0c5b315289881dcce7ad0561938f413b1a19e23c3947ef93e0b5ddd1335f120ef4da6eb955e8b66a1391895c950da9c767b
- 198KB
  MD5: 007b92f069cc2445120bcd55ffb01f86
  SHA1: 20c368c75a7f27985d3ba025d96de4404fdbcbd2
  SHA256: 6626e0372f50083c275eb1803c6d04fb29a201d731918f0c4e00a0aa4576a548
  SHA512: bb9a763961f070c43a48a7a257830b4273a1d1b91f17aa496f851a1a1286b3e070167c6a657b99333a1c4c36e2d04210de661ce74792d4fe6dc12581f340ef8e
- 189KB
  MD5: 46343a46271dcaddf9f5192118d4190a
  SHA1: 998d84a369d392c76b60082f9e4da31bfff4dc53
  SHA256: f8c240a51a27735b4f5ee856fb7a9a01aa0d89351f326ee4892a3ca34fbd2001
  SHA512: 2a5f642ab06f91907fc9eafeac9325709e318d11813f76da5bc15eb81f06d43832cde850dd10e24b8d8dc2893a15dce7a76389a199a9cb11d4ffdf864190e03d