Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2023 16:08
Static task: static1
Behavioral task: behavioral1
  Sample: e295a10d1ae2f01ff66922cd13d950fb.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: e295a10d1ae2f01ff66922cd13d950fb.exe
  Resource: win10v2004-20231215-en
General
Target: e295a10d1ae2f01ff66922cd13d950fb.exe
Size: 395KB
MD5: e295a10d1ae2f01ff66922cd13d950fb
SHA1: 493ee29384a12b2f5dc13e9f6908b1f668c7b919
SHA256: c4e071cd3249b9ec23ef43a02be817d48941fdc86a1870a648e1d23288eedec0
SHA512: 6c2365d04102b943b6a555c5882b70c3952a4840d7e81db2dcad74ee932a7c963db6c23948f072fce3cf950fda6f11691654f19977bd731c3abd9d363f69874c
SSDEEP: 12288:+RZ+IoG/n9IQxW3OBsze2X+t4RbeZcdm6LA8:I2G/nvxW3Wh0teZcdm4A8
Malware Config
Signatures
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: e295a10d1ae2f01ff66922cd13d950fb.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | e295a10d1ae2f01ff66922cd13d950fb.exe
Drops startup file (2 IoCs)
Processes: server.EXE
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe | server.EXE
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\142514b06c5331e576c2b748ba1ec681.exe | server.EXE
Executes dropped EXE (3 IoCs)
Processes: server.EXE, CSGhost-V4.EXE, temp_wrapped_31366.exe
pid | process
3196 | server.EXE
5016 | CSGhost-V4.EXE
4788 | temp_wrapped_31366.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: server.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.EXE\" .." | server.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\142514b06c5331e576c2b748ba1ec681 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.EXE\" .." | server.EXE
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: temp_wrapped_31366.exe
pid | process
4788 | temp_wrapped_31366.exe (this same entry is repeated for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: server.EXE
description | pid | process
Token: SeDebugPrivilege | 3196 | server.EXE
Token: 33 | 3196 | server.EXE
Token: SeIncBasePriorityPrivilege | 3196 | server.EXE
(the "Token: 33" and "Token: SeIncBasePriorityPrivilege" entries alternate for the remaining 34 IoCs, all for pid 3196 server.EXE)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: CSGhost-V4.EXE, temp_wrapped_31366.exe
pid | process
5016 | CSGhost-V4.EXE
4788 | temp_wrapped_31366.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: e295a10d1ae2f01ff66922cd13d950fb.exe, CSGhost-V4.EXE, server.EXE
description | pid | process | target process | occurrences
PID 3308 wrote to memory of 3196 | 3308 | e295a10d1ae2f01ff66922cd13d950fb.exe | server.EXE | 3
PID 3308 wrote to memory of 5016 | 3308 | e295a10d1ae2f01ff66922cd13d950fb.exe | CSGhost-V4.EXE | 2
PID 5016 wrote to memory of 4788 | 5016 | CSGhost-V4.EXE | temp_wrapped_31366.exe | 3
PID 3196 wrote to memory of 4884 | 3196 | server.EXE | netsh.exe | 3
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\e295a10d1ae2f01ff66922cd13d950fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e295a10d1ae2f01ff66922cd13d950fb.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Roaming\server.EXE
    Command line: "C:\Users\Admin\AppData\Roaming\server.EXE"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.EXE" "server.EXE" ENABLE
      - Modifies Windows Firewall
  [depth 2] C:\Users\Admin\AppData\Roaming\CSGhost-V4.EXE
    Command line: "C:\Users\Admin\AppData\Roaming\CSGhost-V4.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\temp_wrapped_31366.exe
  Filesize: 60KB
  MD5: 6626698df959dedebe4bba05a5212cb6
  SHA1: 44b29eea5e11a7805fe74df6d7acc708d4e2c04f
  SHA256: ca7847a603db8ee2912c946b15ba8f7c6e4a6de13f8192792e58287859dee57a
  SHA512: 312b55a55348dbe85222d80df3142806411537e2fdee5338c0062825f030be73b5142d452c861059988c40c8172d1a3baa3f0d1f97dac6c7dff17c31d01822e8
C:\Users\Admin\AppData\Roaming\CSGhost-v4.exe
  Filesize: 68KB
  MD5: f46ebc4410101fc838ca6dbab76c90e1
  SHA1: f687b1880256cf8261c16a18cea4b5d2b76c92d3
  SHA256: 724c6c491d8d46f9a7e41192ba5926f0ee7b82e9315761f51520c9b6d2ee4be0
  SHA512: 244f7a5f46178b7c2935e2261d7fef5af8dfb55113388b8dce2dca070885cfe480913e1325a519cfd2e8b3351b12142edb989d2d8da6b153814b0bb3f3e217f1
C:\Users\Admin\AppData\Roaming\server.exe
  Filesize: 23KB
  MD5: a873745adb5279248a7ea3cccff26c3c
  SHA1: 551fb96900684f790fca3b2b837d1c88ef0508dc
  SHA256: 8320f6171990184f84338329dae465e33ef90e1a9584e7087b226d682b8e1594
  SHA512: 09d94e876577cd9c1ae164bb6bfa94fc440482f2fc5e775b6d7222508ad4ef53697f2164044b30789d7a2cf4f703a98d4958968c7cd774811a89a2188310b87f
memory/3196-22-0x0000000073100000-0x00000000736B1000-memory.dmp
  Filesize: 5.7MB
memory/3196-24-0x0000000001740000-0x0000000001750000-memory.dmp
  Filesize: 64KB
memory/3196-23-0x0000000073100000-0x00000000736B1000-memory.dmp
  Filesize: 5.7MB
memory/3196-26-0x0000000073100000-0x00000000736B1000-memory.dmp
  Filesize: 5.7MB
memory/3196-27-0x0000000073100000-0x00000000736B1000-memory.dmp
  Filesize: 5.7MB
memory/3196-28-0x0000000001740000-0x0000000001750000-memory.dmp
  Filesize: 64KB