Analysis
max time kernel: 150s
max time network: 117s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 23:06
Behavioral task: behavioral1
Sample: 1811e461767ca3de358ef321e0a864d8.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 1811e461767ca3de358ef321e0a864d8.exe
Resource: win10v2004-20231215-en
General
Target: 1811e461767ca3de358ef321e0a864d8.exe
Size: 741KB
MD5: 1811e461767ca3de358ef321e0a864d8
SHA1: 881915df35a7a83102632552138f8ef718d1b04a
SHA256: 29f69d13328efbd0dac5b0a3d2c8d44230a707429dba5bded6a646b16d8649fb
SHA512: 8cc0362040a8a1c43822951e0f2b728be4cd2a695c955c20e24ddf3a56a18d8651ce8cbe602750da81c70d15f7fbcb43b140312ae4016be59424e86f653a43a5
SSDEEP: 12288:jt0VPFfsKAkrbPlXhHANUTNqmkTHANUTNQ:SFksb1AmkA
Malware Config
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2032-10-0x0000000000400000-0x00000000004F1000-memory.dmp | yara_rule: family_gh0strat
Executes dropped EXE (1 IoC)
  pid: 2032 | Process: (null)0.exe
UPX yara_rule matches (3 IoCs)
  resource: behavioral1/memory/2032-10-0x0000000000400000-0x00000000004F1000-memory.dmp | yara_rule: upx
  resource: behavioral1/files/0x000d00000001232d-9.dat | yara_rule: upx
  resource: behavioral1/memory/2688-0-0x0000000000400000-0x00000000004F1000-memory.dmp | yara_rule: upx
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1811e461767ca3de358ef321e0a864d8.exe" | Process: 1811e461767ca3de358ef321e0a864d8.exe
Drops file in Windows directory (3 IoCs)
  description: File created | ioc: \??\c:\Windows\BJ.exe | Process: 1811e461767ca3de358ef321e0a864d8.exe
  description: File opened for modification | ioc: \??\c:\Windows\BJ.exe | Process: 1811e461767ca3de358ef321e0a864d8.exe
  description: File created | ioc: \??\c:\Windows\(null)0.exe | Process: 1811e461767ca3de358ef321e0a864d8.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2688 wrote to memory of 2032 | pid: 2688 | Process: 1811e461767ca3de358ef321e0a864d8.exe | procid_target: 28
  description: PID 2688 wrote to memory of 2032 | pid: 2688 | Process: 1811e461767ca3de358ef321e0a864d8.exe | procid_target: 28
  description: PID 2688 wrote to memory of 2032 | pid: 2688 | Process: 1811e461767ca3de358ef321e0a864d8.exe | procid_target: 28
  description: PID 2688 wrote to memory of 2032 | pid: 2688 | Process: 1811e461767ca3de358ef321e0a864d8.exe | procid_target: 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\1811e461767ca3de358ef321e0a864d8.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1811e461767ca3de358ef321e0a864d8.exe"
   PID: 2688
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. \??\c:\Windows\(null)0.exe
      command line: c:\Windows\(null)0.exe
      PID: 2032
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 382KB
MD5: 50e55af239ad382294020f3539f874da
SHA1: 56182b08bcb8cd164300d6048858c4606a1dbf9b
SHA256: 5ce42b29fb5ec8c6bd7ab5ffc8767f723030bbefdb0bfefdb924007d309a5d15
SHA512: 5dc23236deea09517910fe9ef631888cc9bb3bd639bfd62967ce9236a49c85dbad75eb15b68193a64bc528c1b6702e51e6a3279ade0811e8df1c13c0483a3b8d