Analysis
  max time kernel: 149s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25/12/2023, 22:58

Behavioral task: behavioral1
  Sample: 41b3f3238ed87a35ea06e99b8ca9d58a.exe
  Resource: win7-20231215-en

General
  Target: 41b3f3238ed87a35ea06e99b8ca9d58a.exe
  Size: 155KB
  MD5: 41b3f3238ed87a35ea06e99b8ca9d58a
  SHA1: ac7ad3508f04530769cd52d7a723bb067dd8c203
  SHA256: 758d6af1bc6a7c011e5a8edf2c5cc3e20749324afe62a69faff2c92372b478de
  SHA512: 4b3111db61bad7dcbf5531dc091d2e924547c42cccb085e4a60e0f4d482af1d10f7c6ae4064f3660da4f37383665577855d172eb2fd08a37eebf3a7932b1ee01
  SSDEEP: 3072:5nzK5S9ERdbsJd84Qc/whoGmip8ntWkgnG7CudC:5qsJeb1m2kwkgGmK
Malware Config
Signatures
Gh0st RAT payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4880-0-0x0000000000400000-0x0000000000429000-memory.dmp    family_gh0strat
  behavioral2/files/0x000300000001e982-3.dat                                    family_gh0strat
  behavioral2/files/0x0007000000022e6a-12.dat                                   family_gh0strat
  behavioral2/memory/4880-13-0x0000000000400000-0x0000000000429000-memory.dmp   family_gh0strat
  behavioral2/files/0x0007000000022e6a-14.dat                                   family_gh0strat

Deletes itself (1 IoC)
  pid   Process
  788   svchost.exe

Loads dropped DLL (2 IoCs)
  pid    Process
  4880   41b3f3238ed87a35ea06e99b8ca9d58a.exe
  788    svchost.exe

Drops file in Program Files directory (3 IoCs)
  description                    ioc                                                 Process
  File created                   C:\Program Files (x86)\Common Files\Centerv.gzip    41b3f3238ed87a35ea06e99b8ca9d58a.exe
  File created                   \??\c:\Program Files\NT_Path.gif                    41b3f3238ed87a35ea06e99b8ca9d58a.exe
  File opened for modification   C:\Program Files (x86)\Common Files\Centerv.gzip    41b3f3238ed87a35ea06e99b8ca9d58a.exe

Drops file in Windows directory (1 IoC)
  description    ioc                               Process
  File created   C:\windows\Prefetch3118600.dll    41b3f3238ed87a35ea06e99b8ca9d58a.exe

Kills process with taskkill (1 IoC)
  pid    Process
  4820   taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  788   svchost.exe   (64 identical entries)

Suspicious behavior: LoadsDriver (6 IoCs)
  pid   Process
  4     Process not Found   (5 entries)
  660   Process not Found   (1 entry)

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description                 pid    Process
  Token: SeDebugPrivilege     4820   taskkill.exe
  Token: SeBackupPrivilege    4880   41b3f3238ed87a35ea06e99b8ca9d58a.exe   (4 entries)
  Token: SeRestorePrivilege   4880   41b3f3238ed87a35ea06e99b8ca9d58a.exe   (4 entries)

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    Process                                procid_target
  PID 4880 wrote to memory of 4820   4880   41b3f3238ed87a35ea06e99b8ca9d58a.exe   89   (3 identical entries)
Processes
  C:\Users\Admin\AppData\Local\Temp\41b3f3238ed87a35ea06e99b8ca9d58a.exe   (PID 4880, level 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\41b3f3238ed87a35ea06e99b8ca9d58a.exe"
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\taskkill.exe   (PID 4820, level 2, child of 4880)
        command line: taskkill /f /im Ksafetray.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe   (PID 788, level 1)
    command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
    - Deletes itself
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
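The signatures and the process tree above describe three behaviours that translate directly into host detections: a forced `taskkill /f /im` against a named process, an `svchost.exe -k imgsvc` host loading a DLL that was dropped outside the system directories, and a binary running from the user's Temp folder writing into Program Files and C:\windows. The Python below is an added example written for this page, not code from the sandbox report or its tooling. It runs those three rules over constructed Sysmon-style events (ProcessCreate, ImageLoad, FileCreate) built to mirror the PIDs and paths in the report; the JSON field names and the one-object-per-line shape are assumptions, as is treating System32 and SysWOW64 as the only expected load locations for svchost service DLLs (rule 2 is a triage heuristic, since third-party services may legitimately host DLLs elsewhere).

```python
"""Detection rules derived from the signatures and process tree above.

Added example for this page, not code from the sandbox report or its tooling.
The events below are constructed, not real telemetry; their field names
follow Sysmon ProcessCreate (1), ImageLoad (7) and FileCreate (11), but the
one-JSON-object-per-line shape is an assumption.
"""
import json
import ntpath
import re

# Where svchost.exe is expected to find service DLLs (assumption: heuristic,
# third-party services may legitimately live elsewhere; flag, then triage).
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Trees a binary running from %TEMP% has no business writing into.
PROTECTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
TEMP_MARKER = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed sample, mirroring PIDs 4880 / 4820 / 788 and the paths in the report.
SAMPLE_EVENTS = r"""
{"EventId": 1, "ProcessId": 4880, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\41b3f3238ed87a35ea06e99b8ca9d58a.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\41b3f3238ed87a35ea06e99b8ca9d58a.exe\""}
{"EventId": 11, "ProcessId": 4880, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\41b3f3238ed87a35ea06e99b8ca9d58a.exe", "TargetFilename": "C:\\Program Files (x86)\\Common Files\\Centerv.gzip"}
{"EventId": 11, "ProcessId": 4880, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\41b3f3238ed87a35ea06e99b8ca9d58a.exe", "TargetFilename": "\\??\\c:\\Program Files\\NT_Path.gif"}
{"EventId": 11, "ProcessId": 4880, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\41b3f3238ed87a35ea06e99b8ca9d58a.exe", "TargetFilename": "C:\\windows\\Prefetch3118600.dll"}
{"EventId": 1, "ProcessId": 4820, "Image": "C:\\Windows\\SysWOW64\\taskkill.exe", "CommandLine": "taskkill /f /im Ksafetray.exe"}
{"EventId": 7, "ProcessId": 788, "Image": "C:\\Windows\\SysWOW64\\svchost.exe", "ImageLoaded": "C:\\windows\\Prefetch3118600.dll"}
{"EventId": 7, "ProcessId": 788, "Image": "C:\\Windows\\SysWOW64\\svchost.exe", "ImageLoaded": "C:\\Windows\\SysWOW64\\ntdll.dll"}
{"EventId": 1, "ProcessId": 5100, "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /pid 4242"}
"""


def _norm(path):
    """Lower-case a Windows path and drop the NT object-manager prefix seen in the report."""
    p = ntpath.normcase(path)
    return p[4:] if p.startswith("\\??\\") else p


def _under(path, roots):
    p = _norm(path)
    return any(p.startswith(root + "\\") for root in roots)


def _basename(path):
    return ntpath.basename(_norm(path))


def detect(event_lines):
    """Run the three rules over newline-delimited JSON events; return findings in event order."""
    findings = []
    for raw in event_lines.strip().splitlines():
        ev = json.loads(raw)
        eid, image, pid = ev["EventId"], ev["Image"], ev["ProcessId"]
        # Rule 1: forced kill by image name ("Kills process with taskkill", PID 4820).
        if eid == 1 and _basename(image) == "taskkill.exe":
            args = ev["CommandLine"].lower().split()
            if "/f" in args and "/im" in args:
                findings.append({"rule": "taskkill_force_image", "pid": pid, "detail": ev["CommandLine"]})
        # Rule 2: svchost.exe loading a DLL from outside the system directories
        # ("Loads dropped DLL" by the -k imgsvc host, PID 788).
        elif eid == 7 and _basename(image) == "svchost.exe":
            if not _under(ev["ImageLoaded"], SYSTEM_DLL_DIRS):
                findings.append({"rule": "svchost_nonsystem_dll", "pid": pid, "detail": ev["ImageLoaded"]})
        # Rule 3: a binary launched from %TEMP% writing into Program Files or
        # C:\windows ("Drops file in ... directory", PID 4880).
        elif eid == 11 and TEMP_MARKER.search(image):
            if _under(ev["TargetFilename"], PROTECTED_ROOTS):
                findings.append({"rule": "temp_binary_writes_protected_dir", "pid": pid, "detail": ev["TargetFilename"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:34} pid={f['pid']:<5} {f['detail']}")
```

The benign `taskkill /pid 4242` and the `ntdll.dll` load are included so the rules can be seen not to fire on ordinary activity; the `\??\` prefix on NT_Path.gif is normalised before the path check because that is the form the report records it in.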
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 2.5MB
    MD5: eda843f78ad809e1c5a843b5e315956f
    SHA1: 771a5df2fa7e68b9be800458f107c5ca280c219e
    SHA256: 44dd2d7d230875e40569cbefa6a631634ee14970ae7e9f9ef31adab068fe3677
    SHA512: ed7511585d487c6c4b51cb1ceda4588bdb52e1dfeb30fc7f8e2ad1c9c7404ad8b4119d58c74f987e2e060a614bb0c9c8c307e22762d58de2fb1268f73f26b668

  Filesize: 148KB
    MD5: ba45c1783e8cda7e1a1df06e31ac2bb8
    SHA1: 4a7dacd6f9df249a2bdf0a804e847f4efd50f920
    SHA256: 73bed1b3ed15943f49b86a60ecd2fa86455c873ef3fede98126d346e31df8e4b
    SHA512: edde4c7be9280f1f468bb4af15eca19ea720a92590bbe8148f3ca7b29c228fcf5560c2faabf1b5e46c3b36b718987a8759da5365b153d7d5a3002f8297022abc

  Filesize: 101B
    MD5: 80729f0b1936e65f041fbd95a6b299af
    SHA1: 09a739028511e717591573a5d750c588a4af20bf
    SHA256: db564f15f734bf7292de56576b55660d93fee24175d1d33dbddbe20a12162df3
    SHA512: fd1d1e0d6fdd78f7d5e2e7c538ac403cb4eb28480ac7325c532656e9d0045c6f6a17bbc764866604d4606680a4e109ae707ee237eb86a58790e5ce34423cdf68

  Filesize: 2.8MB
    MD5: 0746746dea3cec3a3ecdcd8615fefb68
    SHA1: 2b8d95a68653b073b294e23dbbcc1721b08b06ca
    SHA256: 54a22c2dbca1f2f9fbbe9cb46819d7585d35ee82ec4cfae0bf1c3ca89e99c777
    SHA512: cbadc1eaea23cfb74a76197fc0cd723c944c6fcb1e5745773d67f56166e8a71f830aa07ba4a0c55fc525a2473e0bd703ec7b3bc1a3fd10bcd66cff27145d7b90
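The hashes under General and Downloads are the report's file IoCs. The Python below is an added example for this page, not code from the report: it streams a file through MD5, SHA-1, SHA-256 and SHA-512 in a single pass, matches the result against the report's values (requiring MD5 and SHA-256 to agree, since an MD5 match alone is collision-prone), and checks whether the drop paths from the "Drops file" signatures exist on the host. The labels in KNOWN_FILES and the constructed file written by demo() are ours; the report does not say which downloaded file landed at which dropped path, so the script does not assume that either.

```python
"""Verify files against the hashes in the General and Downloads sections above.

Added example for this page, not code from the sandbox report. KNOWN_FILES
copies the MD5 and SHA-256 values listed in the report; the labels are ours.
DROPPED_PATHS come from the "Drops file" signatures. The file written in
demo() is constructed for the demonstration and matches nothing.
"""
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256", "sha512")

# MD5 -> (SHA-256, label), copied from the report above; labels are ours.
KNOWN_FILES = {
    "41b3f3238ed87a35ea06e99b8ca9d58a": ("758d6af1bc6a7c011e5a8edf2c5cc3e20749324afe62a69faff2c92372b478de", "submitted sample (155KB)"),
    "eda843f78ad809e1c5a843b5e315956f": ("44dd2d7d230875e40569cbefa6a631634ee14970ae7e9f9ef31adab068fe3677", "downloaded file (2.5MB)"),
    "ba45c1783e8cda7e1a1df06e31ac2bb8": ("73bed1b3ed15943f49b86a60ecd2fa86455c873ef3fede98126d346e31df8e4b", "downloaded file (148KB)"),
    "80729f0b1936e65f041fbd95a6b299af": ("db564f15f734bf7292de56576b55660d93fee24175d1d33dbddbe20a12162df3", "downloaded file (101B)"),
    "0746746dea3cec3a3ecdcd8615fefb68": ("54a22c2dbca1f2f9fbbe9cb46819d7585d35ee82ec4cfae0bf1c3ca89e99c777", "downloaded file (2.8MB)"),
}

# Paths the sample wrote to, per the "Drops file" signatures.
DROPPED_PATHS = [
    r"C:\Program Files (x86)\Common Files\Centerv.gzip",
    r"C:\Program Files\NT_Path.gif",
    r"C:\windows\Prefetch3118600.dll",
]


def digests(data):
    """All four digests of an in-memory byte string, hex-encoded."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through all four hashes at once, so large drops are read only once."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def classify(hashes):
    """Label a hash set: a full match needs MD5 and SHA-256 to agree; MD5 alone is flagged for review."""
    entry = KNOWN_FILES.get(hashes["md5"])
    if entry is None:
        return None
    sha256, label = entry
    return label if hashes["sha256"] == sha256 else "md5 match only, verify manually"


def scan(paths):
    """Map each path to 'absent', a known label, or 'present, hash unknown'."""
    results = {}
    for path in paths:
        if not os.path.isfile(path):
            results[path] = "absent"
        else:
            results[path] = classify(hash_file(path)) or "present, hash unknown"
    return results


def demo():
    """Scan a constructed file plus the report's drop locations; return the results dict."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "constructed-sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed bytes, not the real dropper\n")  # constructed input
        return scan([sample] + DROPPED_PATHS)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:32} {path}")
```

On a clean host every drop path reports `absent`; a `present, hash unknown` at one of those paths is worth a look even without a hash match, because the report shows nothing legitimate creating files at those locations.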