Analysis
- max time kernel: 102s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-12-2023 11:50
Behavioral task: behavioral1
- Sample: 1c0a6c2808eb59a5577d5d415dd624a4.exe
- Resource: win7-20231215-en
General
- Target: 1c0a6c2808eb59a5577d5d415dd624a4.exe
- Size: 133KB
- MD5: 1c0a6c2808eb59a5577d5d415dd624a4
- SHA1: 9f7b105a35dcb1604726f00c4b57a8cb0af8d99d
- SHA256: 863268e4b23b69e2bff3395be373ea17395c93c2f67bd3c4a77e892b9730bde2
- SHA512: f48ad29a047630e0bbc1fb5752dd8f380d2734734ee3d7c0c148ac7bf5c6359e7067307683f0e67e3c3ba143b066d2cdb4da017f9b13c4d2ccdf0c7e5eafacbf
- SSDEEP: 3072:3hRciShZh3/nOZcsUhWPtKhXhCIqSS/Au37t0j8J2YJpD:3hKiSdWZcspt6hTLCAu37u8J2YJpD
Malware Config
Signatures
- Gh0st RAT payload (3 IoCs)
  resource | yara_rule
  - behavioral1/memory/2012-0-0x0000000000400000-0x0000000000422000-memory.dmp | family_gh0strat
  - behavioral1/memory/2012-4-0x0000000000400000-0x0000000000422000-memory.dmp | family_gh0strat
  - behavioral1/files/0x0034000000015c9e-3.dat | family_gh0strat
- Deletes itself (1 IoCs)
  pid | Process
  - 2052 | cmd.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  - 2520 | svchost.exe
- Drops file in Program Files directory (1 IoCs)
  description | ioc | Process
  - File created | C:\Program Files (x86)\data.dll | 1c0a6c2808eb59a5577d5d415dd624a4.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  - File created | C:\Windows\plugin_info.ini | 1c0a6c2808eb59a5577d5d415dd624a4.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  - 2012 | 1c0a6c2808eb59a5577d5d415dd624a4.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  - Token: SeBackupPrivilege | 2012 | 1c0a6c2808eb59a5577d5d415dd624a4.exe
  - Token: SeRestorePrivilege | 2012 | 1c0a6c2808eb59a5577d5d415dd624a4.exe
  - Token: SeBackupPrivilege | 2520 | svchost.exe
  - Token: SeRestorePrivilege | 2520 | svchost.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  - 2012 | 1c0a6c2808eb59a5577d5d415dd624a4.exe
  - 2012 | 1c0a6c2808eb59a5577d5d415dd624a4.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  - PID 2012 wrote to memory of 2052 | 2012 | 1c0a6c2808eb59a5577d5d415dd624a4.exe | 30
  - PID 2012 wrote to memory of 2052 | 2012 | 1c0a6c2808eb59a5577d5d415dd624a4.exe | 30
  - PID 2012 wrote to memory of 2052 | 2012 | 1c0a6c2808eb59a5577d5d415dd624a4.exe | 30
  - PID 2012 wrote to memory of 2052 | 2012 | 1c0a6c2808eb59a5577d5d415dd624a4.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\1c0a6c2808eb59a5577d5d415dd624a4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c0a6c2808eb59a5577d5d415dd624a4.exe"
  PID: 2012
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 2012)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\1c0a6c2808eb59a5577d5d415dd624a4.exe"
    PID: 2052
    - Deletes itself
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  PID: 2520
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 112KB
  MD5: c85398d0770be56dc4610a155ba34423
  SHA1: 59b9c7694d4bd51ff602d505409fd84ed2c26015
  SHA256: 52a358458f041027d71358d49a1270f5caf8fdfe796ee0dc3cb7c7681c5d43c9
  SHA512: 354530501132a74567b270f77ad2751ff61d9663c004ceff26ffbb72bafd5ba879d20618e75494802e11d38435ae238af3ca243145de07a26796277df34bba21