Analysis
- max time kernel: 175s
- max time network: 177s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2023, 04:24
Static task: static1
Behavioral task: behavioral1
- Sample: 53e902d89b285f81cef5e2e9a2782cd7.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 53e902d89b285f81cef5e2e9a2782cd7.exe
- Resource: win10v2004-20231215-en
General
- Target: 53e902d89b285f81cef5e2e9a2782cd7.exe
- Size: 336KB
- MD5: 53e902d89b285f81cef5e2e9a2782cd7
- SHA1: 369080a95b2dbe23f935febec7b5eda02247de09
- SHA256: 0e0cf649a9677b86d41b380e00e7b5a3fc86733cdd2d27baf32c29081011a7b5
- SHA512: 03321a6e9e2d43a79123c6758d0daf5712fe981db86f61c18cd4f82d65f78648e4a855c13bde17b109e69c7d89c939ed0c8c1fddba6e170bbec57676006ff901
- SSDEEP: 6144:YC3Dee6eDksOFilfPuE857FpY4lpeUaKcOwMrSv2dpCrnG+mxUYUnvI/:4CDksoilfPzI7fY4XeEjrSv2EG3/kva
Malware Config
Signatures

Gh0st RAT payload (3 IoCs)
resource | yara_rule
- behavioral1/files/0x0009000000012270-6.dat | family_gh0strat
- behavioral1/files/0x0009000000012270-11.dat | family_gh0strat
- behavioral1/files/0x0009000000012270-10.dat | family_gh0strat

Blocklisted process makes network request (6 IoCs)
flow | pid | Process
- 4 | 2908 | rundll32.exe
- 5 | 2908 | rundll32.exe
- 6 | 2908 | rundll32.exe
- 7 | 2908 | rundll32.exe
- 8 | 2908 | rundll32.exe
- 9 | 2908 | rundll32.exe

Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Net Logon Framework\Parameters\ServiceDll = "C:\\Windows\\system32\\mtf76ab0em.dll" | 53e902d89b285f81cef5e2e9a2782cd7.exe

Deletes itself (1 IoCs)
pid | Process
- 2764 | cmd.exe

Loads dropped DLL (6 IoCs)
pid | Process
- 2408 | 53e902d89b285f81cef5e2e9a2782cd7.exe
- 2880 | svchost.exe
- 2908 | rundll32.exe
- 2908 | rundll32.exe
- 2908 | rundll32.exe
- 2908 | rundll32.exe

Drops file in System32 directory (4 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\mtf76ab0em.dll | 53e902d89b285f81cef5e2e9a2782cd7.exe
- File created | C:\Windows\SysWOW64\mtf76ab0em.dll | 53e902d89b285f81cef5e2e9a2782cd7.exe
- File opened for modification | C:\Windows\SysWOW64\RCXAD5F.tmp | 53e902d89b285f81cef5e2e9a2782cd7.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
Modifies data under HKEY_USERS (28 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-c8-60-1a-85-69 | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | rundll32.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}\WpadNetworkName = "Network 3" | rundll32.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-c8-60-1a-85-69\WpadDecisionTime = c0295f779938da01 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}\WpadDecisionTime = c0295f779938da01 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}\WpadDecision = "0" | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}\ba-c8-60-1a-85-69 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-c8-60-1a-85-69\WpadDecisionTime = a021e6279938da01 | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}\WpadDecisionReason = "1" | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-c8-60-1a-85-69\WpadDecisionReason = "1" | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-c8-60-1a-85-69\WpadDecision = "0" | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | rundll32.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-c8-60-1a-85-69\WpadDetectedUrl | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B} | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABD93BD3-8780-4E1E-AF5D-06D39D93188B}\WpadDecisionTime = a021e6279938da01 | rundll32.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | rundll32.exe
Suspicious behavior: EnumeratesProcesses (43 IoCs)
pid | Process
- 2408 | 53e902d89b285f81cef5e2e9a2782cd7.exe
- 2908 | rundll32.exe (this entry is repeated 42 times in the report)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 2880 | svchost.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
- 2408 | 53e902d89b285f81cef5e2e9a2782cd7.exe
- 2408 | 53e902d89b285f81cef5e2e9a2782cd7.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
- PID 2408 wrote to memory of 2764 | 2408 | 53e902d89b285f81cef5e2e9a2782cd7.exe | 30 (repeated 4 times)
- PID 2880 wrote to memory of 2908 | 2880 | svchost.exe | 32 (repeated 7 times)
Processes

- C:\Users\Admin\AppData\Local\Temp\53e902d89b285f81cef5e2e9a2782cd7.exe (depth 1, PID 2408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\53e902d89b285f81cef5e2e9a2782cd7.exe"
  Signatures:
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2764)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\53e902d89b285f81cef5e2e9a2782cd7.exe"
    Signatures:
    - Deletes itself

- C:\Windows\SysWOW64\svchost.exe (depth 1, PID 2880)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Net Logon Framework"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\rundll32.exe (depth 2, PID 2908)
    Command line: rundll32.exe c:\windows\system32\mtf76ab0em.dll, wince
    Signatures:
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 37KB
  MD5: df4ddce8bb885ad35fabdd394139e92a
  SHA1: 528e659a788eb4808f7d8668d3c169343ccc8dc0
  SHA256: 52a5f2f95ea9ec37d7f3edba25f7fb14a9efa4f71922ef74a3445a8e423ab8c1
  SHA512: 90d3490d545c1f78de1aece3b5466530d57c6854d41956fe3ef237e5044e2545eb4ff3649f6ec08e5b3c608008994c61d614391a2f51e7bb89941baccddd15a8

- Filesize: 19KB
  MD5: b97ea6e0c952cdfeacb2a5bc1ca94601
  SHA1: f4f7f2fe986a1d99d12e495db5049b841d23a8a1
  SHA256: 9ece5b692941ea765ed1261a948ad0b87587a4135114de922464b45cb988ec9f
  SHA512: 5c2365b88a7f0335bdeea6f901a7975f93a04df1f03e44fd661da90f5fab3a5e401a7b81255cdd5b7e2ccc9f36fb759edcc8f11f39812b981632c5ff1d20882e

- Filesize: 237KB
  MD5: 9f16b5334ca188ee93fae45197813288
  SHA1: 8c573d3ed4f46e10599a90e50d928b795d02a35e
  SHA256: dbce55a6313d67fa564fc2c758085ec1c2158f18860a561b586bec0b1972702a
  SHA512: e5426db3355b2a05a71158569adf9c04ed8111f18d7cd4b3ef87944294ad4242d183a4faef304a7996d3251846ee1d13115ccc0f370e42354b4142f276bdccff