Analysis

Max time kernel:  122s
Max time network: 127s
Platform:         windows7_x64
Resource:         win7-20231215-en
Resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted:        26-12-2023 12:00

Static task:      static1

Behavioral task:  behavioral1
  Sample:         6ccd76cae0f6b7c290c5a3c40a69c1d1.exe
  Resource:       win7-20231215-en

Behavioral task:  behavioral2
  Sample:         6ccd76cae0f6b7c290c5a3c40a69c1d1.exe
  Resource:       win10v2004-20231215-en
General

Target:  6ccd76cae0f6b7c290c5a3c40a69c1d1.exe
Size:    2.2MB
MD5:     6ccd76cae0f6b7c290c5a3c40a69c1d1
SHA1:    8a6b2da9dc43ab47189a9794c029d09443d263c4
SHA256:  0a4a6fb97eed17dbfea4e4c09374ae21dec4c0d3ca8c6df67bb5a9fa01b503d0
SHA512:  71345f635471acc72aa7f12f4bae4f42fb2efee0545cb0f5421eb45eafb8dbe91734bc1400a923caf7514eb260ba72fdeb4261bf7c4195a9d6bb2ed6212b8470
SSDEEP:  49152:QH67hc//////RT+auKvoGnPQsy+W78TsYdHra88zvURwp2BKsnu:QH67hc//////RYsyT8TzHrV7Ksnu
Malware Config
Signatures

Gh0st RAT payload  (1 IoC)
  resource                                     yara_rule
  behavioral1/files/0x000c00000001415e-5.dat   family_gh0strat

ASPack packed file  (1 IoC)
  resource                                     yara_rule
  behavioral1/files/0x0008000000012263-6.dat   aspack_v212_v242

Executes dropped EXE  (3 IoCs)
  pid    Process
  1956   server.exe
  2692   TxwuServer.exe
  2836   svchost.exe

Loads dropped DLL  (5 IoCs)
  pid    Process
  2056   cmd.exe
  2368   cmd.exe
  2056   cmd.exe
  1956   server.exe
  1956   server.exe

Adds Run key to start application  (2 TTPs, 1 IoC)
  description       ioc                                                                                                                                        Process
  Set value (str)   \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\V2011 = "C:\\WINDOWS\\V2011.exe"   svchost.exe

Drops file in Windows directory  (2 IoCs)
  description                   ioc                    Process
  File created                  C:\WINDOWS\V2011.exe   svchost.exe
  File opened for modification  C:\WINDOWS\V2011.exe   svchost.exe

Suspicious behavior: EnumeratesProcesses  (8 IoCs)
  pid    Process
  1956   server.exe
  2836   svchost.exe  (x6)
  2692   TxwuServer.exe

Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
  pid    Process
  2836   svchost.exe

Suspicious use of AdjustPrivilegeToken  (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   2836   svchost.exe

Suspicious use of FindShellTrayWindow  (2 IoCs)
  pid    Process
  2692   TxwuServer.exe  (x2)

Suspicious use of SendNotifyMessage  (2 IoCs)
  pid    Process
  2692   TxwuServer.exe  (x2)

Suspicious use of WriteProcessMemory  (24 IoCs; each parent/child pair is recorded four times)
  description                               pid    Process                                procid_target
  PID 2172 wrote to memory of 2368  (x4)    2172   6ccd76cae0f6b7c290c5a3c40a69c1d1.exe   28
  PID 2172 wrote to memory of 2056  (x4)    2172   6ccd76cae0f6b7c290c5a3c40a69c1d1.exe   29
  PID 2368 wrote to memory of 2692  (x4)    2368   cmd.exe                                33
  PID 2056 wrote to memory of 1956  (x4)    2056   cmd.exe                                32
  PID 1956 wrote to memory of 2836  (x4)    1956   server.exe                             34
  PID 1956 wrote to memory of 2864  (x4)    1956   server.exe                             37
Processes

C:\Users\Admin\AppData\Local\Temp\6ccd76cae0f6b7c290c5a3c40a69c1d1.exe  (depth 1, PID 2172)
  command line: "C:\Users\Admin\AppData\Local\Temp\6ccd76cae0f6b7c290c5a3c40a69c1d1.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 2368)
    command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\TxwuServer.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\TxwuServer.exe  (depth 3, PID 2692)
      command line: C:\Users\Admin\AppData\Local\Temp\TxwuServer.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 2056)
    command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\server.exe  (depth 3, PID 1956)
      command line: C:\Users\Admin\AppData\Local\Temp\server.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe  (depth 4, PID 2836)
        command line: C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe  (depth 4, PID 2864)
        command line: cmd /c afc9fe2f418b00a0.bat
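The behaviour in the process tree and signatures above translates directly into hunting logic: a svchost.exe started from a user-writable Temp folder instead of System32/SysWOW64, an executable written straight into the Windows root, and a Run key whose data points at that executable. The block below is an added example, not part of the sandbox report or of any tooling it names. It runs those rules over constructed Sysmon-style events built from the report's own IoCs; the field names follow Sysmon's ProcessCreate (EID 1), FileCreate (EID 11) and RegistryEvent SetValue (EID 13) schemas, and the two benign controls (PID 904 System32 svchost.exe, PID 5000 "updater.exe") are invented here to show the rules do not fire on legitimate look-alikes.

```python
"""Hunting rules for the persistence/masquerading behaviour in this report,
run over constructed Sysmon-style events. Added example, not sandbox output.
Field mapping: EID 1 Image/CommandLine -> "image"/"command_line";
EID 11 TargetFilename -> "target"; EID 13 TargetObject/Details -> "target"/"details"."""
import ntpath
import re

# Directories a genuine svchost.exe / cmd.exe lives in (lower-cased, no trailing slash)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# An executable placed directly in the Windows root, e.g. C:\WINDOWS\V2011.exe
WINDOWS_ROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
# An executable under %LOCALAPPDATA%\Temp referenced on a command line
TEMP_EXE_RE = re.compile(r"\\appdata\\local\\temp\\[^\"]+\.exe", re.I)


def in_system_dir(image: str) -> bool:
    """True when the image's directory is System32 or SysWOW64."""
    return ntpath.dirname(image).lower().rstrip("\\") in SYSTEM_DIRS


def rule_masquerading_svchost(ev: dict) -> bool:
    """svchost.exe started from anywhere but the system directories."""
    return (ev["event_id"] == 1
            and ntpath.basename(ev["image"]).lower() == "svchost.exe"
            and not in_system_dir(ev["image"]))


def rule_cmd_launches_temp_exe(ev: dict) -> bool:
    """cmd.exe used as a launcher for an executable under %TEMP%."""
    return (ev["event_id"] == 1
            and ntpath.basename(ev["image"]).lower() == "cmd.exe"
            and TEMP_EXE_RE.search(ev.get("command_line", "")) is not None)


def rule_exe_dropped_in_windows_root(ev: dict) -> bool:
    """File created directly under C:\\Windows by a process outside the system dirs."""
    return (ev["event_id"] == 11
            and WINDOWS_ROOT_EXE_RE.match(ev["target"]) is not None
            and not in_system_dir(ev["image"]))


def rule_run_key_points_to_windows_root(ev: dict) -> bool:
    """Run-key value whose data is an executable sitting directly in C:\\Windows."""
    return (ev["event_id"] == 13
            and RUN_KEY_RE.search(ev["target"]) is not None
            and WINDOWS_ROOT_EXE_RE.match(ev["details"].strip('"')) is not None)


RULES = {
    "masquerading_svchost": rule_masquerading_svchost,
    "cmd_launches_temp_exe": rule_cmd_launches_temp_exe,
    "exe_dropped_in_windows_root": rule_exe_dropped_in_windows_root,
    "run_key_points_to_windows_root": rule_run_key_points_to_windows_root,
}


def hunt(events):
    """Return (rule_name, pid) for every event/rule match, in event order."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]


def score_by_pid(findings):
    """Distinct rules hit per PID; the process tripping several is the one to triage first."""
    hits = {}
    for name, pid in findings:
        hits.setdefault(pid, set()).add(name)
    return {pid: len(names) for pid, names in hits.items()}


# Constructed events mirroring the report's process tree and IoCs, plus two benign
# look-alikes (PIDs 904 and 5000, invented here) that the rules must not flag.
SID = r"S-1-5-21-452311807-3713411997-1028535425-1000"
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 2368, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\TxwuServer.exe"'},
    {"event_id": 1, "pid": 2056, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\server.exe"'},
    {"event_id": 1, "pid": 2836, "image": r"C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe",
     "command_line": r"C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe"},
    {"event_id": 1, "pid": 904, "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"event_id": 11, "pid": 2836, "image": r"C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe",
     "target": r"C:\WINDOWS\V2011.exe"},
    {"event_id": 13, "pid": 2836, "image": r"C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe",
     "target": "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\V2011",
     "details": r"C:\WINDOWS\V2011.exe"},
    {"event_id": 13, "pid": 5000, "image": r"C:\Program Files\Vendor\updater.exe",
     "target": "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    findings = hunt(SAMPLE_EVENTS)
    for name, pid in findings:
        print(f"{pid:>5}  {name}")
    print("rules hit per pid:", score_by_pid(findings))
```

On the constructed events PID 2836 trips three of the four rules (masquerading svchost, file drop in the Windows root, Run key pointing at it), the two cmd.exe launchers trip one each, and neither benign control fires. The per-PID score is what makes this useful on real telemetry: any one rule alone is noisy, but the same process hitting all three is the Gh0st RAT stager pattern shown in this report.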
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize:  2KB
  MD5:       410e2424a78b78473ed6f786478d690e
  SHA1:      e00fc8e126b42949b6d9e4b99c726ca86fb4c241
  SHA256:    42915e2d18ac3d175b0ba851a217687aa0367d6ce554add594948f52c812e559
  SHA512:    4ca4682ee41fc6aec747b5cbae1d9933ca5212660ed0ea81d6f38802d115659c9144b824d6a57b4a546b0fc7357d7332b77dcae6bd4343d8daa0ec6042e051ac

File 2
  Filesize:  204KB
  MD5:       5ed196a15ef903165be41283952a761b
  SHA1:      abd88d94efaf73f1ffc4a8d9c103730e2902d141
  SHA256:    496e2fef694fa32aa4c8b46ddaada5eb39c3375d499146e8c2badcc69f02521b
  SHA512:    eae6552687ae048aedce16459304050c4e3d6dd9d48d941372914b1d4f77df41f8a295ae43312dab1e18697bdb5bf82ea02a6be8679190dc0d168be8924fe9f1

File 3
  Filesize:  1.6MB
  MD5:       6e488fd70b4358d0c841e0412882db61
  SHA1:      6047de212f92a1de7d0b94a8025065f5263ae74e
  SHA256:    22f561dd05c53abc3c09e99d5f06a50487c531a7c9d5d9c2ff6a0891a1aca8c9
  SHA512:    7b2a3fae3df00019d3939c840b12f1aa4b7b9808f8c76afbbef3c47e60b15182e05be9b899aa2dee98eb26a6b8801ee59b12e2dedd515f663a3be36ef29c5ca7