Analysis
max time kernel: 151s
max time network: 132s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 05:54
Behavioral task: behavioral1
Sample: 107890e6e27ae341ee36d8ec579093af.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 107890e6e27ae341ee36d8ec579093af.exe
Resource: win10v2004-20231215-en
General
Target: 107890e6e27ae341ee36d8ec579093af.exe
Size: 496KB
MD5: 107890e6e27ae341ee36d8ec579093af
SHA1: 246e40b90a30be736730c32ec27962454d8aad19
SHA256: 659d646e41969c9875112e1454f2215989418e0586ccb19c7a7798b28b97a0e3
SHA512: 8dbe5a6e477df35e1101aa218e2665dbc1f985c139063bdae0e6fe2f27ba5b4a9c688c349c7fde382a29abf0b76bd342a0fc51f4204541a0de576accbeac1b77
SSDEEP: 12288:g08PKZVQQxfnr+TK7r79/J0NWNf37JcAayM5ahHjX:b8AVQQxfnr+TK7r79/J0ofrJEyM5ahDX
Malware Config
(none extracted)

Signatures

Gh0st RAT payload (1 IoC)
  resource | yara_rule
  behavioral1/files/0x000b0000000152bc-4.dat | family_gh0strat

Executes dropped EXE (1 IoC)
  pid | Process
  2292 | (null)0.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "C:\\Users\\Admin\\AppData\\Local\\Temp\\107890e6e27ae341ee36d8ec579093af.exe" | 107890e6e27ae341ee36d8ec579093af.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | \??\c:\Windows\BJ.exe | 107890e6e27ae341ee36d8ec579093af.exe
  File opened for modification | \??\c:\Windows\BJ.exe | 107890e6e27ae341ee36d8ec579093af.exe
  File created | \??\c:\Windows\(null)0.exe | 107890e6e27ae341ee36d8ec579093af.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2504 wrote to memory of 2292 | 2504 | 107890e6e27ae341ee36d8ec579093af.exe | 28
  PID 2504 wrote to memory of 2292 | 2504 | 107890e6e27ae341ee36d8ec579093af.exe | 28
  PID 2504 wrote to memory of 2292 | 2504 | 107890e6e27ae341ee36d8ec579093af.exe | 28
  PID 2504 wrote to memory of 2292 | 2504 | 107890e6e27ae341ee36d8ec579093af.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\107890e6e27ae341ee36d8ec579093af.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\107890e6e27ae341ee36d8ec579093af.exe"
   PID: 2504
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. \??\c:\Windows\(null)0.exe (child of PID 2504)
      Command line: c:\Windows\(null)0.exe
      PID: 2292
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 496KB
MD5: 107890e6e27ae341ee36d8ec579093af
SHA1: 246e40b90a30be736730c32ec27962454d8aad19
SHA256: 659d646e41969c9875112e1454f2215989418e0586ccb19c7a7798b28b97a0e3
SHA512: 8dbe5a6e477df35e1101aa218e2665dbc1f985c139063bdae0e6fe2f27ba5b4a9c688c349c7fde382a29abf0b76bd342a0fc51f4204541a0de576accbeac1b77