Analysis
- max time kernel: 71s
- max time network: 68s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-01-2024 19:40
Behavioral tasks
- behavioral1: sample 0.zip, resource win7-20231215-en
- behavioral2: sample 0.zip, resource win10v2004-20231222-en
- behavioral3: sample 0.exe, resource win7-20231129-en
General
- Target: 0.exe
- Size: 71KB
- MD5: 2a9d0d06d292a4cbbe4a95da4650ed54
- SHA1: 44c32dfae9ac971c3651adbd82c821971a5400dc
- SHA256: 09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c
- SHA512: ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d
- SSDEEP: 1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e
Malware Config
Signatures
- Gh0st RAT payload (3 IoCs)
  resource | yara_rule
  C:\2388000.dll | family_gh0strat
  \??\c:\windows\filename.jpg | family_gh0strat
  C:\Windows\FileName.jpg | family_gh0strat
- Deletes itself (1 IoC)
  pid | process
  2360 | svchost.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  3056 | 0.exe
  2360 | svchost.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\FileName.jpg | 0.exe
  File created | C:\Windows\FileName.jpg | 0.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  2360 | svchost.exe (64 identical entries)
- Suspicious behavior: LoadsDriver (6 IoCs)
  pid
  4 (5 entries)
  668
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | process
  Token: SeBackupPrivilege | 3056 | 0.exe (4 entries, alternating with SeRestorePrivilege)
  Token: SeRestorePrivilege | 3056 | 0.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
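The two behaviours this report ties together (0.exe writing a file with an image extension into C:\Windows, then svchost.exe -k imgsvc loading a dropped module that YARA tags as a Gh0st RAT payload) can be turned into host detection logic. The block below is an added example written for this page; it is not part of the sandbox report or of the sample. The event records, their field names (event, pid, process, target, image, header, sha256) and the Sysmon-like shape are assumptions, and the MZ header on the constructed FileName.jpg event is an assumption made so that the content/extension mismatch check has something to fire on. Only the file paths, PIDs and SHA256 values are taken from the report.

```python
"""Added example: detection logic for the behaviours listed in this report.
Constructed, Sysmon-like event dicts stand in for real telemetry."""
import ntpath

# SHA256 values of the dropped files exactly as listed under Downloads.
REPORT_SHA256 = {
    "391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25": r"C:\2388000.dll",
    "4436d8f431afce393e4b972abc9114a6fedc0ef4e6094f41599b29b3073b2434": r"C:\Windows\FileName.jpg",
    "22c44b57646d623e30787aabba1359ed048e093a5350cfd05ac8f3439c8bd383": r"\??\c:\windows\filename.jpg",
}

# Extensions that should never hold executable code (assumed list).
NON_CODE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".txt", ".log", ".dat"}
CODE_EXTENSIONS = {".dll", ".exe"}
SERVICE_HOSTS = {"svchost.exe"}
WINDOWS_DIR = "c:\\windows"


def normalize(path):
    """Lower-case a path and strip the NT object-manager prefix so that
    \\??\\c:\\windows\\filename.jpg and C:\\Windows\\FileName.jpg compare equal."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p


def is_pe(header):
    """True when the first bytes of a file carry the DOS 'MZ' stub of a PE."""
    return header[:2] == b"MZ"


def evaluate(events):
    """Return (rule, pid, path) findings for the constructed event stream."""
    findings = []
    for ev in events:
        if ev["event"] == "FileCreate":
            target = normalize(ev["target"])
            ext = ntpath.splitext(target)[1]
            # Rule 1: a PE written under C:\Windows with a non-code extension.
            if (target.startswith(WINDOWS_DIR + "\\") and ext in NON_CODE_EXTENSIONS
                    and is_pe(ev.get("header", b""))):
                findings.append(("pe_disguised_as_image_in_windows_dir", ev["pid"], ev["target"]))
        elif ev["event"] == "ImageLoad":
            image = normalize(ev["image"])
            loader = ntpath.basename(normalize(ev["process"]))
            # Rule 2: a service host process mapping a module whose name is not a DLL/EXE.
            if loader in SERVICE_HOSTS and ntpath.splitext(image)[1] not in CODE_EXTENSIONS:
                findings.append(("service_host_loads_non_dll_module", ev["pid"], ev["image"]))
        # Rule 3: exact-hash match against the report's dropped files.
        sha = ev.get("sha256", "").lower()
        if sha in REPORT_SHA256:
            findings.append(("known_dropped_file_hash", ev["pid"], REPORT_SHA256[sha]))
    return findings


# Constructed events: the first two mirror the report, the last two are benign controls.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "pid": 3056, "process": r"C:\Users\Admin\AppData\Local\Temp\0.exe",
     "target": r"C:\Windows\FileName.jpg", "header": b"MZ\x90\x00",  # MZ header is assumed
     "sha256": "4436d8f431afce393e4b972abc9114a6fedc0ef4e6094f41599b29b3073b2434"},
    {"event": "ImageLoad", "pid": 2360, "process": r"C:\Windows\SysWOW64\svchost.exe",
     "image": r"\??\c:\windows\filename.jpg",
     "sha256": "22c44b57646d623e30787aabba1359ed048e093a5350cfd05ac8f3439c8bd383"},
    {"event": "FileCreate", "pid": 4321, "process": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\Pictures\holiday.jpg", "header": b"\xff\xd8\xff\xe0",
     "sha256": "0" * 64},
    {"event": "ImageLoad", "pid": 900, "process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wkssvc.dll", "sha256": "1" * 64},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(*finding)
```

Rules 1 and 2 are behavioural and survive a rebuild of the sample that changes every hash; rule 3 is the narrow indicator for exactly the files in this report. In practice the extension lists and the set of service-host processes would be tuned to the environment, and the MZ check needs the file header, which Sysmon does not record by itself.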
Network
MITRE ATT&CK Matrix
Downloads
- C:\2388000.dll
  Filesize: 64KB
  MD5: 45dc749351fd65d71da89ca2ed2766cb
  SHA1: e080faf81157b7f867cb56938c5e579c206af9b9
  SHA256: 391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25
  SHA512: 7e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74
- C:\Windows\FileName.jpg
  Filesize: 7.4MB
  MD5: f68c77ca409620e80c721b9dc9ec9311
  SHA1: d4b46e8508f9bf863b53b2e7705179ecd23dd422
  SHA256: 4436d8f431afce393e4b972abc9114a6fedc0ef4e6094f41599b29b3073b2434
  SHA512: afdd14fde2bc75280a0f1a2fb1bfa349613434204674e87e9b8473648b19a1a4ba69e042cdae0e09f6d694a095f99c0bab4021c930dbb067eae9748c9bcf8e03
- \??\c:\NT_Path.jpg
  Filesize: 54B
  MD5: a814064d29c818a1f448b258c51acb59
  SHA1: 316c22423b33bc44c2154dc4281431af684d5670
  SHA256: a703ea3d1fd13559e246dfffd9a8cca6f31198340c51bdd3e8e56ce6287e1e06
  SHA512: 5360ead5e07be1b77cdb90a0e63d1a6721d6c94fac66a0726c423624f40a74ac7ce730dac0446f4338a2a2dae86de3e0598b5a9c33f4549c38fbac09dad9f1de
- \??\c:\windows\filename.jpg
  Filesize: 6.9MB
  MD5: 701e4376d00b6d1267638e55fd2f79b7
  SHA1: 44219261b595be377a28cbf4bf95c4283f61f535
  SHA256: 22c44b57646d623e30787aabba1359ed048e093a5350cfd05ac8f3439c8bd383
  SHA512: 64a04b665820ecd7b40f206134809304e14956a85ba4c1fbd5164cfd16f6d77ea8e04be8d3d7ef8c3f13eec8d3ab45d46828738e7bdd9ec49c32e151e64e1ca0