Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 16:00
Behavioral task: behavioral1
Sample: 74eb136b0b32c45c7bcd7f1d150bdc47.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 74eb136b0b32c45c7bcd7f1d150bdc47.exe
Resource: win10v2004-20231222-en
General
Target: 74eb136b0b32c45c7bcd7f1d150bdc47.exe
Size: 822KB
MD5: 74eb136b0b32c45c7bcd7f1d150bdc47
SHA1: 9e512498aed66cbd7453f45b112ba9bfa4edb5e9
SHA256: 5bfb34d8140f17cc8738b72f2d7c6679e4c373431a48c35b958d40da8689a5e1
SHA512: 24e22d65073b2d4969f3e5f19eee576755f478dfc3d9c84491d8271785309cc0c9bbec38e09a58170d2272c5c11ef618dd7e26547842c3bf7a516e5399e4f332
SSDEEP: 12288:iM5jZKbBL3aKHx5r+TuxX+fWbwFBfdGmZg:iM5j8Z3aKHx5r+TuxX+IwffFZg
Malware Config
Signatures

Gh0st RAT payload (1 IoC)
Processes:
  resource: C:\Windows\svchest432048043204801465662051.exe  yara_rule: family_gh0strat

Executes dropped EXE (1 IoC)
Processes:
  pid: 4492  process: svchest432048043204801465662051.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Kris = "c:\\Windows\\notepab.exe"  process: 74eb136b0b32c45c7bcd7f1d150bdc47.exe

Drops file in Windows directory (5 IoCs)
Processes:
  description: File created  ioc: \??\c:\Windows\notepab.exe  process: 74eb136b0b32c45c7bcd7f1d150bdc47.exe
  description: File created  ioc: \??\c:\Windows\BJ.exe  process: 74eb136b0b32c45c7bcd7f1d150bdc47.exe
  description: File opened for modification  ioc: \??\c:\Windows\BJ.exe  process: 74eb136b0b32c45c7bcd7f1d150bdc47.exe
  description: File created  ioc: \??\c:\Windows\svchest432048043204801465662051.exe  process: 74eb136b0b32c45c7bcd7f1d150bdc47.exe
  description: File opened for modification  ioc: \??\c:\Windows\svchest432048043204801465662051.exe  process: 74eb136b0b32c45c7bcd7f1d150bdc47.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description: PID 2008 wrote to memory of 4492  pid: 2008  process: 74eb136b0b32c45c7bcd7f1d150bdc47.exe  target process: svchest432048043204801465662051.exe
  description: PID 2008 wrote to memory of 4492  pid: 2008  process: 74eb136b0b32c45c7bcd7f1d150bdc47.exe  target process: svchest432048043204801465662051.exe
  description: PID 2008 wrote to memory of 4492  pid: 2008  process: 74eb136b0b32c45c7bcd7f1d150bdc47.exe  target process: svchest432048043204801465662051.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\74eb136b0b32c45c7bcd7f1d150bdc47.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\74eb136b0b32c45c7bcd7f1d150bdc47.exe"
   PID: 2008
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. \??\c:\Windows\svchest432048043204801465662051.exe
      command line: c:\Windows\svchest432048043204801465662051.exe
      PID: 4492
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Windows\svchest432048043204801465662051.exe
Filesize: 822KB
MD5: 74eb136b0b32c45c7bcd7f1d150bdc47
SHA1: 9e512498aed66cbd7453f45b112ba9bfa4edb5e9
SHA256: 5bfb34d8140f17cc8738b72f2d7c6679e4c373431a48c35b958d40da8689a5e1
SHA512: 24e22d65073b2d4969f3e5f19eee576755f478dfc3d9c84491d8271785309cc0c9bbec38e09a58170d2272c5c11ef618dd7e26547842c3bf7a516e5399e4f332