Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 17:19
Static task: static1
Behavioral task: behavioral1
  Sample: a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe
  Resource: win10v2004-20240426-en
General
Target: a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe
Size: 1.2MB
MD5: 95cedef4b8492769934502aa8347d4f8
SHA1: ed871d8bac626be91f9bab49745e6be458b9b2f7
SHA256: a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e
SHA512: c5040b8f24fb12ca1e52a0ec4255857e455db4dff6c212ae470846c13abe33c6472515466e7f051567d487916aabe30f3188d6632aa4f380f47a4e8cf76a88c5
SSDEEP: 24576:TEdksIGN71VVbzYEL+5dNmZG8RRl9T7tmMKTM6I9B7:TEywVVvUji3TsMKTM6Y7
Malware Config
Signatures
Gh0st RAT payload (1 IoC)
  resource: \Windows\SysWOW64\259394718.bat
  yara_rule: family_gh0strat
Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchist\Parameters\ServiceDll = "C:\\Windows\\system32\\259394718.bat"  (process: GLk.exe)
Executes dropped EXE (2 IoCs)
  PID 2376  GLk.exe
  PID 2160  svchist.exe
Loads dropped DLL (5 IoCs)
  PID 2316  a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe
  PID 2376  GLk.exe
  PID 2384  svchost.exe
  PID 2384  svchost.exe
  PID 2160  svchist.exe
Drops file in System32 directory (4 IoCs)
  File created                  C:\Windows\SysWOW64\259394718.bat  (process: GLk.exe)
  File opened for modification  C:\Windows\SysWOW64\ini.ini  (process: GLk.exe)
  File created                  C:\Windows\SysWOW64\svchist.exe  (process: svchost.exe)
  File opened for modification  C:\Windows\SysWOW64\svchist.exe  (process: svchost.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2316  a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe
  PID 2316  a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2316 (a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe) wrote to memory of PID 2376 (GLk.exe), 4 events
  PID 2384 (svchost.exe) wrote to memory of PID 2160 (svchist.exe), 4 events
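The persistence shown in the signatures above is a classic svchost-hosted service: GLk.exe registers a service named svchist whose Parameters\ServiceDll is "C:\Windows\system32\259394718.bat" (a DLL with a .bat extension and a numeric file name), and svchost.exe is then started with -k "svchist". Because GLk.exe and the svchost.exe instances here are 32-bit processes, the system32 path in the registry value resolves through WOW64 file-system redirection to the SysWOW64 copy the report records. The script below is an added example written for this page, not part of the sandbox report or of the malware. It encodes the checks an analyst would run against HKLM\SYSTEM\CurrentControlSet\Services and the svchost group table under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, but reads those values from constructed in-memory records so it runs offline: the svchist record reuses the ServiceDll value and the svchost command line from this report, while the Dnscache record and the svchost group table are assumptions added for contrast, not taken from the report.

```python
"""Audit svchost-hosted services for a suspicious Parameters\\ServiceDll.

Added example for this sandbox report, not part of the report itself. The
registry values a hunting script would normally read live (ImagePath,
Parameters\\ServiceDll and the Svchost group table) are modelled here as
constructed Python records so the checks can be run anywhere.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories a legitimate ServiceDll is expected to live in (lower-case,
# %SystemRoot% already expanded). SysWOW64 is included because a 32-bit
# svchost resolves "system32" there through WOW64 redirection.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class Service:
    name: str                   # HKLM\SYSTEM\CurrentControlSet\Services\<name>
    image_path: str             # ...\<name>\ImagePath
    service_dll: Optional[str]  # ...\<name>\Parameters\ServiceDll, None if absent


def expand_root(path: str) -> str:
    """Expand %SystemRoot%; assumes the usual C:\\Windows install (assumption)."""
    return re.sub(r"%systemroot%", lambda _m: "C:\\Windows", path, flags=re.IGNORECASE)


def svchost_group(image_path: str) -> Optional[str]:
    """Return the service group passed to svchost via -k, or None if there is none."""
    m = re.search(r'-k\s+"?([^"\s]+)"?', image_path, re.IGNORECASE)
    return m.group(1) if m else None


def is_svchost(image_path: str) -> bool:
    """True if the ImagePath executable is svchost.exe (ignoring the -k arguments)."""
    exe = re.split(r"\s+-k\s", image_path, flags=re.IGNORECASE)[0].strip().strip('"')
    return ntpath.basename(expand_root(exe)).lower() == "svchost.exe"


def audit(svc: Service, groups: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings for one service; an empty list means nothing unusual."""
    if not is_svchost(svc.image_path):
        return []  # only svchost-hosted services carry a meaningful ServiceDll
    findings: List[str] = []
    norm_groups = {g.lower(): {s.lower() for s in members} for g, members in groups.items()}
    group = svchost_group(svc.image_path)
    if group is None:
        findings.append("svchost.exe launched without a -k group")
    elif group.lower() not in norm_groups:
        findings.append(f"svchost group {group!r} is not registered under the Svchost key")
    elif svc.name.lower() not in norm_groups[group.lower()]:
        findings.append(f"service {svc.name!r} is not listed as a member of group {group!r}")
    if svc.service_dll is None:
        findings.append("hosted by svchost.exe but has no Parameters\\ServiceDll")
        return findings
    dll = expand_root(svc.service_dll).lower()
    directory, filename = ntpath.split(dll)
    stem, ext = ntpath.splitext(filename)
    if ext != ".dll":
        findings.append(f"ServiceDll has extension {ext!r}, not .dll: {svc.service_dll}")
    if directory not in SYSTEM_DIRS:
        findings.append(f"ServiceDll outside System32/SysWOW64: {svc.service_dll}")
    if stem.isdigit():
        findings.append(f"ServiceDll file name is numeric only: {filename}")
    return findings


# Constructed records. svchist reuses the ServiceDll value and the svchost
# command line from the report; Dnscache is an assumed benign Windows 7 service.
SERVICES = [
    Service("svchist", r'C:\Windows\SysWOW64\svchost.exe -k "svchist"',
            r"C:\Windows\system32\259394718.bat"),
    Service("Dnscache", r"%SystemRoot%\system32\svchost.exe -k NetworkService",
            r"%SystemRoot%\System32\dnsrslvr.dll"),
]
# Constructed (assumed) subset of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
SVCHOST_GROUPS = {"NetworkService": ["Dnscache", "NlaSvc", "LanmanWorkstation"]}


def run(services: List[Service] = SERVICES,
        groups: Dict[str, List[str]] = SVCHOST_GROUPS) -> Dict[str, List[str]]:
    """Audit every service and return {service name: findings}."""
    return {s.name: audit(s, groups) for s in services}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, "->", findings or ["clean"])
```

On a live host the records would come from the Services key and the Svchost key (for example via Get-ItemProperty in PowerShell), with the resulting list reviewed alongside the process tree: in this report the DLL goes on to spawn svchist.exe with a rundll32-style "dll,MainThread" command line, which the registry checks alone do not see.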
Processes
C:\Users\Admin\AppData\Local\Temp\a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2316
  C:\Users\Admin\AppData\Local\Temp\GLk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\GLk.exe
    - Sets DLL path for service in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 2376
C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "svchist"
  PID: 2968
C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "svchist"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2384
  C:\Windows\SysWOW64\svchist.exe
    Command line: C:\Windows\system32\svchist.exe "c:\windows\system32\259394718.bat",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2160
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
  Filesize: 1.2MB
  MD5: 95cedef4b8492769934502aa8347d4f8
  SHA1: ed871d8bac626be91f9bab49745e6be458b9b2f7
  SHA256: a3cace651438d9a28198010f4a4352e65b9301d5106c7087a48eb329dfe9552e
  SHA512: c5040b8f24fb12ca1e52a0ec4255857e455db4dff6c212ae470846c13abe33c6472515466e7f051567d487916aabe30f3188d6632aa4f380f47a4e8cf76a88c5
\Users\Admin\AppData\Local\Temp\GLk.exe
  Filesize: 337KB
  MD5: b8e58a96761799f4ad0548dba39d650c
  SHA1: c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f
  SHA256: 334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df
  SHA512: 1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3
\Windows\SysWOW64\259394718.bat
  Filesize: 51KB
  MD5: 95dc3f17fb66a45e504e8db1d69cf99c
  SHA1: 5a450b29134937b6fb45a59c5481b4c9b82e0950
  SHA256: 477a382a28ab1b53d6132bb75afafc9879ef24d8ca7aa5672a193dd435b84d83
  SHA512: 2eba18e4c73420c3325c854e24fa5e5fec151babc9c5ad288454c73adc3f5aebfaa5e7867af8b6e03473aa08335a4f4803cf3d51f64d7f7884f0baac1fef3346
\Windows\SysWOW64\svchist.exe
  Filesize: 43KB
  MD5: 51138beea3e2c21ec44d0932c71762a8
  SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
  SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
  SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d