Analysis
- max time kernel: 137s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 03:43

Static task
- static1
- 1 signatures

Behavioral task
- behavioral1
- Sample: Ghost_Chair.exe
- Resource: win7-20240220-en
- Platform: windows7-x64
- 5 signatures
- 150 seconds
General
- Target: Ghost_Chair.exe
- Size: 902KB
- MD5: be281884ffdbd2de2c56b96d02c16d15
- SHA1: 8a28794e32a143959fdfd5620b92face0499f632
- SHA256: 098ac3e6c47da12ac756e082e6bb8140bce495f8e8383c9e5ac90e777301485f
- SHA512: fc95e7b5b6664a08a009b1dea82b18f1ce82c7aafb5719edb128d3f5e2441f58eeb67d77f50d4a57ae209339fce816714a39e79d6a2cee18bf501e3193453269
- SSDEEP: 12288:wm/rWPJbiF+hz5ptMhh5BOjxRwD+DdAs4eWD+PZE9O2bJIC0fDNN:JrWPhiFmzvO1OjTouRBM+O93l0fZ
Malware Config
Signatures
- Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes:
  pid   process
  436   sc.exe
  3848  sc.exe
  3948  sc.exe
  4276  sc.exe
- Kills process with taskkill (16 IoCs)
  Processes:
  pid   process
  1820  taskkill.exe
  3056  taskkill.exe
  1428  taskkill.exe
  1824  taskkill.exe
  2296  taskkill.exe
  1592  taskkill.exe
  3976  taskkill.exe
  5056  taskkill.exe
  3120  taskkill.exe
  1604  taskkill.exe
  1948  taskkill.exe
  2956  taskkill.exe
  1448  taskkill.exe
  5036  taskkill.exe
  4540  taskkill.exe
  4472  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  3056  taskkill.exe
  Token: SeDebugPrivilege  1448  taskkill.exe
  Token: SeDebugPrivilege  1604  taskkill.exe
  Token: SeDebugPrivilege  1592  taskkill.exe
  Token: SeDebugPrivilege  3976  taskkill.exe
  Token: SeDebugPrivilege  5056  taskkill.exe
  Token: SeDebugPrivilege  1428  taskkill.exe
  Token: SeDebugPrivilege  5036  taskkill.exe
  Token: SeDebugPrivilege  4540  taskkill.exe
  Token: SeDebugPrivilege  1824  taskkill.exe
  Token: SeDebugPrivilege  4472  taskkill.exe
  Token: SeDebugPrivilege  2956  taskkill.exe
  Token: SeDebugPrivilege  1820  taskkill.exe
  Token: SeDebugPrivilege  1948  taskkill.exe
  Token: SeDebugPrivilege  2296  taskkill.exe
  Token: SeDebugPrivilege  3120  taskkill.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description      pid   process          target pid  target process
  wrote to memory  4000  Ghost_Chair.exe  2992        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2992        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  3472        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  3472        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  3736        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  3736        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2960        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2960        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  4972        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  4972        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  4152        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  4152        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  4008        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  4008        cmd.exe
  wrote to memory  3736  cmd.exe          3056        taskkill.exe
  wrote to memory  3736  cmd.exe          3056        taskkill.exe
  wrote to memory  4008  cmd.exe          4592        certutil.exe
  wrote to memory  4008  cmd.exe          4592        certutil.exe
  wrote to memory  3472  cmd.exe          1604        taskkill.exe
  wrote to memory  3472  cmd.exe          1604        taskkill.exe
  wrote to memory  2960  cmd.exe          436         sc.exe
  wrote to memory  2960  cmd.exe          436         sc.exe
  wrote to memory  2992  cmd.exe          1592        taskkill.exe
  wrote to memory  2992  cmd.exe          1592        taskkill.exe
  wrote to memory  4972  cmd.exe          1448        taskkill.exe
  wrote to memory  4972  cmd.exe          1448        taskkill.exe
  wrote to memory  4000  Ghost_Chair.exe  1660        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  1660        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2312        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2312        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  4636        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  4636        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2436        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2436        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2068        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2068        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  3448        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  3448        cmd.exe
  wrote to memory  4636  cmd.exe          3976        taskkill.exe
  wrote to memory  4636  cmd.exe          3976        taskkill.exe
  wrote to memory  1660  cmd.exe          5056        taskkill.exe
  wrote to memory  1660  cmd.exe          5056        taskkill.exe
  wrote to memory  2312  cmd.exe          5036        taskkill.exe
  wrote to memory  2312  cmd.exe          5036        taskkill.exe
  wrote to memory  2068  cmd.exe          1428        taskkill.exe
  wrote to memory  2068  cmd.exe          1428        taskkill.exe
  wrote to memory  2436  cmd.exe          3848        sc.exe
  wrote to memory  2436  cmd.exe          3848        sc.exe
  wrote to memory  4000  Ghost_Chair.exe  2372        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2372        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  1584        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  1584        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  3492        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  3492        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2800        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2800        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  612         cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  612         cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2928        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  2928        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  5060        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  5060        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  3924        cmd.exe
  wrote to memory  4000  Ghost_Chair.exe  3924        cmd.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Ghost_Chair.exe
      command: "C:\Users\Admin\AppData\Local\Temp\Ghost_Chair.exe"
      signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\sc.exe
          command: sc stop HTTPDebuggerPro
          signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /IM HTTPDebuggerSvc.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  - [2] C:\Windows\system32\cmd.exe
        command: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Ghost_Chair.exe" MD5
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\certutil.exe
          command: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Ghost_Chair.exe" MD5
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\sc.exe
          command: sc stop HTTPDebuggerPro
          signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /IM HTTPDebuggerSvc.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - [3] C:\Windows\system32\sc.exe
          command: sc stop HTTPDebuggerPro
          signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /IM HTTPDebuggerSvc.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - [3] C:\Windows\system32\sc.exe
          command: sc stop HTTPDebuggerPro
          signatures: Launches sc.exe
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    - [3] C:\Windows\system32\taskkill.exe
          command: taskkill /IM HTTPDebuggerSvc.exe /F
          signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
        command: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1