098ac3e6c47da12ac756e082e6bb8140bce495f8e8383c9e5ac90e777301485f

General

Target

Ghost_Chair.exe
Size

902KB
MD5

be281884ffdbd2de2c56b96d02c16d15
SHA1

8a28794e32a143959fdfd5620b92face0499f632
SHA256

098ac3e6c47da12ac756e082e6bb8140bce495f8e8383c9e5ac90e777301485f
SHA512

fc95e7b5b6664a08a009b1dea82b18f1ce82c7aafb5719edb128d3f5e2441f58eeb67d77f50d4a57ae209339fce816714a39e79d6a2cee18bf501e3193453269
SSDEEP

12288:wm/rWPJbiF+hz5ptMhh5BOjxRwD+DdAs4eWD+PZE9O2bJIC0fDNN:JrWPhiFmzvO1OjTouRBM+O93l0fZ

Score

8^/10

evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

436 sc.exe
3848 sc.exe
3948 sc.exe
4276 sc.exe

pid	process
436	sc.exe
3848	sc.exe
3948	sc.exe
4276	sc.exe

Kills process with taskkill 16 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1820	taskkill.exe
3056	taskkill.exe
1428	taskkill.exe
1824	taskkill.exe
2296	taskkill.exe
1592	taskkill.exe
3976	taskkill.exe
5056	taskkill.exe
3120	taskkill.exe
1604	taskkill.exe
1948	taskkill.exe
2956	taskkill.exe
1448	taskkill.exe
5036	taskkill.exe
4540	taskkill.exe
4472	taskkill.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	3120	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ghost_Chair.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4000 wrote to memory of 2992	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2992	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 3472	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 3472	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 3736	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 3736	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2960	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2960	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 4972	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 4972	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 4152	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 4152	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 4008	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 4008	4000	Ghost_Chair.exe	cmd.exe
PID 3736 wrote to memory of 3056	3736	cmd.exe	taskkill.exe
PID 3736 wrote to memory of 3056	3736	cmd.exe	taskkill.exe
PID 4008 wrote to memory of 4592	4008	cmd.exe	certutil.exe
PID 4008 wrote to memory of 4592	4008	cmd.exe	certutil.exe
PID 3472 wrote to memory of 1604	3472	cmd.exe	taskkill.exe
PID 3472 wrote to memory of 1604	3472	cmd.exe	taskkill.exe
PID 2960 wrote to memory of 436	2960	cmd.exe	sc.exe
PID 2960 wrote to memory of 436	2960	cmd.exe	sc.exe
PID 2992 wrote to memory of 1592	2992	cmd.exe	taskkill.exe
PID 2992 wrote to memory of 1592	2992	cmd.exe	taskkill.exe
PID 4972 wrote to memory of 1448	4972	cmd.exe	taskkill.exe
PID 4972 wrote to memory of 1448	4972	cmd.exe	taskkill.exe
PID 4000 wrote to memory of 1660	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 1660	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2312	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2312	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 4636	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 4636	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2436	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2436	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2068	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2068	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 3448	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 3448	4000	Ghost_Chair.exe	cmd.exe
PID 4636 wrote to memory of 3976	4636	cmd.exe	taskkill.exe
PID 4636 wrote to memory of 3976	4636	cmd.exe	taskkill.exe
PID 1660 wrote to memory of 5056	1660	cmd.exe	taskkill.exe
PID 1660 wrote to memory of 5056	1660	cmd.exe	taskkill.exe
PID 2312 wrote to memory of 5036	2312	cmd.exe	taskkill.exe
PID 2312 wrote to memory of 5036	2312	cmd.exe	taskkill.exe
PID 2068 wrote to memory of 1428	2068	cmd.exe	taskkill.exe
PID 2068 wrote to memory of 1428	2068	cmd.exe	taskkill.exe
PID 2436 wrote to memory of 3848	2436	cmd.exe	sc.exe
PID 2436 wrote to memory of 3848	2436	cmd.exe	sc.exe
PID 4000 wrote to memory of 2372	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2372	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 1584	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 1584	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 3492	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 3492	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2800	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2800	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 612	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 612	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2928	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 2928	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 5060	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 5060	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 3924	4000	Ghost_Chair.exe	cmd.exe
PID 4000 wrote to memory of 3924	4000	Ghost_Chair.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Ghost_Chair.exe
"C:\Users\Admin\AppData\Local\Temp\Ghost_Chair.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:436

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Ghost_Chair.exe" MD5
2⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Ghost_Chair.exe" MD5
3⤵
PID:4592

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3848

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:3448

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:2372

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:1584

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:3492

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2800

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3948

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:612

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
2⤵
PID:2928

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:5060

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
2⤵
PID:3924

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1468

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4104

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4276

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
2⤵
PID:4932

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1948