Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 18:48

Static task: static1

Behavioral task: behavioral1
Sample: 9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
Resource: win10v2004-20240508-en
General
Target: 9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
Size: 11.5MB
MD5: 2ce67ec6c01a4e8ab49a21c224af7c1e
SHA1: 472a99759ea6cd51bb4986b4fa918efd3ed74af1
SHA256: 9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74
SHA512: eeb93cb14863b2fab91d215bc55e307b6dc153bd70dc54dc00256c96bd8f5ca074115aea3618c7a96e4f2d8194f64ec178aaebf356423aadb40fcdbe0f774ae8
SSDEEP: 196608:c12tnjp+sHMWh+lmnqg/ivIbuUN0tZo+mNbM3bwIihTtvHkP5KhvXRRdCqM4ABrE:cInjsyM9l2R6gamsbmNbGihpHr9Rj5A3
Malware Config

Signatures

Gh0st RAT payload (1 IoC)
Processes:
  resource                           yara_rule
  C:\Windows\SysWOW64\240610109.bat  family_gh0strat

Sets DLL path for service in the registry (2 TTPs, 1 IoC)
Processes: GLk.exe
  description      ioc                                                                                                                      process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchist\Parameters\ServiceDll = "C:\\Windows\\system32\\240610109.bat"  GLk.exe

Executes dropped EXE (3 IoCs)
Processes: GLk.exe, HD_9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe, svchist.exe
  pid   process
  4352  GLk.exe
  1056  HD_9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
  4956  svchist.exe

Loads dropped DLL (3 IoCs)
Processes: GLk.exe, svchost.exe, svchist.exe
  pid   process
  4352  GLk.exe
  1516  svchost.exe
  4956  svchist.exe

Processes:
  resource                                                                                          yara_rule
  C:\Users\Admin\AppData\Local\Temp\HD_9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe  upx
  behavioral2/memory/1056-18-0x0000000000400000-0x0000000001467000-memory.dmp                      upx
  behavioral2/memory/1056-28-0x0000000000400000-0x0000000001467000-memory.dmp                      upx

Drops file in System32 directory (4 IoCs)
Processes: GLk.exe, svchost.exe
  description                   ioc                                process
  File created                  C:\Windows\SysWOW64\240610109.bat  GLk.exe
  File opened for modification  C:\Windows\SysWOW64\ini.ini        GLk.exe
  File created                  C:\Windows\SysWOW64\svchist.exe    svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchist.exe    svchost.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
  pid   process
  4940  9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
  4940  9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: 9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe, HD_9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
  pid   process
  4940  9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
  4940  9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
  1056  HD_9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
  1056  HD_9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe, svchost.exe
  description                       pid   process                                                                    target process
  PID 4940 wrote to memory of 4352  4940  9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe      GLk.exe
  PID 4940 wrote to memory of 4352  4940  9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe      GLk.exe
  PID 4940 wrote to memory of 4352  4940  9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe      GLk.exe
  PID 4940 wrote to memory of 1056  4940  9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe      HD_9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
  PID 4940 wrote to memory of 1056  4940  9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe      HD_9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
  PID 4940 wrote to memory of 1056  4940  9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe      HD_9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
  PID 1516 wrote to memory of 4956  1516  svchost.exe                                                                svchist.exe
  PID 1516 wrote to memory of 4956  1516  svchost.exe                                                                svchist.exe
  PID 1516 wrote to memory of 4956  1516  svchost.exe                                                                svchist.exe
Processes

C:\Users\Admin\AppData\Local\Temp\9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe (PID 4940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\GLk.exe (PID 4352)
    Command line: C:\Users\Admin\AppData\Local\Temp\\GLk.exe
    - Sets DLL path for service in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory

  C:\Users\Admin\AppData\Local\Temp\HD_9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe (PID 1056)
    Command line: C:\Users\Admin\AppData\Local\Temp\\HD_9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\svchost.exe (PID 2864)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "svchist"

C:\Windows\SysWOW64\svchost.exe (PID 1516)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "svchist"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchist.exe (PID 4956)
    Command line: C:\Windows\system32\svchist.exe "c:\windows\system32\240610109.bat",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\GLk.exe
  Filesize: 337KB
  MD5: b8e58a96761799f4ad0548dba39d650c
  SHA1: c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f
  SHA256: 334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df
  SHA512: 1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3

C:\Users\Admin\AppData\Local\Temp\HD_9802f8ab368d0fd1d214ee848997ceb392326d057385b14812a0c3aa9363cf74.exe
  Filesize: 10.4MB
  MD5: 6acfaf993d52998a4a084b2df45ef4b1
  SHA1: f1e732b33315fcb97a094fc32232531ad9e68524
  SHA256: bf9b32a64e76698d773c7572e1dfd7665a3e951bf1dd6ef51738dc99af58c76e
  SHA512: 9e70133b5a4846f3daa28778e11028f96cbe27da77699c9976a867b5655f704848136a27dbd9ded4c40603eddf045a66d642db7cd7e71e3e674abe57291ec291

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
  Filesize: 1.1MB
  MD5: dfcc258ed7c2c1d0ddbda108b78a1f16
  SHA1: 4bb1e2d0f5452c8d8d682158bea2cacfd8d80427
  SHA256: 093b2510297a5099f8558215c1e860bdc4c9e61f5145ced2f30ecf8a91b35975
  SHA512: e330e676e803134451e956c9df4c23bee97a26334b5586370084d0909da1595102fdae408819efbc03aaf9f4ab351a208c81721ecd67daf7b0123dfe5068478b

C:\Windows\SysWOW64\240610109.bat
  Filesize: 51KB
  MD5: a55fb0da17663ceeaa4f97c87905dac2
  SHA1: 259789bd1b4709d33781d29f37ba567b3e329193
  SHA256: 856fdd57958e4fd07479555c4ed47f1bb4962ed5a6510fbe795fbbd2b8ca9f88
  SHA512: 7bb2b757b3abfc0d72371b27123054a3fddf0761235101e84ad13351707122c60db91a177a771d61a3dcba1a51b7d9cd7f6ae11968099579575bd56833c4c4a6

C:\Windows\SysWOW64\svchist.exe
  Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/1056-18-0x0000000000400000-0x0000000001467000-memory.dmp
  Filesize: 16.4MB

memory/1056-19-0x0000000010000000-0x0000000010116000-memory.dmp
  Filesize: 1.1MB

memory/1056-28-0x0000000000400000-0x0000000001467000-memory.dmp
  Filesize: 16.4MB