Analysis
max time kernel: 154s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 05:38
Static task: static1
Behavioral task: behavioral1
  Sample: cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
  Resource: win10v2004-20240226-en
General
Target: cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
Size: 9.7MB
MD5: e037e85124b6b3c022f53f0ab75d9a27
SHA1: 9f5a34c4dc052bd2a82603f67ca31e723b6e93ef
SHA256: cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f
SHA512: 6da1671667b0efe4a9a3fa3ed306b9305865e74223a9fb2e2de49c7d9db2bb4026c0f34536215730865478bdcc33cbefc284e21c4c37ce93bf1f9316e6c9a2c1
SSDEEP: 196608:f8C+Yek+c78EV4s/b0Snsq8o/cC9Ou86LV47jJekfNNGa:kPRk+c78EusD8o0CeljY0
Malware Config
Signatures
- Gh0st RAT payload (1 IoCs)
  resource: C:\Windows\SysWOW64\240655375.bat
  yara_rule: family_gh0strat
- Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240655375.bat"
  process: look2.exe
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  1876 look2.exe
  3576 HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
  464 svchcst.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  1876 look2.exe
  696 svchost.exe
  464 svchcst.exe
- Drops file in System32 directory (4 IoCs)
  Processes (description, ioc, process):
  File opened for modification | C:\Windows\SysWOW64\svchcst.exe | svchost.exe
  File created | C:\Windows\SysWOW64\240655375.bat | look2.exe
  File opened for modification | C:\Windows\SysWOW64\ini.ini | look2.exe
  File created | C:\Windows\SysWOW64\svchcst.exe | svchost.exe
- Drops file in Program Files directory (1 IoCs)
  Processes (description, ioc, process):
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  332 cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
  332 cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeLoadDriverPrivilege | 3576 | HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  332 cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
  332 cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  PID 332 wrote to memory of 1876 | 332 | cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | look2.exe
  PID 332 wrote to memory of 1876 | 332 | cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | look2.exe
  PID 332 wrote to memory of 1876 | 332 | cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | look2.exe
  PID 332 wrote to memory of 3576 | 332 | cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
  PID 332 wrote to memory of 3576 | 332 | cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
  PID 332 wrote to memory of 3576 | 332 | cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
  PID 696 wrote to memory of 464 | 696 | svchost.exe | svchcst.exe
  PID 696 wrote to memory of 464 | 696 | svchost.exe | svchcst.exe
  PID 696 wrote to memory of 464 | 696 | svchost.exe | svchcst.exe
Processes
C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe (PID 332)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\look2.exe (PID 1876, child of 332)
    Command line: C:\Users\Admin\AppData\Local\Temp\\look2.exe
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
  C:\Users\Admin\AppData\Local\Temp\HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe (PID 3576, child of 332)
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\svchost.exe (PID 4488)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Windows\SysWOW64\svchost.exe (PID 696)
  Command line: C:\Windows\SysWOW64\svchost.exe -k "svchcst"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchcst.exe (PID 464, child of 696)
    Command line: C:\Windows\system32\svchcst.exe "c:\windows\system32\240655375.bat",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2612)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads