Analysis
max time kernel: 147s
max time network: 151s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 19-06-2024 15:00
Static task: static1
Behavioral task: behavioral1
Sample: 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
Resource: win7-20240611-en
General
Target: 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
Size: 444KB
MD5: 39d865aa4171442b417c40479e63a03f
SHA1: 0da788f33274472b1b2217a31301eddd95c7e77c
SHA256: 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f
SHA512: 619e5585a51dd03bddef2a67e7bbce0742266750548004a4c664715d5a217fd9477de22c91218b39a6c5d957ec1f4fb3a6743ebf9ad86814632e55750cd4ca82
SSDEEP: 12288:MykIP8aYKbeqA1UtLD45VZ3Mc2YpFjW8D:MKP9YbiR45v3Va8
Malware Config
Signatures
Gh0st RAT payload 7 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2208-8-0x0000000010000000-0x0000000010362000-memory.dmp   family_gh0strat
  behavioral1/memory/2208-7-0x0000000010000000-0x0000000010362000-memory.dmp   family_gh0strat
  behavioral1/memory/1152-26-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/1152-27-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/2708-47-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/2708-48-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
  behavioral1/memory/2708-49-0x0000000010000000-0x0000000010362000-memory.dmp  family_gh0strat
Deletes itself 1 IoCs
Processes:
  pid   process
  2708  Jufrxnb.exe
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  1152  Jufrxnb.exe
  2632  Jufrxnb.exe
  2708  Jufrxnb.exe
Loads dropped DLL 2 IoCs
Processes:
  pid   process
  2208  0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
  2208  0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2208-5-0x0000000010000000-0x0000000010362000-memory.dmp   upx
  behavioral1/memory/2208-8-0x0000000010000000-0x0000000010362000-memory.dmp   upx
  behavioral1/memory/2208-7-0x0000000010000000-0x0000000010362000-memory.dmp   upx
  behavioral1/memory/1152-26-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/1152-27-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/1152-24-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/2708-47-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/2708-48-0x0000000010000000-0x0000000010362000-memory.dmp  upx
  behavioral1/memory/2708-49-0x0000000010000000-0x0000000010362000-memory.dmp  upx
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     process
  File opened (read-only)  \??\E:  Jufrxnb.exe
  File opened (read-only)  \??\H:  Jufrxnb.exe
  File opened (read-only)  \??\P:  Jufrxnb.exe
  File opened (read-only)  \??\T:  Jufrxnb.exe
  File opened (read-only)  \??\V:  Jufrxnb.exe
  File opened (read-only)  \??\G:  Jufrxnb.exe
  File opened (read-only)  \??\I:  Jufrxnb.exe
  File opened (read-only)  \??\R:  Jufrxnb.exe
  File opened (read-only)  \??\U:  Jufrxnb.exe
  File opened (read-only)  \??\X:  Jufrxnb.exe
  File opened (read-only)  \??\Y:  Jufrxnb.exe
  File opened (read-only)  \??\Z:  Jufrxnb.exe
  File opened (read-only)  \??\B:  Jufrxnb.exe
  File opened (read-only)  \??\J:  Jufrxnb.exe
  File opened (read-only)  \??\Q:  Jufrxnb.exe
  File opened (read-only)  \??\S:  Jufrxnb.exe
  File opened (read-only)  \??\K:  Jufrxnb.exe
  File opened (read-only)  \??\L:  Jufrxnb.exe
  File opened (read-only)  \??\M:  Jufrxnb.exe
  File opened (read-only)  \??\N:  Jufrxnb.exe
  File opened (read-only)  \??\O:  Jufrxnb.exe
  File opened (read-only)  \??\W:  Jufrxnb.exe
Drops file in Program Files directory 2 IoCs
Processes:
  description                   ioc                                                   process
  File opened for modification  C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe  0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
  File created                  C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe  0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Jufrxnb.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                      Jufrxnb.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  Jufrxnb.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2                      Jufrxnb.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 Jufrxnb.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Jufrxnb.exe
Modifies data under HKEY_USERS 5 IoCs
Processes:
  description      ioc                                                                     process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum          Jufrxnb.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software                                        Jufrxnb.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft                              Jufrxnb.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie                  Jufrxnb.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"  Jufrxnb.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid   process
  2708  Jufrxnb.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2208  0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
  Token: SeDebugPrivilege   1152  Jufrxnb.exe
  Token: SeDebugPrivilege   2632  Jufrxnb.exe
  Token: SeDebugPrivilege   2632  Jufrxnb.exe
  Token: SeDebugPrivilege   2708  Jufrxnb.exe
  Token: SeDebugPrivilege   2708  Jufrxnb.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  description                        pid   process                                                                target process
  PID 2208 wrote to memory of 1152   2208  0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe  Jufrxnb.exe
  PID 2208 wrote to memory of 1152   2208  0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe  Jufrxnb.exe
  PID 2208 wrote to memory of 1152   2208  0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe  Jufrxnb.exe
  PID 2208 wrote to memory of 1152   2208  0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe  Jufrxnb.exe
  PID 2632 wrote to memory of 2708   2632  Jufrxnb.exe                                                            Jufrxnb.exe
  PID 2632 wrote to memory of 2708   2632  Jufrxnb.exe                                                            Jufrxnb.exe
  PID 2632 wrote to memory of 2708   2632  Jufrxnb.exe                                                            Jufrxnb.exe
  PID 2632 wrote to memory of 2708   2632  Jufrxnb.exe                                                            Jufrxnb.exe
Processes
C:\Users\Admin\AppData\Local\Temp\0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2208
    C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
      Command line: "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1152
C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
  Command line: "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2632
    C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
      Command line: "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
      - Deletes itself
      - Executes dropped EXE
      - Enumerates connected drives
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2708
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 444KB
MD5: 39d865aa4171442b417c40479e63a03f
SHA1: 0da788f33274472b1b2217a31301eddd95c7e77c
SHA256: 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f
SHA512: 619e5585a51dd03bddef2a67e7bbce0742266750548004a4c664715d5a217fd9477de22c91218b39a6c5d957ec1f4fb3a6743ebf9ad86814632e55750cd4ca82