Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 15:00

Static task: static1
Behavioral task: behavioral1
Sample: 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
Resource: win7-20240611-en
General
Target: 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
Size: 444KB
MD5: 39d865aa4171442b417c40479e63a03f
SHA1: 0da788f33274472b1b2217a31301eddd95c7e77c
SHA256: 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f
SHA512: 619e5585a51dd03bddef2a67e7bbce0742266750548004a4c664715d5a217fd9477de22c91218b39a6c5d957ec1f4fb3a6743ebf9ad86814632e55750cd4ca82
SSDEEP: 12288:MykIP8aYKbeqA1UtLD45VZ3Mc2YpFjW8D:MKP9YbiR45v3Va8
Malware Config
Signatures
- Gh0st RAT payload (6 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/4184-7-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
    behavioral2/memory/4184-8-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
    behavioral2/memory/3960-38-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
    behavioral2/memory/3960-37-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
    behavioral2/memory/1952-56-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat
    behavioral2/memory/1952-57-0x0000000010000000-0x0000000010362000-memory.dmp | family_gh0strat

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe

- Deletes itself (1 IoC)
  Processes (pid | process):
    1952 | Jufrxnb.exe

- Executes dropped EXE (4 IoCs)
  Processes (pid | process):
    5096 | Jufrxnb.exe
    3960 | Jufrxnb.exe
    3652 | Jufrxnb.exe
    1952 | Jufrxnb.exe

- YARA rule upx matched in memory (8 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/4184-4-0x0000000010000000-0x0000000010362000-memory.dmp | upx
    behavioral2/memory/4184-7-0x0000000010000000-0x0000000010362000-memory.dmp | upx
    behavioral2/memory/4184-8-0x0000000010000000-0x0000000010362000-memory.dmp | upx
    behavioral2/memory/3960-38-0x0000000010000000-0x0000000010362000-memory.dmp | upx
    behavioral2/memory/3960-37-0x0000000010000000-0x0000000010362000-memory.dmp | upx
    behavioral2/memory/3960-33-0x0000000010000000-0x0000000010362000-memory.dmp | upx
    behavioral2/memory/1952-56-0x0000000010000000-0x0000000010362000-memory.dmp | upx
    behavioral2/memory/1952-57-0x0000000010000000-0x0000000010362000-memory.dmp | upx

- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe | 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
    File created | C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe | 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (4 IoCs)
  Processes (pid | pid_target | process | target process):
    1020 | 4184 | WerFault.exe | 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
    2996 | 5096 | WerFault.exe | Jufrxnb.exe
    2272 | 3960 | WerFault.exe | Jufrxnb.exe
    1456 | 3652 | WerFault.exe | Jufrxnb.exe

- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Jufrxnb.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Jufrxnb.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Jufrxnb.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | Jufrxnb.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | Jufrxnb.exe

- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4184 | 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
    Token: SeDebugPrivilege | 5096 | Jufrxnb.exe
    Token: SeDebugPrivilege | 3960 | Jufrxnb.exe
    Token: SeDebugPrivilege | 3960 | Jufrxnb.exe
    Token: SeDebugPrivilege | 3960 | Jufrxnb.exe
    Token: SeDebugPrivilege | 1952 | Jufrxnb.exe
    Token: SeDebugPrivilege | 3652 | Jufrxnb.exe
    Token: SeDebugPrivilege | 1952 | Jufrxnb.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 4184 wrote to memory of 5096 | 4184 | 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe | Jufrxnb.exe
    PID 4184 wrote to memory of 5096 | 4184 | 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe | Jufrxnb.exe
    PID 4184 wrote to memory of 5096 | 4184 | 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe | Jufrxnb.exe
    PID 3960 wrote to memory of 3652 | 3960 | Jufrxnb.exe | Jufrxnb.exe
    PID 3960 wrote to memory of 3652 | 3960 | Jufrxnb.exe | Jufrxnb.exe
    PID 3960 wrote to memory of 3652 | 3960 | Jufrxnb.exe | Jufrxnb.exe
    PID 3960 wrote to memory of 1952 | 3960 | Jufrxnb.exe | Jufrxnb.exe
    PID 3960 wrote to memory of 1952 | 3960 | Jufrxnb.exe | Jufrxnb.exe
    PID 3960 wrote to memory of 1952 | 3960 | Jufrxnb.exe | Jufrxnb.exe
Processes
Process tree (indentation shows parent/child relationship; each node lists its path, command line, PID and the signatures it triggered):

- C:\Users\Admin\AppData\Local\Temp\0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe (PID 4184)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe"
  Signatures: Checks computer location settings; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe (PID 5096)
    Command line: "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 2996)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 584
      Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 1020)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1064
    Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 4548)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4184 -ip 4184

- C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe (PID 3960)
  Command line: "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe (PID 3652)
    Command line: "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 1456)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 556
      Signatures: Program crash
  - C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe (PID 1952)
    Command line: "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
    Signatures: Deletes itself; Executes dropped EXE; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 2272)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 648
    Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 2784)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5096 -ip 5096

- C:\Windows\SysWOW64\WerFault.exe (PID 2880)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3960 -ip 3960

- C:\Windows\SysWOW64\WerFault.exe (PID 3096)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3652 -ip 3652
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 444KB
  MD5: 39d865aa4171442b417c40479e63a03f
  SHA1: 0da788f33274472b1b2217a31301eddd95c7e77c
  SHA256: 0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f
  SHA512: 619e5585a51dd03bddef2a67e7bbce0742266750548004a4c664715d5a217fd9477de22c91218b39a6c5d957ec1f4fb3a6743ebf9ad86814632e55750cd4ca82