Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 15-08-2024 09:29
Behavioral task: behavioral1
- Sample: 0.exe
- Resource: win7-20240704-en
General
- Target: 0.exe
- Size: 71KB
- MD5: 2a9d0d06d292a4cbbe4a95da4650ed54
- SHA1: 44c32dfae9ac971c3651adbd82c821971a5400dc
- SHA256: 09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c
- SHA512: ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d
- SSDEEP: 1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e
Malware Config
Signatures
- Gh0st RAT payload (4 IoCs)
  resource | yara_rule
  C:\Windows\FileName.jpg | family_gh0strat
  behavioral1/memory/2804-10-0x0000000010000000-0x0000000010013000-memory.dmp | family_gh0strat
  C:\346100.dll | family_gh0strat
  behavioral1/memory/2788-13-0x0000000010000000-0x0000000010013000-memory.dmp | family_gh0strat
- Deletes itself (1 IoC)
  pid | process
  2788 | svchost.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\FileName.jpg | 0.exe
  File created | C:\Windows\FileName.jpg | 0.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs; ATT&CK T1614.001)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  2788 | svchost.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | process
  Token: SeBackupPrivilege | 2804 | 0.exe (x4)
  Token: SeRestorePrivilege | 2804 | 0.exe (x4)
  (the eight entries alternate SeBackupPrivilege, SeRestorePrivilege)
Processes
- C:\Users\Admin\AppData\Local\Temp\0.exe (PID 2804)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe (PID 2788)
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
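Reading the two process entries together with the signature tables: both PIDs carry the same family_gh0strat hit on the region 0x10000000-0x10013000 (0x13000 bytes, the 76KB dumps listed under Downloads). 0x10000000 is the default image base of an MSVC-linked 32-bit DLL, and the 64KB C:\346100.dll is the only DLL the report flags, so the picture is consistent with one payload DLL loaded first by the dropper and then by a 32-bit svchost.exe -k imgsvc host. On Windows 7 the imgsvc group normally hosts only the Windows Image Acquisition service (StiSvc), so a module loaded into that svchost from outside the system directories is the detectable anomaly; the report records no service registration, so the persistence mechanism is not established by this page. The SeBackupPrivilege/SeRestorePrivilege toggling in PID 2804 fits the write to C:\Windows\FileName.jpg, since SeRestorePrivilege lets a process write regardless of file ACLs. Reading the NLS\Language key on its own is near-useless as a detection, since ordinary software reads locale keys constantly; it only adds weight when it co-occurs with a strong signal in the same process.

The block below is an added example, not part of the sandbox report, that encodes those behaviours as weighted rules over constructed Sysmon-style events. The ImageLoad of C:\346100.dll into PID 2788, the benign imgsvc host (PID 1234) with its wiaservc.dll load, and the event field names are assumptions of the example; the paths, PIDs and command lines are taken from the report.

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon-style events modelled on the report's process tree and
# signature tables (EventID 1 ProcessCreate, 7 ImageLoad, 11 FileCreate,
# 12 RegistryEvent). The ImageLoad row for C:\346100.dll and the benign
# imgsvc host (PID 1234) are assumptions added for this example.
TMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\0.exe"
WOW_SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
SYS_SVCHOST = r"C:\Windows\System32\svchost.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

EVENTS = [
    {"EventID": 1, "ProcessId": 2804, "Image": TMP_EXE, "CommandLine": f'"{TMP_EXE}"'},
    {"EventID": 12, "ProcessId": 2804, "Image": TMP_EXE, "TargetObject": NLS_KEY},
    {"EventID": 11, "ProcessId": 2804, "Image": TMP_EXE, "TargetFilename": r"C:\Windows\FileName.jpg"},
    {"EventID": 1, "ProcessId": 2788, "Image": WOW_SVCHOST, "CommandLine": WOW_SVCHOST + " -k imgsvc"},
    {"EventID": 7, "ProcessId": 2788, "Image": WOW_SVCHOST, "ImageLoaded": r"C:\346100.dll"},
    {"EventID": 12, "ProcessId": 2788, "Image": WOW_SVCHOST, "TargetObject": NLS_KEY},
    # Legitimate imgsvc host for comparison: same switch, module from System32.
    {"EventID": 1, "ProcessId": 1234, "Image": SYS_SVCHOST, "CommandLine": SYS_SVCHOST + " -k imgsvc"},
    {"EventID": 7, "ProcessId": 1234, "Image": SYS_SVCHOST, "ImageLoaded": r"C:\Windows\System32\wiaservc.dll"},
    {"EventID": 12, "ProcessId": 1234, "Image": SYS_SVCHOST, "TargetObject": NLS_KEY},
]

WINDOWS_DIR = "C:\\Windows\\"
SYSTEM_DIRS = ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")
USER_WRITABLE = ("C:\\Users\\", "C:\\ProgramData\\")


def _under(path, prefix):
    """Case-insensitive Windows path prefix test that also works off-Windows."""
    return ntpath.normcase(path).startswith(ntpath.normcase(prefix))


def _is_svchost(image):
    return ntpath.basename(image).lower() == "svchost.exe"


# Rule name -> (weight, predicate). Weight 2 is strong enough to matter alone;
# weight 1 only counts when it co-occurs with a strong signal in the same PID.
RULES = {
    # Executable running from a user-writable location writes under C:\Windows.
    "drop_to_windows_dir": (2, lambda e: e["EventID"] == 11
                            and any(_under(e["Image"], d) for d in USER_WRITABLE)
                            and _under(e["TargetFilename"], WINDOWS_DIR)),
    # svchost.exe loads a module from outside System32/SysWOW64 (here C:\346100.dll).
    "svchost_module_outside_system_dirs": (2, lambda e: e["EventID"] == 7
                            and _is_svchost(e["Image"])
                            and not any(_under(e["ImageLoaded"], d) for d in SYSTEM_DIRS)),
    # 32-bit service host on an x64 system; built-in groups run from System32.
    "wow64_svchost_host": (1, lambda e: e["EventID"] == 1
                            and _is_svchost(e["Image"])
                            and _under(e["Image"], SYSTEM_DIRS[1])),
    # Locale probe (T1614.001): noisy, so weak on its own.
    "nls_language_key_read": (1, lambda e: e["EventID"] == 12
                            and e["TargetObject"].lower().endswith(r"\control\nls\language")),
}


def evaluate(events):
    """Return {pid: sorted rule names that fired for that process}."""
    hits = defaultdict(set)
    for e in events:
        for name, (_, pred) in RULES.items():
            if pred(e):
                hits[e["ProcessId"]].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def alerts(events, threshold=3):
    """PIDs whose summed rule weights reach the threshold: one strong signal plus
    at least one weak one, or two strong ones. The benign host scores 1 and is
    not reported."""
    scored = evaluate(events)
    return sorted(pid for pid, names in scored.items()
                  if sum(RULES[n][0] for n in names) >= threshold)


if __name__ == "__main__":
    for pid, names in sorted(evaluate(EVENTS).items()):
        print(pid, names)
    print("alerting:", alerts(EVENTS))
```

The weighting is the point: the same NLS\Language read appears in all three processes, and only the two that also carry a strong signal cross the threshold.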
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\346100.dll
  Filesize: 64KB
  MD5: 45dc749351fd65d71da89ca2ed2766cb
  SHA1: e080faf81157b7f867cb56938c5e579c206af9b9
  SHA256: 391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25
  SHA512: 7e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74
- C:\Windows\FileName.jpg
  Filesize: 17.0MB
  MD5: 8a8a086783e838a73393e53959901b7c
  SHA1: 44430693079ba6c91ece14a3c5494182b86e37b8
  SHA256: e1b537f3b84fe8bdcb0c6d2db380699df31a638141a1461b36f89d8caa391224
  SHA512: c01a145fc1262fd6bbd90db83e87484bf149c81d3d3e1f091197d9f676a2d17e6dad854f5bbafe35cca68c6a60ef7af0f4567eb8d8232b54459e0a5b482b3e11
- \??\c:\NT_Path.jpg
  Filesize: 53B
  MD5: 4ddae4616240724a85d58168c8682187
  SHA1: 4810b6fa68a263dff22c6d265f04f0f3599a6097
  SHA256: 0976b555a884a79d4cd4f57bf1991e7519bb6a5d60d866b1e8a656b8c3c91b95
  SHA512: 5dbbe037fe6a55c22d69d49b94abb37232c6c3e05710b160ca71c72c124889afea28e036948fe7b67504384af1d5688321fd981071a2e9c95337f69bc78e462a
- memory/2788-13-0x0000000010000000-0x0000000010013000-memory.dmp
  Filesize: 76KB
- memory/2804-0-0x0000000000401000-0x0000000000402000-memory.dmp
  Filesize: 4KB
- memory/2804-10-0x0000000010000000-0x0000000010013000-memory.dmp
  Filesize: 76KB
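Two notes on using this table as IoCs. \??\c:\NT_Path.jpg is an NT object-manager path; the Win32 path to look for on disk is C:\NT_Path.jpg. And the digests identify exactly this build: a rebuilt dropper changes every hash but tends to keep its install paths, so a sweep should report a file at one of the drop locations even when its digest does not match. The block below is an added example, not part of the report, that does both: it walks a tree from what is assumed to be the system drive root (C:\ on a live host), streams SHA-256 over each file so the 17MB payload is never held in memory, and reports hash matches and path matches separately. Only the SHA-256 values are carried over; the memory dumps have no digest in the report and are omitted. The test root and file contents used to exercise it are constructed.

```python
import hashlib
import os

# SHA-256 digests from the report's General and Downloads tables, keyed to what
# the sandbox called each file. Memory dumps carry no digest and are omitted.
HASH_IOCS = {
    "09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c": "0.exe (dropper, 71KB)",
    "391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25": "C:\\346100.dll (family_gh0strat, 64KB)",
    "e1b537f3b84fe8bdcb0c6d2db380699df31a638141a1461b36f89d8caa391224": "C:\\Windows\\FileName.jpg (family_gh0strat, 17.0MB)",
    "0976b555a884a79d4cd4f57bf1991e7519bb6a5d60d866b1e8a656b8c3c91b95": "C:\\NT_Path.jpg (53B)",
}

# Drop locations relative to the system drive root, lower-cased. \??\c:\NT_Path.jpg
# in the report is the NT path for C:\NT_Path.jpg.
PATH_IOCS = {
    r"windows\filename.jpg",
    r"346100.dll",
    r"nt_path.jpg",
}


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA-256 so large files are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, hash_iocs=HASH_IOCS, path_iocs=PATH_IOCS):
    """Walk root (C:\\ on a live host) and return one finding per file that
    matches by digest, by drop location, or both. Each finding records which
    kind of match it was so path-only hits can be triaged separately."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # do not follow links or hash devices/pipes
            rel = os.path.relpath(full, root).replace(os.sep, "\\").lower()
            path_hit = rel in path_iocs
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # locked or unreadable; on a live host log this separately
            hash_hit = hash_iocs.get(digest)
            if path_hit or hash_hit:
                findings.append({"path": full, "sha256": digest,
                                 "path_match": path_hit, "hash_match": hash_hit})
    return findings


if __name__ == "__main__":
    import sys
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it as `python scan.py C:\` on a suspect host (the script name is assumed); a finding with path_match set and hash_match None means something sits at a known drop location but is not this exact build, which is the case that deserves a closer look rather than a dismissal.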