Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2024 09:29
Behavioral task: behavioral1
Sample: 0.exe
Resource: win7-20240704-en
General
Target: 0.exe
Size: 71KB
MD5: 2a9d0d06d292a4cbbe4a95da4650ed54
SHA1: 44c32dfae9ac971c3651adbd82c821971a5400dc
SHA256: 09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c
SHA512: ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d
SSDEEP: 1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e
Malware Config
Signatures
- Gh0st RAT payload (2 IoCs)
  yara_rule family_gh0strat: C:\1380600.dll
  yara_rule family_gh0strat: \??\c:\windows\filename.jpg
- Deletes itself (1 IoC)
  pid 4360 svchost.exe
- Loads dropped DLL (2 IoCs)
  pid 1408 0.exe
  pid 4360 svchost.exe
- Drops file in Windows directory (2 IoCs)
  File opened for modification: C:\Windows\FileName.jpg by 0.exe
  File created: C:\Windows\FileName.jpg by 0.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 0.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4360 svchost.exe (64 occurrences)
- Suspicious behavior: LoadsDriver (6 IoCs)
  pid 4 (5 occurrences), pid 660
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  pid 1408 0.exe: Token SeBackupPrivilege (4 times), Token SeRestorePrivilege (4 times), alternating
Processes
- C:\Users\Admin\AppData\Local\Temp\0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
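The process list above is the behaviour chain a detection should key on: 0.exe drops C:\Windows\FileName.jpg and C:\1380600.dll, a 32-bit svchost.exe -k imgsvc then loads the DLL from the drive root, reads NLS\Language and deletes the original sample. Note that svchost.exe -k imgsvc is also the legitimate host for the Windows Image Acquisition service (StiSvc), so the process name and command line alone are not a signal; the DLL load from C:\ and the deletion of another process's image are. The following is an added example, not part of this report or of the sandbox's own rules: it runs that logic over constructed events whose pids and paths follow the report, plus a benign control process. The event schema (type, pid, image, cmdline, target) is an assumption modelled loosely on Sysmon field names, and the rules generalise past the report's exact filenames to any DLL loaded from the drive root and any file created directly in C:\Windows.

```python
"""Correlate process/file/registry events against the behaviour chain this
report attributes to 0.exe and the svchost.exe -k imgsvc host it leaves behind.
Added example; the event schema is an assumption, not a real log format."""
import re
from collections import defaultdict

# Indicator taken from the report (registry key both processes open).
NLS_KEY = "\\registry\\machine\\system\\controlset001\\control\\nls\\language"
# Generalised forms of the report's dropped-file indicators.
DLL_IN_DRIVE_ROOT = re.compile(r"c:\\[^\\]+\.dll")
FILE_IN_WINDOWS_ROOT = re.compile(r"c:\\windows\\[^\\]+")

# Constructed sample events following the pids and paths in the report.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1408, "image": r"C:\Users\Admin\AppData\Local\Temp\0.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0.exe"'},
    {"type": "RegistryKeyOpen", "pid": 1408, "image": r"C:\Users\Admin\AppData\Local\Temp\0.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "FileCreate", "pid": 1408, "image": r"C:\Users\Admin\AppData\Local\Temp\0.exe",
     "target": r"C:\Windows\FileName.jpg"},
    {"type": "ImageLoad", "pid": 1408, "image": r"C:\Users\Admin\AppData\Local\Temp\0.exe",
     "target": r"C:\1380600.dll"},
    {"type": "ProcessCreate", "pid": 4360, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k imgsvc"},
    {"type": "ImageLoad", "pid": 4360, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"\??\c:\1380600.dll"},
    {"type": "RegistryKeyOpen", "pid": 4360, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "FileDelete", "pid": 4360, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"C:\Users\Admin\AppData\Local\Temp\0.exe"},
    # Benign control (constructed): the real WIA service host reading the same
    # key, with no drop, no drive-root DLL load and no deletion.
    {"type": "ProcessCreate", "pid": 2222, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k imgsvc"},
    {"type": "RegistryKeyOpen", "pid": 2222, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]


def _norm(path):
    """Lower-case and drop the \\??\\ NT prefix so both spellings used in the
    report (C:\\... and \\??\\c:\\...) compare equal."""
    path = path.lower()
    return path[4:] if path.startswith("\\??\\") else path


def correlate(events):
    """Return {pid: [reasons]} for processes that show the report's behaviour.

    The NLS\\Language read on its own is only context (every localised
    process may touch it); a pid is reported only if it also dropped a file
    into the C:\\Windows root, loaded a DLL from the drive root, or deleted
    the on-disk image of another running process ("Deletes itself").
    """
    hits = defaultdict(list)
    images = {}  # pid -> normalised image path, from ProcessCreate events
    for ev in events:
        pid, typ = ev["pid"], ev["type"]
        target = _norm(ev.get("target", ""))
        if typ == "ProcessCreate":
            images[pid] = _norm(ev["image"])
        elif typ == "FileCreate" and FILE_IN_WINDOWS_ROOT.fullmatch(target):
            hits[pid].append("dropped file into C:\\Windows root: " + ev["target"])
        elif typ == "ImageLoad" and DLL_IN_DRIVE_ROOT.fullmatch(target):
            hits[pid].append("loaded DLL from drive root: " + ev["target"])
        elif typ == "RegistryKeyOpen" and target == NLS_KEY:
            hits[pid].append("opened NLS\\Language (system language discovery)")
        elif (typ == "FileDelete" and target in images.values()
              and images.get(pid) != target):
            hits[pid].append("deleted another process's image: " + ev["target"])
    strong = ("dropped", "loaded", "deleted")
    return {pid: reasons for pid, reasons in hits.items()
            if any(r.startswith(strong) for r in reasons)}


if __name__ == "__main__":
    for pid, reasons in sorted(correlate(SAMPLE_EVENTS).items()):
        print(pid)
        for r in reasons:
            print("   ", r)
```

Run as-is it reports pids 1408 and 4360 and stays silent on the benign 2222 host, which is the point: the ordering of the rules does not matter, but the final filter does, because without it every process that reads NLS\Language would fire.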
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\1380600.dll
  Filesize: 64KB
  MD5: 45dc749351fd65d71da89ca2ed2766cb
  SHA1: e080faf81157b7f867cb56938c5e579c206af9b9
  SHA256: 391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25
  SHA512: 7e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74
- \??\c:\NT_Path.jpg
  Filesize: 54B
  MD5: 0aa3352404fa38b6a9fdc3075a3d72c8
  SHA1: 494b27ea1a4cf4b673d4233ffb37fda0c3887b2f
  SHA256: 6abd5b7fd22de18a7d1618b8bec08b0693c745124ab13d3290ec5d4ab368ef84
  SHA512: 69428206e48bed639618342750cbd2f122f9a897714974a885eebefa5bdf59a00479c795d2869956f3411cc78395a70c635b2cb7243a34809853665e384e2782
- \??\c:\windows\filename.jpg
  Filesize: 10.0MB
  MD5: de059b40a1962eb6debdc9965424f28a
  SHA1: 798446b9c685c3fca442de3e42a1bd9a20cfee8f
  SHA256: 22e0f8b8ea7803eec48bdb52f458504cc395e43ebc565074dd98668a10a6b48b
  SHA512: 433218cdc67c5b897eb005c82446dc19329987e614e59d04b0833ce0baf1d82942ec863c21d03902828fcbaa520d1dc5b8d7aa3154c5d6648edb5414c0b83cc2