Analysis

max time kernel: 139s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/10/2024, 01:59

Static task: static1
Behavioral task: behavioral1
Sample: d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe
Resource: win7-20240708-en
General

Target: d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe
Size: 96KB
MD5: 373047647bd25c1d3aa9cd960bcd7af8
SHA1: 5436d03709612a6b1aa2ebbc9609de33c34b3260
SHA256: d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da
SHA512: e1ef29b53678bdcf242004cc03494d2b85e16aea86a801ccb000a4e45a0ad2f6448c6426401cd86d3731d1a3aa024c154a8402811ea8b2b97285fa646a86b301
SSDEEP: 1536:1kFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr9SNsMSaSKd:1WS4jHS8q/3nTzePCwNUh4E99SNiKd
Malware Config
Signatures
-
Gh0st RAT payload (5 IoCs)
resource                                                                    yara_rule
behavioral2/files/0x000b000000023b99-14.dat                                 family_gh0strat
behavioral2/memory/4544-16-0x0000000000400000-0x000000000044E2D4-memory.dmp  family_gh0strat
behavioral2/memory/1792-19-0x0000000020000000-0x0000000020027000-memory.dmp  family_gh0strat
behavioral2/memory/4852-24-0x0000000020000000-0x0000000020027000-memory.dmp  family_gh0strat
behavioral2/memory/5012-29-0x0000000020000000-0x0000000020027000-memory.dmp  family_gh0strat

Deletes itself (1 IoC)
pid   Process
4544  jbponnmwwg

Executes dropped EXE (1 IoC)
pid   Process
4544  jbponnmwwg

Loads dropped DLL (3 IoCs)
pid   Process
1792  svchost.exe
4852  svchost.exe
5012  svchost.exe

Drops file in System32 directory (6 IoCs)
description                   ioc                                   Process
File created                  C:\Windows\SysWOW64\xqougssefw        svchost.exe
File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt   svchost.exe
File created                  C:\Windows\SysWOW64\xydoovucrr        svchost.exe
File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt   svchost.exe
File created                  C:\Windows\SysWOW64\xhrhwyxafn        svchost.exe
File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt   svchost.exe

Program crash (3 IoCs)
pid   pid_target  Process       procid_target
4944  1792        WerFault.exe  97
2424  4852        WerFault.exe  104
3384  5012        WerFault.exe  108

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jbponnmwwg

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4544  jbponnmwwg
4544  jbponnmwwg

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Tokens enabled, in the order observed, per process:
4544  jbponnmwwg   SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege
1792  svchost.exe  SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege
4852  svchost.exe  SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege
5012  svchost.exe  SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   Process                                                                   procid_target
PID 1360 wrote to memory of 4544   1360  d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe  88
PID 1360 wrote to memory of 4544   1360  d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe  88
PID 1360 wrote to memory of 4544   1360  d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe  88
Processes

C:\Users\Admin\AppData\Local\Temp\d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe  (PID 1360)
  command line: "C:\Users\Admin\AppData\Local\Temp\d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  \??\c:\users\admin\appdata\local\jbponnmwwg  (PID 4544)
    command line: "C:\Users\Admin\AppData\Local\Temp\d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe" a -sc:\users\admin\appdata\local\temp\d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe  (PID 1792)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe  (PID 4944)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1104
    - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 3944)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1792 -ip 1792

C:\Windows\SysWOW64\svchost.exe  (PID 4852)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe  (PID 2424)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 712
    - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 3696)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4852 -ip 4852

C:\Windows\SysWOW64\svchost.exe  (PID 5012)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe  (PID 3384)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 840
    - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 1764)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5012 -ip 5012
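Detection logic for the behaviour chain above, as an added example that is not part of the sandbox report or its tooling. It scores a constructed Sysmon-like event stream (PIDs, paths and command lines are copied from the report; the event layout, the two benign control events and the name of the module svchost loads are assumptions) against indicators that mirror the report's signatures: the extension-less dropped executable under %LOCALAPPDATA%, the argv[0]/image mismatch visible on PID 4544, the svchost instance started for the fastuserswitchingcompatibility service, the generated-name file and the svchost.exe.txt write in SysWOW64, and the extension-less module load. The NLS\Language registry read is deliberately not scored: every localised process touches that key, so it corroborates rather than discriminates. The "two indicators per PID" threshold and the 8-12 lowercase-letter name pattern are heuristics chosen here, not values from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption, derived from the names on this page (xqougssefw, xydoovucrr,
# xhrhwyxafn, jbponnmwwg: ten lowercase letters, no extension): a generated
# name is 8-12 lowercase letters with no extension.
RANDOM_NAME = re.compile(r"^[a-z]{8,12}$")
SYSWOW64 = "c:\\windows\\syswow64\\"


@dataclass
class Event:
    """Simplified Sysmon-like record (layout is an assumption, not the sandbox's format)."""
    kind: str            # "process" | "file_write" | "image_load"
    pid: int             # acting process
    image: str           # image path of the acting process
    cmdline: str = ""    # command line, for "process" events
    target: str = ""     # written file or loaded module, for the other kinds


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def looks_generated(path: str) -> bool:
    return RANDOM_NAME.match(basename(path).lower()) is not None


def argv0(cmdline: str) -> str:
    """First token of a Windows command line (quoted or bare)."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(None, 1)[0] if s else ""


def indicators(events):
    """pid -> set of indicator names, each mirroring a signature in the report."""
    found = defaultdict(set)
    for e in events:
        image, cmd, target = e.image.lower(), e.cmdline.lower(), e.target.lower()
        if e.kind == "process":
            # "Executes dropped EXE": extension-less generated name under %LOCALAPPDATA%
            if "\\appdata\\local\\" in image and looks_generated(image):
                found[e.pid].add("dropped_exe_random_name")
            # "Deletes itself": argv[0] names the original sample, the image is the drop
            if cmd and basename(argv0(cmd)) != basename(image):
                found[e.pid].add("argv0_mismatch")
            # service host started for the long-retired fastuserswitchingcompatibility service
            if (basename(image) == "svchost.exe" and "-k netsvcs" in cmd
                    and "-s fastuserswitchingcompatibility" in cmd):
                found[e.pid].add("svchost_fus_compat")
        elif e.kind == "file_write" and target.startswith(SYSWOW64):
            # "Drops file in System32 directory"
            if looks_generated(target):
                found[e.pid].add("syswow64_random_drop")
            if basename(target) == "svchost.exe.txt":
                found[e.pid].add("svchost_exe_txt")
        elif e.kind == "image_load" and target.startswith(SYSWOW64) and looks_generated(target):
            # "Loads dropped DLL": extension-less module loaded from SysWOW64
            found[e.pid].add("loads_unnamed_module")
    return found


def alerts(events, threshold=2):
    """PIDs carrying at least `threshold` distinct indicators (threshold is an assumption)."""
    return {pid: sorted(s) for pid, s in indicators(events).items() if len(s) >= threshold}


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe")
SVCHOST = "C:\\Windows\\SysWOW64\\svchost.exe"

# Constructed event stream mirroring the report's process tree and file IoCs.
SAMPLE_EVENTS = [
    Event("process", 1360, SAMPLE, f'"{SAMPLE}"'),
    Event("process", 4544, "C:\\Users\\Admin\\AppData\\Local\\jbponnmwwg",
          f'"{SAMPLE}" a -s{SAMPLE.lower()}'),
    Event("process", 1792, SVCHOST, f"{SVCHOST} -k netsvcs -s fastuserswitchingcompatibility"),
    Event("file_write", 1792, SVCHOST, target="C:\\Windows\\SysWOW64\\xqougssefw"),
    Event("file_write", 1792, SVCHOST, target="C:\\Windows\\SysWOW64\\svchost.exe.txt"),
    # the report does not name the module svchost loads; assumed here to be the dropped file
    Event("image_load", 1792, SVCHOST, target="C:\\Windows\\SysWOW64\\xqougssefw"),
    # constructed benign controls: an ordinary service host and a user document write
    Event("process", 900, "C:\\Windows\\System32\\svchost.exe",
          "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"),
    Event("file_write", 2200, "C:\\Windows\\explorer.exe",
          target="C:\\Users\\Admin\\Desktop\\notes.txt"),
]

if __name__ == "__main__":
    for pid, names in sorted(alerts(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(names))
```

Against the constructed stream this flags PID 4544 (dropper) and PID 1792 (hollowed service host) and stays silent on PID 1360, the ordinary svchost and the explorer write. To run it on live telemetry, map Sysmon Event ID 1 to "process", Event ID 11 to "file_write" and Event ID 7 to "image_load". The three WerFault crashes in the report are not scored either: they show the injected payload is unstable on this image, but crashing service hosts are not specific to this family.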
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 22.3MB
MD5: a3a4cca0633bcd32b64dc901e15acfa1
SHA1: 6dacc7d37a799c6866de3979e2624f4fd8019435
SHA256: 1b33b68f66da95aa654499c06526bfbc9c5676e0c728f80e63d7eb6e1bdec6a2
SHA512: 6b6be844ca55bf15c7e8ac54845bea1af637b77c39e538a6d61e5dac699ff987f5d3946ec8fc0d7b54e3405aaf6b75aab1c659828fa97fc2e9e541cbb9dd02b3

Filesize: 204B
MD5: 7f06803077c5e2b3179782c5b7e0d909
SHA1: 44942428883c1e39925973e58e13a88d06967e39
SHA256: a6ad0870e1208bbfb8d5de0799147a2675e9b3547335e30c4b46f808cf617959
SHA512: 2a31ea66bccbf5a6f1f3656844dafe9c27dd030e80ec2d32e4e65cf7e97386cb2311ab56ccfe4777a0e4fee8f8bbbac1d1c0161ea4b6dd3cd08a2bacd7b377bb

Filesize: 306B
MD5: cb1e5bc3923f7bf8dac79a4a99db7ecb
SHA1: 4965e83e7541bbc2a8123b2456c1cc56b27b9f6e
SHA256: 9a1aa771cd016ee97deacc5ad10b8ceec1e3c41bc57d9d0c1a879c44efc130c3
SHA512: d2228695b8557caf50d8560abad2e86140f76d4d791b3575c0b3856482ba05973c4f05e65ac91ef0b435eb3064f32fc979550d419d10c944915df9d498f3db31

Filesize: 22.1MB
MD5: 7d140cbfb4e3560dc0cf2e3942b4496c
SHA1: 69d96359a90b4969992c1c9627e2310971945e35
SHA256: 12b11d170529895116f6b9df3310c2e57768985691f557b2433e9159117f057e
SHA512: 31fcb21cdbaf39f6a1ae64504b779d3ad5a94e5c9279648aad79a2d4c04dd3ad67f7fe148d0e6d511a7b86335436cea51557d65c6bdd86f45132c4d53049b379
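A parser for the flattened hash records used in the General block and the Downloads block of this report, plus a check of a file's digests against them: an added example, not the sandbox's own code. The embedded report text is copied from this page (the General record and the first two Downloads records, including the fused `MD5a3a4...` lines exactly as extracted); sizes are kept as the rounded strings the page shows, and the SSDEEP value is carried through unverified because comparing it needs the ssdeep library. `match_bytes` rejects a record on any disagreeing digest rather than accepting a single agreeing one, so a collision in one weak algorithm cannot produce a false identification.

```python
import hashlib
import re
import sys

# Copied from this report page: the General record and the first two Downloads
# records, in the flattened form the page uses.
REPORT_TEXT = """\
General
-
Target
d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da.exe
-
Size
96KB
-
MD5
373047647bd25c1d3aa9cd960bcd7af8
-
SHA1
5436d03709612a6b1aa2ebbc9609de33c34b3260
-
SHA256
d8cdfaa3df200a38488e37eb608e4dc91931c16409f14a28b842a21ec9fa15da
-
SHA512
e1ef29b53678bdcf242004cc03494d2b85e16aea86a801ccb000a4e45a0ad2f6448c6426401cd86d3731d1a3aa024c154a8402811ea8b2b97285fa646a86b301
-
SSDEEP
1536:1kFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr9SNsMSaSKd:1WS4jHS8q/3nTzePCwNUh4E99SNiKd
Downloads
-
Filesize
22.3MB
MD5a3a4cca0633bcd32b64dc901e15acfa1
SHA16dacc7d37a799c6866de3979e2624f4fd8019435
SHA2561b33b68f66da95aa654499c06526bfbc9c5676e0c728f80e63d7eb6e1bdec6a2
SHA5126b6be844ca55bf15c7e8ac54845bea1af637b77c39e538a6d61e5dac699ff987f5d3946ec8fc0d7b54e3405aaf6b75aab1c659828fa97fc2e9e541cbb9dd02b3
-
Filesize
204B
MD57f06803077c5e2b3179782c5b7e0d909
SHA144942428883c1e39925973e58e13a88d06967e39
SHA256a6ad0870e1208bbfb8d5de0799147a2675e9b3547335e30c4b46f808cf617959
SHA5122a31ea66bccbf5a6f1f3656844dafe9c27dd030e80ec2d32e4e65cf7e97386cb2311ab56ccfe4777a0e4fee8f8bbbac1d1c0161ea4b6dd3cd08a2bacd7b377bb
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# A key may stand alone (value on the next line) or be fused with its value.
KEY_RE = re.compile(r"^(Target|Filesize|Size|MD5|SHA1|SHA256|SHA512|SSDEEP)\s*(.*)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_records(text):
    """One dict per file record; a record starts at a Target or Filesize key."""
    records, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if pending is not None:                      # value of the previous bare key
            cur[pending] = line.lower() if pending in HASH_LEN else line
            pending = None
            continue
        m = KEY_RE.match(line)
        if m is None:                                # section headings such as "General"
            continue
        key, rest = m.group(1), m.group(2).strip()
        if key in ("Target", "Filesize"):
            cur = {}
            records.append(cur)
        if cur is None:
            continue
        key = "Size" if key == "Filesize" else key
        if rest:
            cur[key] = rest.lower() if key in HASH_LEN else rest
        else:
            pending = key
    return records


def problems(record):
    """Digest fields that are not well-formed lowercase hex of the expected length."""
    return [k for k, n in HASH_LEN.items()
            if k in record and (len(record[k]) != n or HEX_RE.match(record[k]) is None)]


def hashes_of(data: bytes):
    return {k: getattr(hashlib, k.lower())(data).hexdigest() for k in HASH_LEN}


def match_bytes(data: bytes, records):
    """Records whose every listed digest agrees with `data`; any disagreement rejects."""
    h = hashes_of(data)
    return [r for r in records
            if any(k in r for k in HASH_LEN) and all(r[k] == h[k] for k in HASH_LEN if k in r)]


RECORDS = parse_records(REPORT_TEXT)

if __name__ == "__main__":
    for r in RECORDS:
        print(r.get("Target", "download"), r.get("Size"), r.get("SHA256"), problems(r) or "ok")
    if len(sys.argv) > 1:                            # python check.py <file> compares a local file
        with open(sys.argv[1], "rb") as f:
            hits = match_bytes(f.read(), RECORDS)
        print("match:" if hits else "no match", [h.get("Target", "download") for h in hits])
```

`hashes_of` uses `hashlib.md5`, `hashlib.sha1`, `hashlib.sha256` and `hashlib.sha512`, looked up by the lowercased key name; the parser lowercases digests so that a mixed-case hash pasted from another tool still compares equal.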