Analysis
max time kernel: 122s
max time network: 129s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 02:30
Static task: static1
Behavioral task: behavioral1
  Sample: ZZZVMP~1.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: ZZZVMP~1.exe
  Resource: win10v2004-20241007-en
General
Target: ZZZVMP~1.exe
Size: 250KB
MD5:
a5604e31ed5ae25df2dfe72af47d8e15
SHA1:
930320b599e50305475ba3c77f1c84ce234d4fa4
SHA256:
edcf12512c0b2cbb1c5680ffd56ea020ac5723e7fcf476272bd20315fa18d6cc
SHA512:
8d9936e1599ea1748aae0212a1efa5dbb23365c6cfceba8c2a8f47554e4d5ddcddb317bca4c6489a9e824e064a5d5d3fe0448da54e8029952f747c86daa31346
SSDEEP:
6144:q/kuouETjkfHN7VH4tFHpXmLM2vj0jJNbLoJt0wy0Y6Osh:qJ7ETQHfY1FLoJlnHh
Malware Config
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/1936-25-0x0000000000400000-0x000000000042E000-memory.dmp
  yara_rule: family_gh0strat
Gh0strat family
Executes dropped EXE (2 IoCs)
  PID 2584  Output.exe
  PID 1936  Output.exe
Loads dropped DLL (4 IoCs)
  PID 2356  ZZZVMP~1.exe
  PID 2356  ZZZVMP~1.exe
  PID 2584  Output.exe
  PID 2584  Output.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: ZZZVMP~1.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 2584 (Output.exe) set thread context of PID 1936  (procid_target: 31)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: ZZZVMP~1.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: Output.exe
Suspicious use of UnmapMainImage (1 IoC)
  PID 1936  Output.exe
Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2356 (ZZZVMP~1.exe) wrote to memory of PID 2584  (procid_target: 30)  [7 identical entries]
  PID 2584 (Output.exe) wrote to memory of PID 1936  (procid_target: 31)  [13 identical entries]
Processes
1. C:\Users\Admin\AppData\Local\Temp\ZZZVMP~1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ZZZVMP~1.exe"
   PID: 2356
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Output.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Output.exe
      PID: 2584
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Output.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Output.exe"
         PID: 1936
         - Executes dropped EXE
         - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 198KB
MD5: baaa4a7d34833b22d9687e255b7d6de6
SHA1: 7a8a50882c5f6ead554a6f9c3d0084a2df0bc507
SHA256: 42e9d01c78c87aac25988c0c9623912e779e7208496e916841fc2b3d56b5e143
SHA512: d3260111bc629ee6365df1697c966e15ac9bac847aa6805fde73defe6068c1f8cd6de15ff5d4f7beea8e2b62e957860da8fd69d384bb5a818218ed1af4d95499