Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 20:50
Static task: static1
Behavioral task: behavioral1
Sample: 8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
Resource: win10v2004-20241007-en
General
Target: 8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
Size: 2.8MB
MD5: b35ba959f3d42c9902336dc2d3a0c9b9
SHA1: bf675713b46652024da9093a6f4fe90a5c7b577f
SHA256: 8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e
SHA512: 7a8659ba49cbb8bd4c315dd3da4b9bb8d65ae97b391befb57b54ae7e4678d01d380ec5e8c1df1f0cfbd0b60e3dc922a0a5d5d99cd713690ff8e313d244996f80
SSDEEP: 49152:NUCCeDMTHzLlCT3ZF4tn+vc2lxehaXGpudG5cJpbhrba:vvMTHdCT3ktnUcixlGKb8
Malware Config
Signatures
Gh0st RAT payload 1 IoCs
Processes:
resource: behavioral1/memory/2864-7809-0x0000000000400000-0x0000000000575000-memory.dmp
yara_rule: family_gh0strat
Gh0strat family
Executes dropped EXE 2 IoCs
Processes:
pid 2816  process SubRangs.exe
pid 2864  process Internet Explorer.exe
Loads dropped DLL 4 IoCs
Processes:
pid 2816  process SubRangs.exe (4 identical entries)
Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs
Processes:
pid 2864  process Internet Explorer.exe (37 identical entries)
Drops file in Windows directory 1 IoCs
Processes:
description File opened for modification  ioc C:\Windows\ODBC.INI  process Internet Explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description Key opened  ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process 8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
description Key opened  ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process SubRangs.exe
description Key opened  ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process Internet Explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 1804  process 8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe (64 identical entries)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid 1804  process 8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe (2 identical entries)
pid 2816  process SubRangs.exe
pid 2864  process Internet Explorer.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description PID 1804 wrote to memory of 2684  pid 1804  process 8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe  target process cmd.exe (4 identical entries)
description PID 2684 wrote to memory of 2816  pid 2684  process cmd.exe  target process SubRangs.exe (4 identical entries)
description PID 2816 wrote to memory of 2864  pid 2816  process SubRangs.exe  target process Internet Explorer.exe (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8f554c0b99b41ab30974a75688ba733f02bb729f354d04440e88e93f34eefd8e.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1804
   2. \??\c:\windows\system32\cmd.exe
      Command line: c:\windows\sysnative\cmd /c "C:\Windows\Temp\SubRangs.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2684
      3. C:\Windows\Temp\SubRangs.exe
         Command line: C:\Windows\Temp\SubRangs.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 2816
         4. C:\Windows\Temp\Internet Explorer.exe
            Command line: "C:\Windows\Temp\Internet Explorer.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            PID: 2864
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: cbd351fc93b61ca74898d8183d36d9a2
SHA1: 3c1ad1055438642571e4160c213bb563085d640c
SHA256: ebc9ed2855d5847894414e9e72b729d978d46d8ec81335ae6e1fc3432a838069
SHA512: ee4f6897c91e37571d8c1c929593f7aecfbaad5aa6ca896a035203df285d1bc33f3c042f5850e5433d7c599f33371b6de0c527787abc93c581d27d8b190224d3

Filesize: 666KB
MD5: a48c8e538d62c65ca94d7651f1364f37
SHA1: 41a9fe6d151b2880cc4ea37885c4430d353e8159
SHA256: e4e34957dfa20c6cd73cc5e1a4d800079d3eeab4899cf2e72cb876da662179ec
SHA512: cf900db3656f47ae5c78a1831647e570967e1011a0f50db47ef99438293a071b8e3eb9b1bcf32f393a9d32ff31e8176b9f0da4fd59dca99777f2160b11f2dd79

Filesize: 1.2MB
MD5: a6a397b67ebac717e7ec095bf9b597ee
SHA1: 80c7459654f3564c0cb74a47398d48e0f02cb82f
SHA256: 847fbe068ff90112d9b76c04587439ee3a3866d8c60466bb4673491d94ddfd89
SHA512: 0eb5528a4aad4458feddbefb5347d0e2cd84d6240a341ccc425d6ed98d15d8588d8635f21d30af389a2af5ac9537bea56a1d97530ac90e965989e296f1c5d8c8

Filesize: 60KB
MD5: 98174c8c2995000efbda01e1b86a1d4d
SHA1: 7e71a5a029a203e4ab0afc68eee18c39f4ab4097
SHA256: 90284c2ead0598faa715cc90c1f53b83b916099c918ce7f816f0b4550ff55ac6
SHA512: a37059062a99cd2a9fae15850b49068752ccf0be9f1d86c3f812a689b7c4d024771ec2b66adf9ce950bc5b8b117d457aba87d586cf112a1a30239531bfc8cd06