Analysis
-
max time kernel
136s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
14-09-2022 22:38
General
-
Target
41198bbd6b4858a4d72df3e42acad8a3b5592267907228957926f0ee7ba0e290.exe
-
Size
375KB
-
MD5
01b9e2ee32ee6efca33974fe6d679b92
-
SHA1
73caf3bc1b206b0e0afb0e62fe89a7a95536ea66
-
SHA256
41198bbd6b4858a4d72df3e42acad8a3b5592267907228957926f0ee7ba0e290
-
SHA512
a6cbfec4a920d0e926e49f7f2e74de8d8bb2a323edea5508c0cacc7ffecdba61620cb91b12b64997a72c33db7461511674833fb536ea35f5c826ab11a5cfccf7
-
SSDEEP
6144:av5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:a4VOiF1WD7kE1dTYOi8V5u23zmWFy4
Malware Config
Signatures
-
Gh0st RAT payload 11 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Executes dropped EXE 4 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\41198bbd6b4858a4d72df3e42acad8a3b5592267907228957926f0ee7ba0e290.exe"C:\Users\Admin\AppData\Local\Temp\41198bbd6b4858a4d72df3e42acad8a3b5592267907228957926f0ee7ba0e290.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 6442⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3372 -ip 33721⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39.4MB
MD5c713324f4fad5f2e11181c3ce4cf1ad9
SHA1c173e33bb387bc7b521f2d49eace887b079229b1
SHA2561b6c99912924112863be67ac9cfa6e2aaba21cdf3ca2deea19664e500e7cf6bc
SHA512e6839efce3147d8e150a4b83f7588935622eb78dd6b4c12a81f752534c79339bff37208a7b1193b185a6cb16a0c7e71d5798ec6223c41395ac0616ae9bdd20ec
-
Filesize
39.4MB
MD5c713324f4fad5f2e11181c3ce4cf1ad9
SHA1c173e33bb387bc7b521f2d49eace887b079229b1
SHA2561b6c99912924112863be67ac9cfa6e2aaba21cdf3ca2deea19664e500e7cf6bc
SHA512e6839efce3147d8e150a4b83f7588935622eb78dd6b4c12a81f752534c79339bff37208a7b1193b185a6cb16a0c7e71d5798ec6223c41395ac0616ae9bdd20ec
-
Filesize
39.4MB
MD5c713324f4fad5f2e11181c3ce4cf1ad9
SHA1c173e33bb387bc7b521f2d49eace887b079229b1
SHA2561b6c99912924112863be67ac9cfa6e2aaba21cdf3ca2deea19664e500e7cf6bc
SHA512e6839efce3147d8e150a4b83f7588935622eb78dd6b4c12a81f752534c79339bff37208a7b1193b185a6cb16a0c7e71d5798ec6223c41395ac0616ae9bdd20ec
-
Filesize
39.4MB
MD5c713324f4fad5f2e11181c3ce4cf1ad9
SHA1c173e33bb387bc7b521f2d49eace887b079229b1
SHA2561b6c99912924112863be67ac9cfa6e2aaba21cdf3ca2deea19664e500e7cf6bc
SHA512e6839efce3147d8e150a4b83f7588935622eb78dd6b4c12a81f752534c79339bff37208a7b1193b185a6cb16a0c7e71d5798ec6223c41395ac0616ae9bdd20ec
-
Filesize
39.4MB
MD5c713324f4fad5f2e11181c3ce4cf1ad9
SHA1c173e33bb387bc7b521f2d49eace887b079229b1
SHA2561b6c99912924112863be67ac9cfa6e2aaba21cdf3ca2deea19664e500e7cf6bc
SHA512e6839efce3147d8e150a4b83f7588935622eb78dd6b4c12a81f752534c79339bff37208a7b1193b185a6cb16a0c7e71d5798ec6223c41395ac0616ae9bdd20ec
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
420KB
-
-
Filesize
3.4MB
-
Filesize
420KB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
420KB
-
-
Filesize
420KB
-
Filesize
3.4MB
-
Filesize
420KB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
420KB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
-
Filesize
420KB
-
Filesize
420KB