Analysis

  • max time kernel
    173s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-10-2022 15:54

General

  • Target

    e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe

  • Size

    156KB

  • MD5

    1710258343ac8af4dae7b976125f119f

  • SHA1

    c69a8f32b03fb5630ba33be642fcff4a756f8cec

  • SHA256

    e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf

  • SHA512

    51bf5c9c4f797b755b7e080a31eecdbd74f352472a362a8133d584f6de569ecce11b764d46f8176162c49ee181820a1ba44005149dbe1a80684fb89e3f1db0c9

  • SSDEEP

    3072:dVZd5rnmoWOQrkdJv5hMFULTvtcMk8Lyji8lkivl05K3i+ITqn:dXd5rmoWOQsJRG4GMkSQi8Tvl05K3DIk

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe
    "C:\Users\Admin\AppData\Local\Temp\e942c0354d31215b34a4625982ae2f792e3b8b10d60348784497e43ffcf02eaf.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\SysWOW64\inpleqlxa.exe
      C:\Windows\System32\inpleqlxa.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Windows\SysWOW64\userinit.exe
        userinit.exe
        3⤵
        • Loads dropped DLL
        PID:524

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240574609_lang.dll

    Filesize

    114KB

    MD5

    84969a0da5920a151b8ae9b4c1afde4c

    SHA1

    284cb96c3933a99d03b8646d22b451d3f5d90a23

    SHA256

    31f523ab4050c6d591dde7cd9ed7a23a38bedd1e1a7a410bada2674e368c983e

    SHA512

    807a215d60a8c3bd19fc27a0c1bfa354c23667106a3611da8a5c78a836cab067a5b5104d33ea1f37a8828ad7ec2d6536ac5d9d73efd9f41091a98090c13a1046

  • C:\Windows\SysWOW64\inpleqlxa.exe

    Filesize

    156KB

    MD5

    0893d226328a4c39bd926eaf9fb56a01

    SHA1

    daeb9f8a694834700b01dd59fafb7948f288c4e1

    SHA256

    ba13c41f8274d831167ce8e919a73082d584cd3712ccbb3c242d1c1a69033c50

    SHA512

    63405540c2dec09ed27a5b721efb2cbd33240a52eb5ea219e5c134140698ce0cff88537d9e9fecb4d463db31f4703373f9176684397aec8badb6705b5e24af7d

  • memory/524-135-0x0000000000000000-mapping.dmp

  • memory/4964-132-0x0000000000000000-mapping.dmp