Analysis

  • max time kernel
    122s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-10-2022 01:22

General

  • Target

    c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe

  • Size

    33KB

  • MD5

    fc4fbe618aa4f23e8bbbfa0babb0e4ff

  • SHA1

    cc3eeed97dd8c71f08992cbba002d9cefc6f6585

  • SHA256

    c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0

  • SHA512

    4c3eac897ec9e5309a159c2df4094482df4d8ec4d3a7f1b13d12cb3530f3b63d1be3044bfe5f1b2679d473aaa0563b886c4f9d873f5572ececd316707978a4cf

  • SSDEEP

    768:Yw/iOWTK3JWhOM/qZh7UJGcZ/VQRpWGKnbcuyD7UmGV:3QK52fqZSIA9QQnouy8mGV

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • RunningRat

    RunningRat is a remote access trojan first seen in 2018.

  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Creates a Windows Service
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe
    "C:\Users\Admin\AppData\Local\Temp\c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe"
    1⤵
    • Sets DLL path for service in the registry
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4668
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\c4341212d4f2fd752bccce5df68febea6317f4ceb9f864c2dece126f4e63e4b0.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 1
        3⤵
        • Runs ping.exe
        PID:944
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "serivecs"
    1⤵
      PID:2084
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "serivecs"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4208
      • C:\Windows\SysWOW64\serivecs.exe
        C:\Windows\system32\serivecs.exe "c:\windows\system32\240573296.dll",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:1104

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\240573296.dll

      Filesize

      37KB

      MD5

      e6c90401901f1c50afcd1d33d7d38e9c

      SHA1

      1bb4d24d064a2545d1a4a4b8d7291b33713b5c43

      SHA256

      a7437b4a3c4657c7d9ec14e6b31b673228efd4fa508b2b9805643c2d75878e1d

      SHA512

      83275f0e5ce1eda75d41343b1f3d3de67a7a5910b0919cdc5bdec4fd1998b5ca6186651ddfe2bd379488fa670fd2634153ba26e2e42af71327398f4f852bbb9a

    • C:\Windows\SysWOW64\240573296.dll

      Filesize

      37KB

      MD5

      e6c90401901f1c50afcd1d33d7d38e9c

      SHA1

      1bb4d24d064a2545d1a4a4b8d7291b33713b5c43

      SHA256

      a7437b4a3c4657c7d9ec14e6b31b673228efd4fa508b2b9805643c2d75878e1d

      SHA512

      83275f0e5ce1eda75d41343b1f3d3de67a7a5910b0919cdc5bdec4fd1998b5ca6186651ddfe2bd379488fa670fd2634153ba26e2e42af71327398f4f852bbb9a

    • C:\Windows\SysWOW64\240573296.dll

      Filesize

      37KB

      MD5

      e6c90401901f1c50afcd1d33d7d38e9c

      SHA1

      1bb4d24d064a2545d1a4a4b8d7291b33713b5c43

      SHA256

      a7437b4a3c4657c7d9ec14e6b31b673228efd4fa508b2b9805643c2d75878e1d

      SHA512

      83275f0e5ce1eda75d41343b1f3d3de67a7a5910b0919cdc5bdec4fd1998b5ca6186651ddfe2bd379488fa670fd2634153ba26e2e42af71327398f4f852bbb9a

    • C:\Windows\SysWOW64\serivecs.exe

      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

    • C:\Windows\SysWOW64\serivecs.exe

      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

    • \??\c:\windows\SysWOW64\240573296.dll

      Filesize

      37KB

      MD5

      e6c90401901f1c50afcd1d33d7d38e9c

      SHA1

      1bb4d24d064a2545d1a4a4b8d7291b33713b5c43

      SHA256

      a7437b4a3c4657c7d9ec14e6b31b673228efd4fa508b2b9805643c2d75878e1d

      SHA512

      83275f0e5ce1eda75d41343b1f3d3de67a7a5910b0919cdc5bdec4fd1998b5ca6186651ddfe2bd379488fa670fd2634153ba26e2e42af71327398f4f852bbb9a

    • memory/944-138-0x0000000000000000-mapping.dmp

    • memory/1104-139-0x0000000000000000-mapping.dmp

    • memory/2068-136-0x0000000000000000-mapping.dmp

    • memory/4668-132-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/4668-137-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB