Analysis

  • max time kernel
    189s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/11/2022, 04:34

General

  • Target

    02d5a19dc879f4c12a184fbea0272b5e3b68425a4797900c662e5c535b10eb1e.exe

  • Size

    960KB

  • MD5

    d57075473f47527e120aadd97c041fc3

  • SHA1

    8c2f7ef3bffe4eaad1a7dd3d9e281762afb4f975

  • SHA256

    02d5a19dc879f4c12a184fbea0272b5e3b68425a4797900c662e5c535b10eb1e

  • SHA512

    e4a8ddd313e4d86422d80b347122f61b39c54a518849e5f70b0243a536d1991f5fea7c8e0c734816726abb26087a7b44fd06d734d84a1d5f02a3e44899e5ff1e

  • SSDEEP

    24576:bDZqBmKrshiiLSZcOKiAtrgH/Yflt4S+n:bsZrshiHZcDltrs/ult4t

Malware Config

Signatures

  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access trojan (RAT) whose source code is public; it has been used by multiple Chinese threat groups, and the many forks in circulation mean a detection on the payload alone does not identify a particular operator.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely to geofence execution to (or away from) particular locales.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer that runs Windows applications on other operating systems and is sometimes used as a sandboxing environment; checking for its registry keys is an anti-analysis technique.

  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's ransomware attribution is generic; in a RAT with a file-manager component, drive enumeration is equally consistent with reconnaissance, so treat this as a weak indicator on its own.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02d5a19dc879f4c12a184fbea0272b5e3b68425a4797900c662e5c535b10eb1e.exe
    "C:\Users\Admin\AppData\Local\Temp\02d5a19dc879f4c12a184fbea0272b5e3b68425a4797900c662e5c535b10eb1e.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system32\RnmmtfC.dll Install
      2⤵
      • Sets DLL path for service in the registry
      • Loads dropped DLL
      PID:208
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\02D5A1~1.EXE >> NUL
      2⤵
      PID:4632
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\windows\system32\rnmmtfc.dll wintest
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:4260

Downloads

  • C:\Windows\SysWOW64\RnmmtfC.dll

    Filesize

    116KB

    MD5

    ec178954ae0ae611ca51636b4ace99b7

    SHA1

    7f207432038e05c06ff082a7fd6451b7bbbb31fe

    SHA256

    4097800176004e544812351a8da27a5d3ffc21e75eace8fd26d3c558d6c0b774

    SHA512

    7305962407585422f7e1f76ae1945cdbf59080322f3507a8976f054ac79538210ded8ec2427c0a848300a1ff1cac55eed7bd647477bea3671fb248918e7af105


  • memory/208-139-0x0000000010000000-0x0000000010023000-memory.dmp (140KB)
  • memory/4260-148-0x0000000010000000-0x0000000010023000-memory.dmp (140KB)
  • memory/4260-146-0x0000000010000000-0x0000000010023000-memory.dmp (140KB)
  • memory/4716-137-0x0000000077310000-0x00000000774B3000-memory.dmp (1.6MB)
  • memory/4716-144-0x0000000000400000-0x00000000005F9000-memory.dmp (2.0MB)
  • memory/4716-145-0x0000000077310000-0x00000000774B3000-memory.dmp (1.6MB)
  • memory/4716-138-0x0000000000400000-0x00000000005F9000-memory.dmp (2.0MB)
  • memory/4716-133-0x0000000000400000-0x00000000005F9000-memory.dmp (2.0MB)
  • memory/5008-147-0x0000000010000000-0x0000000010023000-memory.dmp (140KB)
  • memory/5008-149-0x0000000010000000-0x0000000010023000-memory.dmp (140KB)

    The 0x10000000-0x10023000 region is dumped from PIDs 208, 4260 and 5008, i.e. exactly the three processes flagged "Loads dropped DLL", and 0x10000000 is the default image base for a 32-bit DLL built with MSVC; these dumps are therefore consistent with the mapped copy of RnmmtfC.dll (140KB in memory versus 116KB on disk, as expected after section alignment) and are the first place to look for the unpacked Gh0st payload and its C2 configuration. The 0x400000-0x5F9000 dumps from PID 4716 are the dropper's own image.