Analysis
-
max time kernel
101s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
05/12/2022, 05:34
General
-
Target
f21bfc6660cd64adc45eda10613e5c705273ad7bb6099dad5c4eefa5012c9b6a.exe
-
Size
492KB
-
MD5
323601ea013a93514856cb43a58030b4
-
SHA1
53263b5e5122881756b597e58d90b713ad61e16c
-
SHA256
f21bfc6660cd64adc45eda10613e5c705273ad7bb6099dad5c4eefa5012c9b6a
-
SHA512
6f170cd2dd8b22bc76a05eb591356ae813399f1414d23f129849eadd68a01f830d791e6db86d50d8c1c4a0cbf72edefd5064e28f59ada692841301d8ac8f4b48
-
SSDEEP
6144:o4RFDmLzNZVazYloL8cKCXTq7drxfBr5h1MmUdKrw2Rnh5Esym2E87RzYQR0jXH7:FRFDmH3VHFF3MmUiweh5EsyY8dzPML
Malware Config
Signatures
-
Gh0st RAT payload 4 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f21bfc6660cd64adc45eda10613e5c705273ad7bb6099dad5c4eefa5012c9b6a.exe"C:\Users\Admin\AppData\Local\Temp\f21bfc6660cd64adc45eda10613e5c705273ad7bb6099dad5c4eefa5012c9b6a.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\½â³ý½û±Õ.exe"C:\Users\Admin\AppData\Local\Temp\½â³ý½û±Õ.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\¸¨ÖúÎļþ.exe"C:\Users\Admin\AppData\Local\Temp\¸¨ÖúÎļþ.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 2843⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exeC:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1384 -ip 13841⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
198KB
MD5bfcd6f1d33f043473fd56f3331e60638
SHA1dc0c64bf0579397125259c9f90412864423c1a9f
SHA256c0d6ee695be90042757349307664f25eeced4753dedc03436915c23fb51d542d
SHA512f41a39faa68fe66164fdd97a6019dc4ab49aa1aad3f48cc34551450e1c1127c1ecf46a544442967a72122fe61edca196bef9ecde983c41191758a46d512a639b
-
Filesize
198KB
MD5bfcd6f1d33f043473fd56f3331e60638
SHA1dc0c64bf0579397125259c9f90412864423c1a9f
SHA256c0d6ee695be90042757349307664f25eeced4753dedc03436915c23fb51d542d
SHA512f41a39faa68fe66164fdd97a6019dc4ab49aa1aad3f48cc34551450e1c1127c1ecf46a544442967a72122fe61edca196bef9ecde983c41191758a46d512a639b
-
Filesize
2KB
MD5410e2424a78b78473ed6f786478d690e
SHA1e00fc8e126b42949b6d9e4b99c726ca86fb4c241
SHA25642915e2d18ac3d175b0ba851a217687aa0367d6ce554add594948f52c812e559
SHA5124ca4682ee41fc6aec747b5cbae1d9933ca5212660ed0ea81d6f38802d115659c9144b824d6a57b4a546b0fc7357d7332b77dcae6bd4343d8daa0ec6042e051ac
-
Filesize
198KB
MD5bfcd6f1d33f043473fd56f3331e60638
SHA1dc0c64bf0579397125259c9f90412864423c1a9f
SHA256c0d6ee695be90042757349307664f25eeced4753dedc03436915c23fb51d542d
SHA512f41a39faa68fe66164fdd97a6019dc4ab49aa1aad3f48cc34551450e1c1127c1ecf46a544442967a72122fe61edca196bef9ecde983c41191758a46d512a639b
-
Filesize
198KB
MD5bfcd6f1d33f043473fd56f3331e60638
SHA1dc0c64bf0579397125259c9f90412864423c1a9f
SHA256c0d6ee695be90042757349307664f25eeced4753dedc03436915c23fb51d542d
SHA512f41a39faa68fe66164fdd97a6019dc4ab49aa1aad3f48cc34551450e1c1127c1ecf46a544442967a72122fe61edca196bef9ecde983c41191758a46d512a639b
-
Filesize
98KB
MD5830276d53103857f05a1f9852fff8421
SHA1b60c02c47101f7c189966ffbe3d4a4a7d6636b73
SHA256e39a04bdf23c1dc15780501e128b3779a73e621ee2a3b6497f3dbcab1aebf13c
SHA51243ad60a0ca92b1aa1078df164ad86cb0838a76adb6099d18b17f67c2d985ee9d1a594624113d28fcb2f9893a05eacbf201c49bce480862996cd862715fe54118
-
Filesize
98KB
MD5830276d53103857f05a1f9852fff8421
SHA1b60c02c47101f7c189966ffbe3d4a4a7d6636b73
SHA256e39a04bdf23c1dc15780501e128b3779a73e621ee2a3b6497f3dbcab1aebf13c
SHA51243ad60a0ca92b1aa1078df164ad86cb0838a76adb6099d18b17f67c2d985ee9d1a594624113d28fcb2f9893a05eacbf201c49bce480862996cd862715fe54118
-
Filesize
20KB
MD5fae21ca43806a51cd0cadbf38471ec83
SHA11c56dea7dbbed91a65d739164f2ebc7f5bd238e1
SHA2562df19b1d4b2895071c21a77976957d7217696902d036dbb57e86ccf1614e81f7
SHA512aa2fc20dc8a069eb5a62688bfa536442d9b38accaa2fab35dabdffea3d3f1c24f487a4c8dde63907228c1e6fa0e91f71053d3a84600091b08a5f5d90c222b0f3
-
Filesize
20KB
MD5fae21ca43806a51cd0cadbf38471ec83
SHA11c56dea7dbbed91a65d739164f2ebc7f5bd238e1
SHA2562df19b1d4b2895071c21a77976957d7217696902d036dbb57e86ccf1614e81f7
SHA512aa2fc20dc8a069eb5a62688bfa536442d9b38accaa2fab35dabdffea3d3f1c24f487a4c8dde63907228c1e6fa0e91f71053d3a84600091b08a5f5d90c222b0f3
-
Filesize
180KB