Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2022, 02:57

General

  • Target

    f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe

  • Size

    185KB

  • MD5

    b11e7218cb481804403951feca2b5c23

  • SHA1

    734dd67c960c786c2c55026605d5702dae6d0d86

  • SHA256

    f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721

  • SHA512

    6b7226dec6aa578c6a7f8c179be95604eaf426003d1726b47ebe18f31848df7d018b1396b49c07f4a6366b05b77382f40dc8b94907fb475828f63040e8acd073

  • SSDEEP

    3072:2R1+aJe1mgawzxsBub861jIHxowh8j6X/3VGVnpUlCz764/9xpEEBqbZuwSy/Gmo:2RUTV5nA8j6XPVGpxx9b3wZuwSOGmYTJ

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 6 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour, but this sample is classified as Gh0st RAT and the report records no file encryption, so read it as drive enumeration rather than as evidence of encryption.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe
    "C:\Users\Admin\AppData\Local\Temp\f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Windows\SysWOW64\Kscrsu.exe
      "C:\Windows\System32\Kscrsu.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1696
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:1176

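Two details of the process tree above are worth turning into hunt logic. First, the dropper (PID 3536) triggers "Drops file in System32 directory" while the dropped binary actually lands in C:\Windows\SysWOW64: the command line names System32, the image path is SysWOW64, and the resource tags include arch:x86, which is WoW64 file-system redirection of a 32-bit process writing to System32. Second, C:\2599100.dll is written to the drive root and then loaded by C:\Windows\SysWOW64\svchost.exe -k imgsvc (PID 1176); svchost loads service DLLs registered for its group, so this is consistent with the DLL having been registered as a service DLL, although the report does not show the registry write that would confirm it. The script below is an added example, not part of the Triage report: it matches files on a host against the report's SHA-256 values and runs the two behavioural rules over a constructed Sysmon-style event stream that mirrors the Processes section. The event field names (pid, ppid, image, target, loaded) and the event id numbers are this script's own convention, not a real Sysmon export format.

```python
"""Hunt for this report's artefacts: SHA-256 match plus the process-tree pattern.

Added example, not part of the Triage report. SAMPLE_EVENTS is constructed to
mirror the report's Processes section; its schema is this script's own.
"""
import hashlib
import os
import sys

# SHA-256 values copied verbatim from the report's General and Downloads sections.
REPORT_SHA256 = {
    "f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721": "dropper (submitted sample)",
    "f424aca7e2c5e124b9a7f3408b623e370dfb8fcc6f43191977547bc5384c3700": "Kscrsu.exe",
    "3f299a304c3781e36dc7746ec4193e1df76df55303e65b4de2b70df0c3259498": "2599100.dll",
    "f436cf9f95c4ce0f2280fe63f42407ce6e610d850fd14cc845edcd8275b9c2f2": "135.jpg",
    "85089b0ac93d3f4c7addaf25efea7f293d6960827f5fca77a977178e8af39ce2": "NT_Path.jpg",
}

# Path fragments used by the behavioural rules (lower-cased, backslash separated).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Map every readable file under root to its SHA-256."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                out[p] = sha256_file(p)
            except OSError:
                continue
    return out


def match_hashes(path_to_sha256: dict) -> dict:
    """Return {path: report label} for files whose SHA-256 appears in the report."""
    return {p: REPORT_SHA256[h.lower()] for p, h in path_to_sha256.items()
            if h.lower() in REPORT_SHA256}


# Constructed event stream modelled on the report's process tree.
# id 1 = process create, id 11 = file create, id 7 = image load (Sysmon numbering).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 3536, "ppid": 4000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\f81cefc5b27a8930fa7fd83d5d46df5d46ceb45f244cc0366f3b72d53b5a2721.exe"},
    {"id": 11, "pid": 3536, "target": r"C:\Windows\SysWOW64\Kscrsu.exe"},   # WoW64-redirected write
    {"id": 1, "pid": 1696, "ppid": 3536, "image": r"C:\Windows\SysWOW64\Kscrsu.exe"},
    {"id": 11, "pid": 1696, "target": r"C:\2599100.dll"},
    {"id": 1, "pid": 1176, "ppid": 800, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k imgsvc"},
    {"id": 7, "pid": 1176, "image": r"C:\Windows\SysWOW64\svchost.exe", "loaded": r"C:\2599100.dll"},
    {"id": 7, "pid": 1176, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "loaded": r"C:\Windows\SysWOW64\kernel32.dll"},   # benign control: must not fire
]


def find_drop_chain(events: list) -> list:
    """Rule 1: a process running from a user-writable path writes into System32/SysWOW64.
    Rule 2: svchost.exe loads a DLL that some process in the stream created outside C:\\Windows."""
    image_of = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    created = {e["target"].lower(): e["pid"] for e in events if e["id"] == 11}
    findings = []
    for e in events:
        if e["id"] == 11:
            src = image_of.get(e["pid"], "").lower()
            dst = e["target"].lower()
            if any(u in src for u in USER_WRITABLE) and any(s in dst for s in SYSTEM_DIRS):
                findings.append(f"pid {e['pid']} ({src}) wrote {e['target']} into a system directory")
        elif e["id"] == 7:
            dll = e["loaded"].lower()
            if e["image"].lower().endswith("\\svchost.exe") and dll in created and "\\windows\\" not in dll:
                findings.append(f"svchost pid {e['pid']} loaded dropped DLL {e['loaded']} (written by pid {created[dll]})")
    return findings


if __name__ == "__main__":
    for line in find_drop_chain(SAMPLE_EVENTS):
        print(line)
    if len(sys.argv) > 1:   # optional: hash a directory tree and report matches
        for p, label in match_hashes(hash_tree(sys.argv[1])).items():
            print(f"{label}: {p}")
```

Run without arguments to see the two findings the constructed stream produces (the Temp-to-SysWOW64 write and the svchost load of C:\2599100.dll); pass a directory to hash its contents against the report's SHA-256 list. The rules key on paths rather than on names, because Kscrsu.exe and 2599100.dll are trivially renamed while the drop-into-system-directory and svchost-loads-root-DLL pattern is not.
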
Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\2599100.dll

          Filesize

          113KB

          MD5

          8ac6d30b724bd5669cc6d062da672d9b

          SHA1

          a972660927e926576b492bddbf48f8b920965159

          SHA256

          3f299a304c3781e36dc7746ec4193e1df76df55303e65b4de2b70df0c3259498

          SHA512

          bfc6ff7edaa603bb6bb586c2a66f9b1110bc54544561cb7ca033dcce7ab87652624cbd10fdd2cfe1c6ac6f6de9772b2767ad4d3e76977d9960aaf2c839fb829f

        • C:\Program Files (x86)\TvbPlayer\135.jpg

          Filesize

          7.2MB

          MD5

          6e0d143346489059460240f940abbc8e

          SHA1

          6b2bb5255171b76f2e7d6b66321e5726e7e62b3f

          SHA256

          f436cf9f95c4ce0f2280fe63f42407ce6e610d850fd14cc845edcd8275b9c2f2

          SHA512

          3a02ae98606f52a049e43f0a39009a3949d4e09f7645b52ce36c319393d819dc79419ae6b29e675bcd609947a97e6aeddbf1563227faf377b22c6117f9836f5f

        • C:\Windows\SysWOW64\Kscrsu.exe

          Filesize

          145KB

          MD5

          97e4261c496accf6eecb9d1f37fb1074

          SHA1

          951c902816a0ca83769dfdbd34e898d6bcb4af7d

          SHA256

          f424aca7e2c5e124b9a7f3408b623e370dfb8fcc6f43191977547bc5384c3700

          SHA512

          1c17aa947907032e86cb225a85777d11867e45cfddb9365afbccac4455e52c944f73daddd50a0856a9fe64b67151c4220d215d88b78b2f094036f2717d565308

        • \??\c:\NT_Path.jpg

          Filesize

          45B

          MD5

          5842100cc769231b2ab403017c83b3d9

          SHA1

          7e3636e44d7906cf00d391e849ce5ff2bec2a79f

          SHA256

          85089b0ac93d3f4c7addaf25efea7f293d6960827f5fca77a977178e8af39ce2

          SHA512

          15469b0c504d61de3b570dd7942e840d499dc2f291949bcda27a1a17a09e7831b59db22a6efe4770795b9a95466e8d662ab5582919e42e6172c3aa669f60fa87

        • \??\c:\program files (x86)\tvbplayer\135.jpg

          Filesize

          7.2MB

          MD5

          6e0d143346489059460240f940abbc8e

          SHA1

          6b2bb5255171b76f2e7d6b66321e5726e7e62b3f

          SHA256

          f436cf9f95c4ce0f2280fe63f42407ce6e610d850fd14cc845edcd8275b9c2f2

          SHA512

          3a02ae98606f52a049e43f0a39009a3949d4e09f7645b52ce36c319393d819dc79419ae6b29e675bcd609947a97e6aeddbf1563227faf377b22c6117f9836f5f