Overview

overview

10

Static

static

10

0.exe

windows7-x64

10

0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    08-03-2023 12:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0.exe

  • Size

    71KB

  • MD5

    2a9d0d06d292a4cbbe4a95da4650ed54

  • SHA1

    44c32dfae9ac971c3651adbd82c821971a5400dc

  • SHA256

    09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c

  • SHA512

    ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d

  • SSDEEP

    1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e

Score
10/10
gh0stratrat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Deletes itself 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0.exe
    "C:\Users\Admin\AppData\Local\Temp\0.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1988
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Suspicious behavior: EnumeratesProcesses
    PID:1632
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fe9758,0x7fef6fe9768,0x7fef6fe9778
      2⤵
        PID:1768
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1236,i,13762552445179070119,5261218554303562535,131072 /prefetch:2
        2⤵
          PID:624
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1236,i,13762552445179070119,5261218554303562535,131072 /prefetch:8
          2⤵
            PID:2020
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
          1⤵
            PID:1376

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\1699800.dll
            Filesize

            64KB

            MD5

            45dc749351fd65d71da89ca2ed2766cb

            SHA1

            e080faf81157b7f867cb56938c5e579c206af9b9

            SHA256

            391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25

            SHA512

            7e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74

            Download Submit
          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp
            Filesize

            16B

            MD5

            6752a1d65b201c13b62ea44016eb221f

            SHA1

            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

            SHA256

            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

            SHA512

            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

            Download Submit
          • C:\Windows\FileName.jpg
            Filesize

            98KB

            MD5

            277edc549082862c3c79b1c129b4f4eb

            SHA1

            00e41914b99785302544219f9e2e53a383792654

            SHA256

            9f5592753a07afb09502eba5ce125f3893c1050cb181a39de60a608ce5c0643f

            SHA512

            d6db925606a992ef97c3268ea8587bcfba50a558043cd5f9abd4b46c4aae2ed81af2c95e136209271ee1056538ee8f6f31bf1009c83723167ce27b767a73b010

            Download Submit
          • \??\c:\NT_Path.jpg
            Filesize

            54B

            MD5

            beeabb43a936b044814f219d7900b5bb

            SHA1

            234b53aa487ab598f89dad2fc2d4b159c0ba7333

            SHA256

            d4f290453d98da1d15250b064146871a4f7d3cfb11fff29bb705e318793ecf15

            SHA512

            f85d7a3e78233a26b4fd543ac6969e251ec073d35c6d73e8b1b705ff7cbc0323e3dcbf47ffbaae514f7c4312ade35c483f162923d10539fdd9942b9fc90d11a3

            Download Submit
          • \??\c:\windows\filename.jpg
            Filesize

            98KB

            MD5

            277edc549082862c3c79b1c129b4f4eb

            SHA1

            00e41914b99785302544219f9e2e53a383792654

            SHA256

            9f5592753a07afb09502eba5ce125f3893c1050cb181a39de60a608ce5c0643f

            SHA512

            d6db925606a992ef97c3268ea8587bcfba50a558043cd5f9abd4b46c4aae2ed81af2c95e136209271ee1056538ee8f6f31bf1009c83723167ce27b767a73b010

            Download Submit
          • memory/624-67-0x0000000000060000-0x0000000000061000-memory.dmp
            Filesize

            4KB

            Download