Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
01-04-2023 19:11
General
-
Target
0.exe
-
Size
71KB
-
MD5
2a9d0d06d292a4cbbe4a95da4650ed54
-
SHA1
44c32dfae9ac971c3651adbd82c821971a5400dc
-
SHA256
09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c
-
SHA512
ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d
-
SSDEEP
1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e
Malware Config
Signatures
-
Gh0st RAT payload 5 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0.exe"C:\Users\Admin\AppData\Local\Temp\0.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\399000.dllFilesize
64KB
MD545dc749351fd65d71da89ca2ed2766cb
SHA1e080faf81157b7f867cb56938c5e579c206af9b9
SHA256391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25
SHA5127e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74
-
C:\399000.dllFilesize
64KB
MD545dc749351fd65d71da89ca2ed2766cb
SHA1e080faf81157b7f867cb56938c5e579c206af9b9
SHA256391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25
SHA5127e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74
-
C:\399000.dllFilesize
64KB
MD545dc749351fd65d71da89ca2ed2766cb
SHA1e080faf81157b7f867cb56938c5e579c206af9b9
SHA256391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25
SHA5127e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74
-
C:\Windows\FileName.jpgFilesize
9.3MB
MD5a78492a7157cf867e179c0e990a9e46d
SHA18d9d3ff66d057f940f3395d88781df5c183e7f09
SHA256201dde834a778f84fcfbaddba76ddc0a75424d8fc5f518fe9361dc4fe94d246f
SHA512a195ccf4cd44f29c02918555a46b2d13ec15a6a719d2d3cb1c1827996f37a57ca5f3b85babb35dbb8581e4ccd4b486c1568db5c98a6f6fd20dafdce840cbb858
-
\??\c:\NT_Path.jpgFilesize
53B
MD55b555478ab2d0d210f7b2eba209a49c8
SHA13728cad86b6c356bd0b5360fb207cd68b351c3b5
SHA256b1ef7557aba5d422a43ea9576740f6deeb284622a4f4dbd85d0dd016401295b9
SHA5128d30a73cf5226561157da0d4b5b0152bd55d4940da561b96bfbf13a9828ad5661d4858dcd3bc2dd8e9404665b60376cf6cf7e6b3a58506924dfe0136cde71741
-
\??\c:\windows\filename.jpgFilesize
9.3MB
MD5a78492a7157cf867e179c0e990a9e46d
SHA18d9d3ff66d057f940f3395d88781df5c183e7f09
SHA256201dde834a778f84fcfbaddba76ddc0a75424d8fc5f518fe9361dc4fe94d246f
SHA512a195ccf4cd44f29c02918555a46b2d13ec15a6a719d2d3cb1c1827996f37a57ca5f3b85babb35dbb8581e4ccd4b486c1568db5c98a6f6fd20dafdce840cbb858
