Overview

overview

10

Static

static

1

(电-子-�...��.exe

windows7-x64

10

(电-子-�...��.exe

windows10-2004-x64

10

Dekont,pdf.exe

windows7-x64

10

Dekont,pdf.exe

windows10-2004-x64

10

资金账�...��.exe

windows7-x64

10

资金账�...��.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 08:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    (电-子-发-票).exe

  • Size

    36KB

  • MD5

    928c43415fa08992ecf34e90db8c2a5b

  • SHA1

    b2bd43ff4005bce6d39fad9d8bf2c2f25a89f37c

  • SHA256

    e9cc6d34b4e20a11e3af01182672a0ca71d111d1b89d73fc8584a5534d491d7e

  • SHA512

    d1c847fbf19e5d7661ff90b365decc25142de94304c812c016719948901586378909d28424bb388f904f01b072f7840758d6baa4e75a7f857799333acab7976d

  • SSDEEP

    384:4krtyExpPhFmSkkuJ0EKtU/lOgDTp4nuHD80sApEQDeT6lF:jVh93umEeUcgDTWujtP

Score
10/10
gh0stratevasionratupx

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\(电-子-发-票).exe
    "C:\Users\Admin\AppData\Local\Temp\(电-子-发-票).exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2064
  • C:\ProgramData\Thunder\LiveUpdate.exe
    C:\ProgramData\Thunder\LiveUpdate.exe
    1⤵
    • Executes dropped EXE
    • Enumerates connected drives
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4976

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SqlVersion.dll
    Filesize

    1.8MB

    MD5

    317f9ff06c076e87e5b1d11242396d5f

    SHA1

    29868086fe5adb4b32c0216d953c419b596246c7

    SHA256

    0e10625daf43a3f4c67f2840ced29d535d0307148819c8ec73a7e76241e9f644

    SHA512

    ba2b12fc365fa232e6c96e1c8ebceb77bf9347fba2ffb4e3cee7d7be829cbab3cec17668cbf401b4904e5b831df3c6550821da1921f214166862dcc83ab44f07

    Download Submit

  • C:\ProgramData\SqlVersion.dll
    Filesize

    1.8MB

    MD5

    317f9ff06c076e87e5b1d11242396d5f

    SHA1

    29868086fe5adb4b32c0216d953c419b596246c7

    SHA256

    0e10625daf43a3f4c67f2840ced29d535d0307148819c8ec73a7e76241e9f644

    SHA512

    ba2b12fc365fa232e6c96e1c8ebceb77bf9347fba2ffb4e3cee7d7be829cbab3cec17668cbf401b4904e5b831df3c6550821da1921f214166862dcc83ab44f07

    Download Submit

  • C:\ProgramData\Thunder\LiveUpdate.dat
    Filesize

    23KB

    MD5

    f149d3f3ef0361ebe4d346811f29b527

    SHA1

    3f985657f0b93a58e9405d32eab4ee3957af12d2

    SHA256

    0929342683de55e572e11428b0cb545f6582c705c59655c0872589ae16043235

    SHA512

    331645f91cecb66fd8c04a26edc58d6e03ad44710b5b35161cbba3831e09855e02292ffb802d3a2c0ce1a4ecd9f301a580ff1d695ae06c7eda7d90ae72ef602c

    Download Submit

  • C:\ProgramData\Thunder\LiveUpdate.exe
    Filesize

    470KB

    MD5

    96e4b47a136910d6f588b40d872e7f9d

    SHA1

    0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

    SHA256

    f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

    SHA512

    6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

    Download Submit

  • C:\ProgramData\Thunder\Media.xml
    Filesize

    1.1MB

    MD5

    fd481828932e558a22651c092d8bc407

    SHA1

    0db0d90b2384197d4136643c11cc42091f2a4943

    SHA256

    b607ba991b27cf9551ffbf51b3e1f2c6a6a63d9748ac9d5c89c4f1b95f76bfa1

    SHA512

    934b78d80f88b2fe27bc2371b891c171852ceb465980e25bc96220edbd32cfd9e7057d59e3152a506baa862face14b7e1bc5221ce524c2845755c6f5b0514e61

    Download Submit

  • C:\ProgramData\setting.ini
    Filesize

    14B

    MD5

    88cc3e3a35ac7a57a2d9b2632c7fc5f8

    SHA1

    67a04a547a9add726932e00447e1c6939f1639fb

    SHA256

    18739435f66131b1c596d73fada3d1219ea0a4f2d4ccee56573baef4161d5e43

    SHA512

    1c40fc3635b2117a1a970778a8dcc11ba97d77a34cbb43583a018e43c1648138a5f8aacaf4d1767deed0b0e39879476e0069a43506b93d19c4997a10b3060038

    Download Submit

  • memory/2064-157-0x0000000074520000-0x00000000746E7000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2064-159-0x0000000074520000-0x00000000746E7000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4976-191-0x0000000002F50000-0x00000000030CB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4976-194-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-168-0x0000000002F50000-0x00000000030CB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4976-171-0x0000000002F50000-0x00000000030CB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4976-189-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-190-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-165-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-192-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-193-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-166-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4976-195-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-196-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-197-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-198-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-199-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-200-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-201-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-202-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-203-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4976-204-0x0000000000400000-0x000000000053F000-memory.dmp

    Filesize

    1.2MB

    Download