Overview

overview

10

Static

static

10

brunoHacker.exe

windows7-x64

10

brunoHacker.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    17-06-2023 15:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    brunoHacker.exe

  • Size

    408KB

  • MD5

    cda724098f73a391b79378ef37177297

  • SHA1

    c452c06614d914765eda8c33b7e618bdcddee50e

  • SHA256

    6e61574af212af8a984e691c74b9bbd91d52285acd60fb778629e9bf13262b2b

  • SHA512

    685f166a531911801fafaef22ddb91b43f040a7fe24a06c02c9bfd0db1b04b3982dbcb907b255fa93174f813aa754483d237a9173cc7788f44f41531ba680e1e

  • SSDEEP

    6144:c2GWQGcZTVN+0yB6oJrcR/QRqrGj7LWd1ZDg7HHEqrGjG5vYEA:c2zQGyTVVYJrjqrG7uMHEqrGkvYE

Score
10/10
gh0stratpersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Registers new Print Monitor 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\brunoHacker.exe
    "C:\Users\Admin\AppData\Local\Temp\brunoHacker.exe"
    1⤵
    • Registers new Print Monitor
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Windows\SysWOW64\netsh.exe
      netsh ipsec static add policy name=Block
      2⤵
        PID:1488
      • C:\Windows\SysWOW64\netsh.exe
        netsh ipsec static add filterlist name=Filter1
        2⤵
          PID:560
        • C:\Windows\SysWOW64\netsh.exe
          netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
          2⤵
            PID:664
          • C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
            2⤵
              PID:308
            • C:\Windows\SysWOW64\netsh.exe
              netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
              2⤵
                PID:932
              • C:\Windows\SysWOW64\netsh.exe
                netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                2⤵
                  PID:900
                • C:\Windows\SysWOW64\netsh.exe
                  netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                  2⤵
                    PID:952
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
                    2⤵
                      PID:1768
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh ipsec static add filteraction name=FilteraAtion1 action=block
                      2⤵
                        PID:1932
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
                        2⤵
                          PID:1656
                        • C:\Windows\SysWOW64\netsh.exe
                          netsh ipsec static set policy name=Block assign=y
                          2⤵
                            PID:1872
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\Users\Admin\AppData\Local\Temp\brunoHacker.exe"
                            2⤵
                            • Deletes itself
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:484
                        • C:\Windows\SysWOW64\svchost.exe
                          "C:\Windows\SysWOW64\svchost.exe"
                          1⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:324

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • \Windows\Logs\RunDllExe.dll
                          Filesize

                          159KB

                          MD5

                          3d52f96d0dab13ca75902ee709d916f9

                          SHA1

                          7d1d48f95f8ab059d55901cb128148ed7bbab83c

                          SHA256

                          f69397fe89df1aab5fe0af54da7658aff048c716383668909ad7929d6ba3741d

                          SHA512

                          db8187f9f114f84b4fa06bc8392ea93c51b03f1811a592c0bd62dbdfcf8aa82be8f5fee137ce8e0e28977bcc654b5269da1c0fbb34f90f7d585fcf7c5d682f62

                          Download Submit

                        • memory/324-56-0x0000000000400000-0x000000000040B000-memory.dmp

                          Filesize

                          44KB

                          Download

                        • memory/324-57-0x0000000000400000-0x000000000040B000-memory.dmp

                          Filesize

                          44KB

                          Download

                        • memory/484-60-0x0000000002410000-0x0000000002450000-memory.dmp

                          Filesize

                          256KB

                          Download

                        • memory/484-61-0x0000000002410000-0x0000000002450000-memory.dmp

                          Filesize

                          256KB

                          Download