Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-06-2023 15:12

General

  • Target

    brunoHacker.exe

  • Size

    408KB

  • MD5

    cda724098f73a391b79378ef37177297

  • SHA1

    c452c06614d914765eda8c33b7e618bdcddee50e

  • SHA256

    6e61574af212af8a984e691c74b9bbd91d52285acd60fb778629e9bf13262b2b

  • SHA512

    685f166a531911801fafaef22ddb91b43f040a7fe24a06c02c9bfd0db1b04b3982dbcb907b255fa93174f813aa754483d237a9173cc7788f44f41531ba680e1e

  • SSDEEP

    6144:c2GWQGcZTVN+0yB6oJrcR/QRqrGj7LWd1ZDg7HHEqrGjG5vYEA:c2zQGyTVVYJrjqrG7uMHEqrGkvYE

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Registers new Print Monitor 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\brunoHacker.exe
    "C:\Users\Admin\AppData\Local\Temp\brunoHacker.exe"
    1⤵
    • Registers new Print Monitor
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Windows\SysWOW64\netsh.exe
      netsh ipsec static add policy name=Block
      2⤵
      PID:1788
    • C:\Windows\SysWOW64\netsh.exe
      netsh ipsec static add filterlist name=Filter1
      2⤵
      PID:1156
    • C:\Windows\SysWOW64\netsh.exe
      netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
      2⤵
      PID:3684
    • C:\Windows\SysWOW64\netsh.exe
      netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
      2⤵
      PID:4904
    • C:\Windows\SysWOW64\netsh.exe
      netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
      2⤵
      PID:4616
    • C:\Windows\SysWOW64\netsh.exe
      netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
      2⤵
      PID:1084
    • C:\Windows\SysWOW64\netsh.exe
      netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
      2⤵
      PID:2340
    • C:\Windows\SysWOW64\netsh.exe
      netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
      2⤵
      PID:2244
    • C:\Windows\SysWOW64\netsh.exe
      netsh ipsec static add filteraction name=FilteraAtion1 action=block
      2⤵
      PID:2616
    • C:\Windows\SysWOW64\netsh.exe
      netsh ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
      2⤵
      PID:2992
    • C:\Windows\SysWOW64\netsh.exe
      netsh ipsec static set policy name=Block assign=y
      2⤵
      PID:672
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Start-Sleep -s 2;del "C:\Users\Admin\AppData\Local\Temp\brunoHacker.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4344
  • C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\SysWOW64\svchost.exe"
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1256
  • C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\SysWOW64\svchost.exe"
    1⤵
    PID:1100
  • C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\SysWOW64\svchost.exe"
    1⤵
    PID:1792

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyiuenlo.00t.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Windows\Logs\RunDllExe.dll
    Filesize
    166KB
    MD5
    2d2fdaf3a484d432718193436bf6dbd1
    SHA1
    065d5a5963b3c56a56825f27e2f72478787fbecd
    SHA256
    69a12824071f318c6aab30d460efbb8fdaceb6d7c469539a7f19b4390171e372
    SHA512
    86159d6a97ae548e4fea3a1f332d1ef3d9c218fb241449daf7429926a8375f0e1d7fba48c6c5aa9ecf6b0bc1ee566e0480b70a929917d9d40b822188d9e916d0

  • memory/1256-135-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize
    44KB

  • memory/1256-136-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize
    44KB

  • memory/4344-145-0x0000000005540000-0x00000000055A6000-memory.dmp
    Filesize
    408KB

  • memory/4344-156-0x0000000006240000-0x000000000625E000-memory.dmp
    Filesize
    120KB

  • memory/4344-143-0x0000000004F90000-0x0000000004FA0000-memory.dmp
    Filesize
    64KB

  • memory/4344-144-0x00000000053A0000-0x00000000053C2000-memory.dmp
    Filesize
    136KB

  • memory/4344-141-0x00000000055D0000-0x0000000005BF8000-memory.dmp
    Filesize
    6.2MB

  • memory/4344-140-0x0000000004DB0000-0x0000000004DE6000-memory.dmp
    Filesize
    216KB

  • memory/4344-146-0x0000000005C00000-0x0000000005C66000-memory.dmp
    Filesize
    408KB

  • memory/4344-142-0x0000000004F90000-0x0000000004FA0000-memory.dmp
    Filesize
    64KB

  • memory/4344-157-0x0000000004F90000-0x0000000004FA0000-memory.dmp
    Filesize
    64KB

  • memory/4344-158-0x0000000007930000-0x0000000007FAA000-memory.dmp
    Filesize
    6.5MB

  • memory/4344-159-0x00000000072E0000-0x00000000072FA000-memory.dmp
    Filesize
    104KB

  • memory/4344-160-0x0000000007420000-0x00000000074B6000-memory.dmp
    Filesize
    600KB

  • memory/4344-161-0x00000000073B0000-0x00000000073D2000-memory.dmp
    Filesize
    136KB

  • memory/4344-162-0x0000000008560000-0x0000000008B04000-memory.dmp
    Filesize
    5.6MB