Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
16-08-2023 14:57
General
-
Target
0.exe
-
Size
71KB
-
MD5
2a9d0d06d292a4cbbe4a95da4650ed54
-
SHA1
44c32dfae9ac971c3651adbd82c821971a5400dc
-
SHA256
09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c
-
SHA512
ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d
-
SSDEEP
1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e
Malware Config
Signatures
-
Gh0st RAT payload 5 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0.exe"C:\Users\Admin\AppData\Local\Temp\0.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\1928500.dllFilesize
64KB
MD545dc749351fd65d71da89ca2ed2766cb
SHA1e080faf81157b7f867cb56938c5e579c206af9b9
SHA256391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25
SHA5127e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74
-
C:\1928500.dllFilesize
64KB
MD545dc749351fd65d71da89ca2ed2766cb
SHA1e080faf81157b7f867cb56938c5e579c206af9b9
SHA256391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25
SHA5127e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74
-
C:\1928500.dllFilesize
64KB
MD545dc749351fd65d71da89ca2ed2766cb
SHA1e080faf81157b7f867cb56938c5e579c206af9b9
SHA256391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25
SHA5127e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74
-
C:\Windows\FileName.jpgFilesize
199KB
MD531150d0631e604eb074a74b1c9af699c
SHA1eb93b0c1b24f46f2819b87df99be606aad66c635
SHA256e835faa1ab036fa120a65949e1aa167191aaa2cbb401572b792da724cda352a0
SHA51270a9486b0959454fe6a76f81a34f8ec29784994e728b184f88f26588aa160e720b5725f4e5506ed80eb149fb9be6a7f08aaa4576effb584e407ecc2c68484ca4
-
\??\c:\NT_Path.jpgFilesize
54B
MD54260d8ae446089ea2ca053b04d561317
SHA1b24e38d2591d938676892e77d96856eab622bfeb
SHA2560f763ca018caaabf679a9ca9690c43ee3c3eba7f79cffa2272dc0e1dab90ee61
SHA512526c1aa251523a7ae74d46d447ccd6bdc97c8c68935d44082bebb29f929d287594a23cd84371918f7d7e4c9997d4ec3306e97c67580da56723358e12a7de379d
-
\??\c:\windows\filename.jpgFilesize
199KB
MD531150d0631e604eb074a74b1c9af699c
SHA1eb93b0c1b24f46f2819b87df99be606aad66c635
SHA256e835faa1ab036fa120a65949e1aa167191aaa2cbb401572b792da724cda352a0
SHA51270a9486b0959454fe6a76f81a34f8ec29784994e728b184f88f26588aa160e720b5725f4e5506ed80eb149fb9be6a7f08aaa4576effb584e407ecc2c68484ca4
