Overview

overview

10

Static

static

7

New_4.8.10.exe

windows7-x64

10

New_4.8.10.exe

windows10-1703-x64

10

New_4.8.10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    302s
  • max time network
    315s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-08-2023 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New_4.8.10.exe

  • Size

    124.3MB

  • MD5

    f89701701ace82ef08972d55b68e232f

  • SHA1

    084888e907329c480518220990fc4a8dcd108463

  • SHA256

    a896be695060cae32a70973ebba049139b27ae837e870e5faf728392b32854dd

  • SHA512

    f5f9e7b1f6ae0e5983a58c91be5558feb10bb07ffa10a289580759cc1abba8c829d7f9752873c62fbb0f552119e5fc9ebe3a02cdb649919d1743ee933bc49bf1

  • SSDEEP

    3145728:dRrHJ5u0UJ140kRRGtBOPMx332CVB4JeMz9MrI/:dRrHb/UJSrR8hbxPrI/

Score
10/10
gh0stratratupx

Malware Config

Extracted

Family

gh0strat

C2

zhodaji.com

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 16 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New_4.8.10.exe
    "C:\Users\Admin\AppData\Local\Temp\New_4.8.10.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\ProgramData\tsetup-x64.4.9.2.exe
      "C:\ProgramData\tsetup-x64.4.9.2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Users\Admin\AppData\Local\Temp\is-OJPBL.tmp\tsetup-x64.4.9.2.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-OJPBL.tmp\tsetup-x64.4.9.2.tmp" /SL5="$30234,40524263,814592,C:\ProgramData\tsetup-x64.4.9.2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
          "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
          4⤵
          • Drops desktop.ini file(s)
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:700
    • C:\ProgramData\handinput.exe
      "C:\ProgramData\handinput.exe"
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\PROGRA~3\HANDIN~1.EXE > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3596
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:4396
  • C:\ProgramData\Aqiyq.exe
    C:\ProgramData\Aqiyq.exe -auto
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:60
    • C:\ProgramData\Aqiyq.exe
      C:\ProgramData\Aqiyq.exe -acsi
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:4052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Aqiyq.exe
    Filesize

    834KB

    MD5

    a7bb376117fd97810fa4b41a46d3ab97

    SHA1

    14ef3d161a262270c2db1696f06c9a4067da1984

    SHA256

    09930bfc1962f0b0d500fc1cb67d528f21b11d6d911f1fa3c251399483728b80

    SHA512

    a4a0ae8ce7c6b9a57f04a4a9a450e243b04743717d4860421538e47879e48561d37d02c1b7a0dd682c5e1eaa8bb2a98bd72e58cfe5a5b47b79c710832fd60b23

    Download Submit

  • C:\ProgramData\Aqiyq.exe
    Filesize

    834KB

    MD5

    a7bb376117fd97810fa4b41a46d3ab97

    SHA1

    14ef3d161a262270c2db1696f06c9a4067da1984

    SHA256

    09930bfc1962f0b0d500fc1cb67d528f21b11d6d911f1fa3c251399483728b80

    SHA512

    a4a0ae8ce7c6b9a57f04a4a9a450e243b04743717d4860421538e47879e48561d37d02c1b7a0dd682c5e1eaa8bb2a98bd72e58cfe5a5b47b79c710832fd60b23

    Download Submit

  • C:\ProgramData\Aqiyq.exe
    Filesize

    834KB

    MD5

    a7bb376117fd97810fa4b41a46d3ab97

    SHA1

    14ef3d161a262270c2db1696f06c9a4067da1984

    SHA256

    09930bfc1962f0b0d500fc1cb67d528f21b11d6d911f1fa3c251399483728b80

    SHA512

    a4a0ae8ce7c6b9a57f04a4a9a450e243b04743717d4860421538e47879e48561d37d02c1b7a0dd682c5e1eaa8bb2a98bd72e58cfe5a5b47b79c710832fd60b23

    Download Submit

  • C:\ProgramData\Aqiyq.exe
    Filesize

    834KB

    MD5

    a7bb376117fd97810fa4b41a46d3ab97

    SHA1

    14ef3d161a262270c2db1696f06c9a4067da1984

    SHA256

    09930bfc1962f0b0d500fc1cb67d528f21b11d6d911f1fa3c251399483728b80

    SHA512

    a4a0ae8ce7c6b9a57f04a4a9a450e243b04743717d4860421538e47879e48561d37d02c1b7a0dd682c5e1eaa8bb2a98bd72e58cfe5a5b47b79c710832fd60b23

    Download Submit

  • C:\ProgramData\Server.log
    Filesize

    112KB

    MD5

    06fbabe3121f537287e6f834e6a1d44e

    SHA1

    8ed8a90f0de4203133a9432e61f3d2191bbe4008

    SHA256

    3a0bf79af3a94c98d8ab121d9e2faa1d7f6639ecbef3369d68fa9a88f4bbe11f

    SHA512

    d142dc8cc89f86c1a1bacaa94e78f030159c72d681cc9ae387e87c21e975e839d1cc6f2d07246ba599d3e9c8af77a775b2accbf0bd18185d4619d80d7da9136e

    Download Submit

  • C:\ProgramData\VCRUNTIME140.dll
    Filesize

    74KB

    MD5

    a075828073369628bcca8a80fa225744

    SHA1

    2d576b316860c141d81ba9916d5915aceb336c7e

    SHA256

    dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

    SHA512

    f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

    Download Submit

  • C:\ProgramData\XDLL.dll
    Filesize

    83.2MB

    MD5

    eb86e41abd837c01151298eaef1ae4d3

    SHA1

    51e9b5afdd681ed7d9c893780cfc881119b90234

    SHA256

    587a48a6ab153356f5cd94c47c817413047ed2e04636a4e90d693d8f6d325f14

    SHA512

    7568223cde9a13bf8945673009869638909ffdfb8b2bdfb5a2e3d3a9b53e5c93f8a5c581d442aee6458cff9b6ac32087849c186d8d397a9eecc1f482d3cda892

    Download Submit

  • C:\ProgramData\Xdll.dll
    Filesize

    83.2MB

    MD5

    eb86e41abd837c01151298eaef1ae4d3

    SHA1

    51e9b5afdd681ed7d9c893780cfc881119b90234

    SHA256

    587a48a6ab153356f5cd94c47c817413047ed2e04636a4e90d693d8f6d325f14

    SHA512

    7568223cde9a13bf8945673009869638909ffdfb8b2bdfb5a2e3d3a9b53e5c93f8a5c581d442aee6458cff9b6ac32087849c186d8d397a9eecc1f482d3cda892

    Download Submit

  • C:\ProgramData\handinput.exe
    Filesize

    834KB

    MD5

    a7bb376117fd97810fa4b41a46d3ab97

    SHA1

    14ef3d161a262270c2db1696f06c9a4067da1984

    SHA256

    09930bfc1962f0b0d500fc1cb67d528f21b11d6d911f1fa3c251399483728b80

    SHA512

    a4a0ae8ce7c6b9a57f04a4a9a450e243b04743717d4860421538e47879e48561d37d02c1b7a0dd682c5e1eaa8bb2a98bd72e58cfe5a5b47b79c710832fd60b23

    Download Submit

  • C:\ProgramData\handinput.exe
    Filesize

    834KB

    MD5

    a7bb376117fd97810fa4b41a46d3ab97

    SHA1

    14ef3d161a262270c2db1696f06c9a4067da1984

    SHA256

    09930bfc1962f0b0d500fc1cb67d528f21b11d6d911f1fa3c251399483728b80

    SHA512

    a4a0ae8ce7c6b9a57f04a4a9a450e243b04743717d4860421538e47879e48561d37d02c1b7a0dd682c5e1eaa8bb2a98bd72e58cfe5a5b47b79c710832fd60b23

    Download Submit

  • C:\ProgramData\tsetup-x64.4.9.2.exe
    Filesize

    39.5MB

    MD5

    ea3b525e8235810679f604b4cb504cb3

    SHA1

    8f238faf46acfaa4b170cd2babf8222f12c24828

    SHA256

    3087d90cf63d1cf2d40a5c19def7aa166024e66a6b8f20ff9cd28527edd5a74c

    SHA512

    0ea5ce2c1e54515cb752f8ec8f2217311f13695b84c3efe1d5104464a9ad64d015f56cfd9360bc46569e3eb64bddfabb55f7d26d5ded9e0fee67c28750b0f982

    Download Submit

  • C:\ProgramData\tsetup-x64.4.9.2.exe
    Filesize

    39.5MB

    MD5

    ea3b525e8235810679f604b4cb504cb3

    SHA1

    8f238faf46acfaa4b170cd2babf8222f12c24828

    SHA256

    3087d90cf63d1cf2d40a5c19def7aa166024e66a6b8f20ff9cd28527edd5a74c

    SHA512

    0ea5ce2c1e54515cb752f8ec8f2217311f13695b84c3efe1d5104464a9ad64d015f56cfd9360bc46569e3eb64bddfabb55f7d26d5ded9e0fee67c28750b0f982

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\autA629.tmp
    Filesize

    39.5MB

    MD5

    ea3b525e8235810679f604b4cb504cb3

    SHA1

    8f238faf46acfaa4b170cd2babf8222f12c24828

    SHA256

    3087d90cf63d1cf2d40a5c19def7aa166024e66a6b8f20ff9cd28527edd5a74c

    SHA512

    0ea5ce2c1e54515cb752f8ec8f2217311f13695b84c3efe1d5104464a9ad64d015f56cfd9360bc46569e3eb64bddfabb55f7d26d5ded9e0fee67c28750b0f982

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-OJPBL.tmp\tsetup-x64.4.9.2.tmp
    Filesize

    3.0MB

    MD5

    b0a8085decfb065f44561789f4be1b92

    SHA1

    5f3abb84bb78f3d447c999a99983b93b41c3adcb

    SHA256

    ae2d3dd7b7682a11f57d3fe637a6481017810450a67ab9a608bd37114e20f510

    SHA512

    4fbfc613112ba439217f7133214d4b7381c390286aaccacbcb484ab4c3280fd413f6d4ef2273b2a904ef996ffca898f071f0e97ff7056265c605ae8eedd6150a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-OJPBL.tmp\tsetup-x64.4.9.2.tmp
    Filesize

    3.0MB

    MD5

    b0a8085decfb065f44561789f4be1b92

    SHA1

    5f3abb84bb78f3d447c999a99983b93b41c3adcb

    SHA256

    ae2d3dd7b7682a11f57d3fe637a6481017810450a67ab9a608bd37114e20f510

    SHA512

    4fbfc613112ba439217f7133214d4b7381c390286aaccacbcb484ab4c3280fd413f6d4ef2273b2a904ef996ffca898f071f0e97ff7056265c605ae8eedd6150a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Filesize

    130.1MB

    MD5

    3df5bcea0ca91ab9fc317bcc6d9ea15f

    SHA1

    843a46a3a2495ec3b25eac11ae24b4c4988e7b36

    SHA256

    4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

    SHA512

    490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Filesize

    130.1MB

    MD5

    3df5bcea0ca91ab9fc317bcc6d9ea15f

    SHA1

    843a46a3a2495ec3b25eac11ae24b4c4988e7b36

    SHA256

    4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

    SHA512

    490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    Filesize

    130.1MB

    MD5

    3df5bcea0ca91ab9fc317bcc6d9ea15f

    SHA1

    843a46a3a2495ec3b25eac11ae24b4c4988e7b36

    SHA256

    4e5cfb0d2ad36e4bd55b02cbad768b979f712d780ffde9b055f0fcabb1919ff4

    SHA512

    490f4840a83ba49295abd14c815973822af0de18ab34f525318a6075c3cba23fcfcd56d006e9d13df91fa32569d0f740d183d7d9c8a764a69f54d70760a58911

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
    Filesize

    4.7MB

    MD5

    62a89e7867d853fee9ad07b7c9d64379

    SHA1

    944a53602492187308352103d80ff27af1093abf

    SHA256

    d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9

    SHA512

    7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

    Download Submit

  • \ProgramData\Xdll.dll
    Filesize

    83.2MB

    MD5

    eb86e41abd837c01151298eaef1ae4d3

    SHA1

    51e9b5afdd681ed7d9c893780cfc881119b90234

    SHA256

    587a48a6ab153356f5cd94c47c817413047ed2e04636a4e90d693d8f6d325f14

    SHA512

    7568223cde9a13bf8945673009869638909ffdfb8b2bdfb5a2e3d3a9b53e5c93f8a5c581d442aee6458cff9b6ac32087849c186d8d397a9eecc1f482d3cda892

    Download Submit

  • \ProgramData\Xdll.dll
    Filesize

    83.2MB

    MD5

    eb86e41abd837c01151298eaef1ae4d3

    SHA1

    51e9b5afdd681ed7d9c893780cfc881119b90234

    SHA256

    587a48a6ab153356f5cd94c47c817413047ed2e04636a4e90d693d8f6d325f14

    SHA512

    7568223cde9a13bf8945673009869638909ffdfb8b2bdfb5a2e3d3a9b53e5c93f8a5c581d442aee6458cff9b6ac32087849c186d8d397a9eecc1f482d3cda892

    Download Submit

  • \ProgramData\Xdll.dll
    Filesize

    83.2MB

    MD5

    eb86e41abd837c01151298eaef1ae4d3

    SHA1

    51e9b5afdd681ed7d9c893780cfc881119b90234

    SHA256

    587a48a6ab153356f5cd94c47c817413047ed2e04636a4e90d693d8f6d325f14

    SHA512

    7568223cde9a13bf8945673009869638909ffdfb8b2bdfb5a2e3d3a9b53e5c93f8a5c581d442aee6458cff9b6ac32087849c186d8d397a9eecc1f482d3cda892

    Download Submit

  • \ProgramData\vcruntime140.dll
    Filesize

    74KB

    MD5

    a075828073369628bcca8a80fa225744

    SHA1

    2d576b316860c141d81ba9916d5915aceb336c7e

    SHA256

    dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

    SHA512

    f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

    Download Submit

  • \ProgramData\vcruntime140.dll
    Filesize

    74KB

    MD5

    a075828073369628bcca8a80fa225744

    SHA1

    2d576b316860c141d81ba9916d5915aceb336c7e

    SHA256

    dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

    SHA512

    f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

    Download Submit

  • \ProgramData\vcruntime140.dll
    Filesize

    74KB

    MD5

    a075828073369628bcca8a80fa225744

    SHA1

    2d576b316860c141d81ba9916d5915aceb336c7e

    SHA256

    dbc5559ca8d99f045c5511f56a2c4dd156d2672d189935e242284a835c0d7f92

    SHA512

    f92bc90a1d75268f2961e8a83268afc1efbf1381c884742658bca135367104b148fdbb8c0d643daa10063a98e032bcd7d4da50daebf4fa96e203814030a2c993

    Download Submit

  • \Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
    Filesize

    4.7MB

    MD5

    62a89e7867d853fee9ad07b7c9d64379

    SHA1

    944a53602492187308352103d80ff27af1093abf

    SHA256

    d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9

    SHA512

    7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

    Download Submit

  • memory/60-138-0x0000000001520000-0x000000000153D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/700-435-0x00000208AA460000-0x00000208AA470000-memory.dmp

    Filesize

    64KB

    Download

  • memory/700-434-0x00000208B0150000-0x00000208B017F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/700-262-0x00000208B0150000-0x00000208B017F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/700-100-0x00000208AA460000-0x00000208AA470000-memory.dmp

    Filesize

    64KB

    Download

  • memory/700-225-0x00000208AA460000-0x00000208AA470000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2552-52-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2552-116-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2552-61-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2604-58-0x00000000008A0000-0x00000000008A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-62-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2604-64-0x00000000008A0000-0x00000000008A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-88-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2604-109-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2604-115-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3396-0-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/3396-59-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/3396-124-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/4052-146-0x0000000002BB0000-0x0000000002BCD000-memory.dmp

    Filesize

    116KB

    Download

  • memory/4448-126-0x0000000002BB0000-0x0000000002BCD000-memory.dmp

    Filesize

    116KB

    Download