Analysis
max time kernel: 131s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2023 15:08
Static task: static1
Behavioral task: behavioral1 (sample: MCluster.exe, resource: win7-20231023-en)
Behavioral task: behavioral2 (sample: MCluster.exe, resource: win10-20231023-en)
General
Target: MCluster.exe
Size: 678KB
MD5: 3ade61a87c1769fe52d3c739e225b960
SHA1: f6bc0f131ae67d5409894e54a885fcd17c262970
SHA256: ee00fe31c6120dbae806f36edadffd92f0483135e60e306665a25b1400cdfcc7
SHA512: 8aafcee9c6a81938d28855dfda434068cbb41736ba31595b55aebf7a086b133990d61b07f687a6e3f452740da40a859015ef06c5f9b39bce88fb7fcfaab3b46e
SSDEEP: 12288:t2a5mCNPv6iJVNHLuNljPpVv03pwiLhhmJhFuK7Fa:oa5mCN6UNHARVaxtp
Malware Config
Signatures
- Gh0st RAT payload (2 IoCs)
  Processes: memory regions matched by yara rule family_gh0strat
    behavioral3/memory/1432-34-0x0000000002D80000-0x0000000002E16000-memory.dmp
    behavioral3/memory/1432-35-0x0000000010000000-0x000000001007B000-memory.dmp
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: MCluster.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes: ppstreamsetup.exe (PID 1432)
- Loads dropped DLL (3 IoCs)
  Processes: ppstreamsetup.exe (PID 1432), 3 events
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: ppstreamsetup.exe opened the following drive roots (read-only):
    \??\E:, \??\H:, \??\K:, \??\L:, \??\X:, \??\Z:, \??\I:, \??\O:, \??\R:, \??\U:, \??\V:, \??\W:, \??\M:, \??\N:, \??\P:, \??\Q:, \??\S:, \??\Y:, \??\B:, \??\G:, \??\J:, \??\T:
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: ppstreamsetup.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: ppstreamsetup.exe (PID 1432), 64 events
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 4440 (MCluster.exe) wrote to the memory of PID 1432 (ppstreamsetup.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\MCluster.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MCluster.exe"
  PID: 4440
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Public\TingTing1\ppstreamsetup.exe
    Command line: "C:\Users\Public\TingTing1\ppstreamsetup.exe"
    PID: 1432
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads