Overview

overview

10

Static

static

3

11L3O67.exe

windows7-x64

10

11L3O67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/11/2023, 15:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    11L3O67.exe

  • Size

    3.3MB

  • MD5

    55676704ea30ec80782a6fe129ecd07a

  • SHA1

    b2935565cc449db1ceb78618f06b145eed7b129f

  • SHA256

    add99c5e79d3b6736133c2d0336c8386b7c68ce99839b83208ba3b832e5627ff

  • SHA512

    3ceead21394022fd33cbfec8332a67791223d52189d7b383c714662fcb8d2f7354a3070a80219e49840f793402a7726b003bd5a1a9aa77e014c26a6e9c5fcd9c

  • SSDEEP

    98304:ZGwl5CrmnosDeIp8ZoctqhBtky7zZ+iDCRDtVCQ4:ZXl5HnoipqkhBtky7zZeRDtZ4

Score
10/10
gh0stratevasionrattrojan

Malware Config

Extracted

Family

gh0strat

C2

27.124.10.162

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies RDP port number used by Windows 1 TTPs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11L3O67.exe
    "C:\Users\Admin\AppData\Local\Temp\11L3O67.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C regedit /s Uac.reg
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s Uac.reg
        3⤵
        • UAC bypass
        • Runs .reg file with regedit
        PID:2624

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Uac.reg
          Filesize

          245B

          MD5

          3259410b95978a44d4a95a1d1815cc6d

          SHA1

          26d3928a81f9d754c7991673c6b856652ce38f98

          SHA256

          182d0025f616b82d52f824e52ec21f6f75cb3cba3e31b0f27c1f8d1a6d5aa7b5

          SHA512

          44b7fdec8e4346901cc73927536b9841489b16e1faf4a25e17bb620195b4d0f841c7a5746b4f7a37fc91b7b9606abcb61b662b5732935472064b5eab31ce300b

          Download Submit

        • memory/4052-0-0x0000000000400000-0x00000000009EF000-memory.dmp

          Filesize

          5.9MB

          Download

        • memory/4052-1-0x00000000031C0000-0x00000000031ED000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4052-12-0x0000000000400000-0x00000000009EF000-memory.dmp

          Filesize

          5.9MB

          Download