Analysis

  • max time kernel
    41s
  • max time network
    34s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231201-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231201-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/12/2023, 04:32

General

  • Target

    217.exe

  • Size

    2.9MB

  • MD5

    54a5fa5716baa7a839b4e05fc81b6a63

  • SHA1

    91d8180e02235e4ab5a0ccb7c6f0c5efb58b014b

  • SHA256

    0b8c847eb78a586597beec4b5efc14118f315b7dbcc41b69f863e6f2d315eaa7

  • SHA512

    6f75425763f10eeaf5181fa65bd8da3d9beea4b60978d3bf581db92c107e5b6e29bc0571e4fe3a62af86cf7f759aee358afa5e7d62a33ebcfa56e67e9d25f7e1

  • SSDEEP

    49152:qlDnVWC15/KCskLST/ouhqu9zQtZfndA43Ei0y1f3UGQzRi7:qvWC15/KLkL4798fnZ11fkDi7

Malware Config

Signatures

  • Gh0st RAT payload 6 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 5 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\217.exe
    "C:\Users\Admin\AppData\Local\Temp\217.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:692
    • C:\Users\Public\Documents\yybrowser.exe
      C:\Users\Public\Documents\yybrowser.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4220

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\20231208043321401~YingInstall-TopFramePicture.bmp

          Filesize

          563KB

          MD5

          a528a1efb19f5bee2fa74cd8650dab24

          SHA1

          51b72c994283ec899a32732bc60655d3039138a8

          SHA256

          d9295a5e215cf9f1c2dd5b9aa5deb1ee46619202b5814296ca73777506846608

          SHA512

          bcf8db6c25868a5d48ef887046143ed504690084673ff71c886dc17de8f65482e773b3a5867cab89e310ac03f1a37f3661d1117230fbcb7d85071fcf2b34c15a

        • C:\Users\Public\Documents\MSVCP140.dll

          Filesize

          427KB

          MD5

          8b1d762ddec577e6bee5ceff79d34811

          SHA1

          d8a266dab792952415f7bea84843c412418627d5

          SHA256

          75c8af58e84c4992d4d2013641e2916310c71d292bb808083077510ef5163610

          SHA512

          dd38a5db80b7755c5543e0d3a16fdf6fc2075d80d7a24e5b4a99e5e6dbeda6fc061ee182586363a79bacd1fb831a6399eed2b56af4351ba2ecd30aa8177fb7f4

        • C:\Users\Public\Documents\VCRUNTIME140.dll

          Filesize

          75KB

          MD5

          ac85fa80b4c9bcab021ba214c56f7f3e

          SHA1

          f4a03bed71041c21b4f0b56039f207f8ad97662e

          SHA256

          23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede

          SHA512

          8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928

        • C:\Users\Public\Documents\dwbase.dll

          Filesize

          320KB

          MD5

          b87e123f675b38a7e5b15b0515040bed

          SHA1

          fe5a958192effbf379f8a3331863069bb1d886a2

          SHA256

          5a8d4d49185c6589314c50dccdf4a178337ec92cb18533c770cf29571c6f0b05

          SHA512

          531620d704c70a7ca77ce91e9788d55217adbaa8053ea912ede7ff5c44792ca0cb43fe08d0fb5173d0bb48a678887d697aab71c2447d378c497d41f4d53281d1

        • C:\Users\Public\Documents\dwutility.dll

          Filesize

          1.2MB

          MD5

          71918ce3973e4741542022287de9f947

          SHA1

          21baae8623f8ade60954193cf6b2899ff868ccab

          SHA256

          d0ad9d27d1d1e6926cc8be711f0bfb53d7e19eddfc4b7e94d5f0aa20641a6ae0

          SHA512

          f58e7409b7a7e085bf36e9ec1c123409a75b71f1a09a4c85a59ff7436a7cf1020b2acd2782c92dd28141affacd996512fb6acfa9621000ebac08c0257dca8aaf

        • C:\Users\Public\Documents\libcurl.dll

          Filesize

          1.6MB

          MD5

          7870f90ed274348346f499dca9716c6d

          SHA1

          a898355b54b17a80b298210ccb00228384dd2e85

          SHA256

          d4e407cdc4a38416c2f512c021a70117f8114964a622957098f8d8d062056f3d

          SHA512

          68969b34d54ba961490cbeb832daa0c5b315289881dcce7ad0561938f413b1a19e23c3947ef93e0b5ddd1335f120ef4da6eb955e8b66a1391895c950da9c767b

        • C:\Users\Public\Documents\meshrpc.dll

          Filesize

          198KB

          MD5

          007b92f069cc2445120bcd55ffb01f86

          SHA1

          20c368c75a7f27985d3ba025d96de4404fdbcbd2

          SHA256

          6626e0372f50083c275eb1803c6d04fb29a201d731918f0c4e00a0aa4576a548

          SHA512

          bb9a763961f070c43a48a7a257830b4273a1d1b91f17aa496f851a1a1286b3e070167c6a657b99333a1c4c36e2d04210de661ce74792d4fe6dc12581f340ef8e

        • C:\Users\Public\Documents\msvcp140.dll

          Filesize

          427KB

          MD5

          8b1d762ddec577e6bee5ceff79d34811

          SHA1

          d8a266dab792952415f7bea84843c412418627d5

          SHA256

          75c8af58e84c4992d4d2013641e2916310c71d292bb808083077510ef5163610

          SHA512

          dd38a5db80b7755c5543e0d3a16fdf6fc2075d80d7a24e5b4a99e5e6dbeda6fc061ee182586363a79bacd1fb831a6399eed2b56af4351ba2ecd30aa8177fb7f4

        • C:\Users\Public\Documents\vcruntime140.dll

          Filesize

          75KB

          MD5

          ac85fa80b4c9bcab021ba214c56f7f3e

          SHA1

          f4a03bed71041c21b4f0b56039f207f8ad97662e

          SHA256

          23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede

          SHA512

          8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928

        • C:\Users\Public\Documents\yybrowser.exe

          Filesize

          189KB

          MD5

          46343a46271dcaddf9f5192118d4190a

          SHA1

          998d84a369d392c76b60082f9e4da31bfff4dc53

          SHA256

          f8c240a51a27735b4f5ee856fb7a9a01aa0d89351f326ee4892a3ca34fbd2001

          SHA512

          2a5f642ab06f91907fc9eafeac9325709e318d11813f76da5bc15eb81f06d43832cde850dd10e24b8d8dc2893a15dce7a76389a199a9cb11d4ffdf864190e03d

        • memory/4220-65-0x00000000036F0000-0x000000000374F000-memory.dmp

          Filesize

          380KB

        • memory/4220-60-0x0000000010000000-0x00000000100A0000-memory.dmp

          Filesize

          640KB

        • memory/4220-63-0x00000000035A0000-0x00000000035A1000-memory.dmp

          Filesize

          4KB

        • memory/4220-61-0x0000000010000000-0x00000000100A0000-memory.dmp

          Filesize

          640KB

        • memory/4220-66-0x00000000038A0000-0x0000000003A29000-memory.dmp

          Filesize

          1.5MB

        • memory/4220-70-0x00000000038A0000-0x0000000003A29000-memory.dmp

          Filesize

          1.5MB

        • memory/4220-71-0x00000000038A0000-0x0000000003A29000-memory.dmp

          Filesize

          1.5MB

        • memory/4220-69-0x00000000038A0000-0x0000000003A29000-memory.dmp

          Filesize

          1.5MB

        • memory/4220-72-0x00000000038A0000-0x0000000003A29000-memory.dmp

          Filesize

          1.5MB

        • memory/4220-74-0x00000000038A0000-0x0000000003A29000-memory.dmp

          Filesize

          1.5MB

        • memory/4220-82-0x0000000010000000-0x00000000100A0000-memory.dmp

          Filesize

          640KB

        • memory/4220-83-0x00000000038A0000-0x0000000003A29000-memory.dmp

          Filesize

          1.5MB