Analysis

  • max time kernel
    134s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/12/2023, 06:49

General

  • Target

    668e7df7c1d1bb5ec520f495c57338e4888a29307c8f4e79e6594609b6bdecba.exe

  • Size

    5.6MB

  • MD5

    0a33a1bfd046c651c8c91edb3d7b972c

  • SHA1

    fe93b5f6242be4e5b89c5e2dcd46640b456cd71d

  • SHA256

    668e7df7c1d1bb5ec520f495c57338e4888a29307c8f4e79e6594609b6bdecba

  • SHA512

    5be38c53d2471c19c15aa1212839cd8bafcf42796977ea7f27daebf9a840af0dcfcdc20b244bf85902d6365d1eed52f8efff0c04cd389bf1a570b6d007d49ad6

  • SSDEEP

    98304:GBGw4JTYdg7szAofgIlGE4JmUwMDeQo9vCRxNwimxt2Nv6GAsF7EyZ1pjZBZYZZ0:GBGw4JmqcxgiGE4JiMqF6DChU6AvfjBf

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects files using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 5 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\668e7df7c1d1bb5ec520f495c57338e4888a29307c8f4e79e6594609b6bdecba.exe
    "C:\Users\Admin\AppData\Local\Temp\668e7df7c1d1bb5ec520f495c57338e4888a29307c8f4e79e6594609b6bdecba.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\system32\explorer.exe
      2⤵
      • Deletes itself
      PID:1500
    • C:\Program Files (x86)\asfasf\PlantsVsZombies.exe
      "C:\Program Files (x86)\asfasf\PlantsVsZombies.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2424

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\asfasf\PlantsVsZombies.exe

    Filesize

    1KB

    MD5

    a66cffc96645d79c73d2b240158f7277

    SHA1

    0938d84bc98acc301e02dd95ec244d05f40e1287

    SHA256

    ebc55cc7f5f8b5e0dbd81dd50cce8b42f6007cc33c5e722bef398ea6d0b6996e

    SHA512

    e442fe6fc6708a323bc5158e3ba86aaf9e6dccd5ea43acfa34f97ae1e021a9111b38147641161d4b233426fbcb47931dcde924f9b5666ec347487b9b3a0c5b13

  • C:\Program Files (x86)\asfasf\bass.dll

    Filesize

    238KB

    MD5

    cb4e2e1f2524d55531c4975ed6335156

    SHA1

    09824664ff6c3afae28f39fade417f780b873be5

    SHA256

    6490c22ac196715713fb22e6451fc7f573f5ed3428cf92e2c9c52e2ebaa643d8

    SHA512

    8b815f6aa4de413b93190fcfb40315f9da3479335b46d924a39448bbe623ca459cd49243d6c170995531e89f9897bc5d59913bac48b3204a65811daf3dd9bc5d

  • C:\Users\Admin\AppData\Local\Temp\asfasf\asfasfStep\Install\zh-CN\3.png

    Filesize

    42KB

    MD5

    23f2a0f91881756076fafe9ebf153fae

    SHA1

    f735820595a59910a8d1a9f455c6eaab76054e47

    SHA256

    7dc15af60f0a7ef4a93d70211008892f2bcfb3c19d5fb3e5d2fe64c27c2499d9

    SHA512

    4adb2582e6b3b89a170cd955642bf8a63957c69efbab15baf6c9efd245638692a9b3377e1d3b4f40ad5577a490be73b72f73c06390db2d3b1246079b59349df8

  • C:\Users\Admin\AppData\Local\Temp\nsyF5D.tmp\nsExec.dll

    Filesize

    7KB

    MD5

    11fa0e8418835a4bc8799095d58c0f43

    SHA1

    4e1125bdd1be4162fe59872cf75cb57ab24a73c3

    SHA256

    d3a84536a8b2aac7c7de6eeb072feb1aecf53c58738d314313ea4779080e8788

    SHA512

    56491bbfd7354422f8ae62f4ff19e14d18f503bce6ae4a1e158491d952216ffc84cb57df60f00a0071f03f163f5e31fbd6480aeeeb89d5b5bd83388720575144

  • C:\Users\Admin\AppData\Local\Temp\nsyF5D.tmp\nsSkinEngine.dll

    Filesize

    191KB

    MD5

    b46e715a17523c95e90f45a9a9485653

    SHA1

    3674609e1fa4b4374eab67b3a0955610f1bc1cef

    SHA256

    01d6775e7531d73070336af3594192ef8b446e093789777081282bf595a805f3

    SHA512

    cce153b6e6dda3c884da71d345eeb0963e8ae54cfde57f38193cb38a9b8953533711e5384e7ce5919e1b3152f20173bf8d32effbc6b1726fecf08ea1f4eccd50

  • C:\Users\Admin\AppData\Local\Temp\nsyF5D.tmp\nsUtils.dll

    Filesize

    136KB

    MD5

    b50c1e76fde17b21c947fea92f907d52

    SHA1

    de261d3fb93a7d049a5886ae5617292a5f7ab8db

    SHA256

    19b9ca949730cdee3e047dd9033d490993417c428065c1c3497224e8f6a24b85

    SHA512

    77ca60c8d6184d0c96a358e19caeb0a1a5cb35c202b33b5fed6cf52d828846119ffd647700b0793e1c35bee21418ad5055e20e2fba27875484246b1ae60fbaff

  • \Program Files (x86)\asfasf\PlantsVsZombies.exe

    Filesize

    171KB

    MD5

    205847a4d7fbeceeab235efee438ec6f

    SHA1

    9dbb60d7d9091d8aa2f3fe2bf3cc04ae620ca90c

    SHA256

    b65740708035df76c572f62878126fe4bc6556bd597b7d878b1bd4af3e06ab9e

    SHA512

    54de8ac627ea91892f66afe524e99f3943c67297c7a71d1315b9e8b9eb080d5b99aa0109dc4fe123abd1eef7af45c96dce4bcfffac95b6119167c32d1135cc9d

  • \Program Files (x86)\asfasf\bass.dll

    Filesize

    272KB

    MD5

    5866760637d833c54101f7b114d28b55

    SHA1

    234c7c8e189e6b2555b517e91407e1203f385d10

    SHA256

    7b37983edd5b0a2562ad3d9333e9792d92661acd4992c732f0cad69706db422c

    SHA512

    66889dfe39ad693968b10fb845b823bfc8f6f191cd99671eeff2485cfd1bdefc8285138ac4d83aea3133c26561db11bbcb5a481530f6b1156c4a4bb0b6df9b12

  • \Users\Admin\AppData\Local\Temp\nsyF5D.tmp\SelfDel.dll

    Filesize

    5KB

    MD5

    ca8bcdded6b265453cf68bae8bbd0b3a

    SHA1

    9dbe872ac53e075c0954c882d034aa009c733092

    SHA256

    299ba97dda721cc9216bda218769eb269a239c8bcf09bd6acc774ff935849184

    SHA512

    a9b19434c35236a049036f0153a5c7184c95249fdb04ef7605484551d40a8aba37462eb617e96301cd4363a324f0282e26179ce4b78973ca43e0a63b4dffb33c

  • \Users\Admin\AppData\Local\Temp\nsyF5D.tmp\System.dll

    Filesize

    11KB

    MD5

    553d576d77585b9e3a2819256694e81f

    SHA1

    9cbbfeff076d3edc1385be5d8972a3faf0022546

    SHA256

    96975506cfa9563dbdf01e03e8c4450b0ba085d04b204c7ffc372687e426bfc4

    SHA512

    f678d4af21f420df8b845d67bf00982e0a3126904da6467a61b604394fa9a641e1bfcbe73c9ebe9f9e49870ee116e5bdaccd245577a8c328af6047c00c3859b7

  • \Users\Admin\AppData\Local\Temp\nsyF5D.tmp\nsSkinEngine.dll

    Filesize

    646KB

    MD5

    a36e3a886375a1c1473d77a1f37d24e1

    SHA1

    8ba667e1ec2de2ed19919953f433a7b99e3bc413

    SHA256

    21acb9006b8106ef01e5dcbc6d731317414b8a4649d077714860821bf4af8927

    SHA512

    608932a7f269b0967d66714a8d4b9e2b038200caf5cce8ad6e555f8bdd2a09af93dc57aefcfdc5fe38e76526b6c0a1b185ccd604e5f86695e78299044f9b93c9

  • \Users\Admin\AppData\Local\Temp\nsyF5D.tmp\nsUtils.dll

    Filesize

    113KB

    MD5

    8329c5597faf5e6b1dbfb839c7575b80

    SHA1

    69f3863fe8c0e921f1b99ba22fdf53e880f3947b

    SHA256

    cd8bb1c046a0fb15ec92600bb65ef265931ee4e6ec3cd9f496a97c7201cb09a6

    SHA512

    49ba91b35f7c088f97dbfb90a2c757d81d0f0d569e3f30d4f1278c5f13eb3b1516c191c1f512788fb6ebe770adab8128820bb6422bc314591160902894fc2d97

  • memory/2372-122-0x0000000073F20000-0x0000000073F29000-memory.dmp

    Filesize

    36KB

  • memory/2372-105-0x0000000073F20000-0x0000000073F29000-memory.dmp

    Filesize

    36KB

  • memory/2424-114-0x0000000004A40000-0x0000000004A41000-memory.dmp

    Filesize

    4KB

  • memory/2424-120-0x0000000010000000-0x0000000010189000-memory.dmp

    Filesize

    1.5MB

  • memory/2424-107-0x0000000002290000-0x000000000229A000-memory.dmp

    Filesize

    40KB

  • memory/2424-111-0x0000000074260000-0x000000007434D000-memory.dmp

    Filesize

    948KB

  • memory/2424-116-0x0000000004F90000-0x0000000004FEF000-memory.dmp

    Filesize

    380KB

  • memory/2424-117-0x0000000010000000-0x0000000010189000-memory.dmp

    Filesize

    1.5MB

  • memory/2424-106-0x0000000002290000-0x000000000229A000-memory.dmp

    Filesize

    40KB

  • memory/2424-121-0x0000000010000000-0x0000000010189000-memory.dmp

    Filesize

    1.5MB

  • memory/2424-123-0x0000000010000000-0x0000000010189000-memory.dmp

    Filesize

    1.5MB

  • memory/2424-125-0x0000000010000000-0x0000000010189000-memory.dmp

    Filesize

    1.5MB

  • memory/2424-110-0x0000000074260000-0x000000007434D000-memory.dmp

    Filesize

    948KB

  • memory/2424-134-0x0000000002290000-0x000000000229A000-memory.dmp

    Filesize

    40KB

  • memory/2424-133-0x0000000002290000-0x000000000229A000-memory.dmp

    Filesize

    40KB

  • memory/2424-135-0x0000000074260000-0x000000007434D000-memory.dmp

    Filesize

    948KB

  • memory/2424-136-0x0000000010000000-0x0000000010189000-memory.dmp

    Filesize

    1.5MB