Overview

overview

10

Static

static

3

668e7df7c1...ba.exe

windows7-x64

10

668e7df7c1...ba.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    668e7df7c1d1bb5ec520f495c57338e4888a29307c8f4e79e6594609b6bdecba.exe

  • Size

    5.6MB

  • MD5

    0a33a1bfd046c651c8c91edb3d7b972c

  • SHA1

    fe93b5f6242be4e5b89c5e2dcd46640b456cd71d

  • SHA256

    668e7df7c1d1bb5ec520f495c57338e4888a29307c8f4e79e6594609b6bdecba

  • SHA512

    5be38c53d2471c19c15aa1212839cd8bafcf42796977ea7f27daebf9a840af0dcfcdc20b244bf85902d6365d1eed52f8efff0c04cd389bf1a570b6d007d49ad6

  • SSDEEP

    98304:GBGw4JTYdg7szAofgIlGE4JmUwMDeQo9vCRxNwimxt2Nv6GAsF7EyZ1pjZBZYZZ0:GBGw4JmqcxgiGE4JiMqF6DChU6AvfjBf

Score
10/10
gh0stratratupxvmprotect

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 5 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\668e7df7c1d1bb5ec520f495c57338e4888a29307c8f4e79e6594609b6bdecba.exe
    "C:\Users\Admin\AppData\Local\Temp\668e7df7c1d1bb5ec520f495c57338e4888a29307c8f4e79e6594609b6bdecba.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3816
    • C:\Program Files (x86)\asfasf\PlantsVsZombies.exe
      "C:\Program Files (x86)\asfasf\PlantsVsZombies.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1584
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\system32\explorer.exe
      2⤵
      • Deletes itself
      PID:4640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\asfasf\PlantsVsZombies.exe
    Filesize

    2.6MB

    MD5

    a8738b3c3d4c6fe4026317a576a1691b

    SHA1

    7f71398f5d61073934c6c0002c370acf264a248e

    SHA256

    1ff153a4678c1834aecaa892933e83f20bbd6b293b799a4e1298ce4105337038

    SHA512

    2f449ccfcca863652566491add74e4b293577e4a90fc3e0c3d3297107e9ceb809f95081e29f34bb81b5e3927316bd9eb2496c25e8f8a5a9da4b0a0cc31580bc0

    Download Submit

  • C:\Program Files (x86)\asfasf\PlantsVsZombies.exe
    Filesize

    2.1MB

    MD5

    ed6708f44a7e2b28d844b3f9aee955fd

    SHA1

    a0e2a94f9e677242b023f948661d01d038e76f24

    SHA256

    8d28b3fca22be16e422812364905119dcf2a231d1564148344927584c8c018cc

    SHA512

    60f42f8cb7cedb403e4e6b94ffee268528c416b6e3b4b1d943b2d5743e72b115f6f18442875d8aefda4698ca925011ca2a8c7aec046bfb4884ea24ee7a313e8d

    Download Submit

  • C:\Program Files (x86)\asfasf\bass.dll
    Filesize

    678KB

    MD5

    0948eafedbba6c194b72dba58526413d

    SHA1

    2c2e2e2b3fe54aacd21cac03e2c0f2496c1df95d

    SHA256

    f62fcb2a59a7ea41fc3ebc79c844855fa1bc6260a4467a4d00371c0e066bc108

    SHA512

    5a6ff4d99e89962cbe541ffb8eec31d537862133ab1a468074727e04afa6af51afcbe3a152efe56eb2a4398a598d14c793813aae1d7b409cfca955c7bdea6411

    Download Submit

  • C:\Program Files (x86)\asfasf\bass.dll
    Filesize

    363KB

    MD5

    8217a0a493ec1c9326ef7c2553e75908

    SHA1

    63b090b4858d762b0aa203693eeff092a3ed9778

    SHA256

    cd5d568e76fd8a4333c9011c8218581d849c3d314117223b3213e59a6fe1c347

    SHA512

    199faad44d5c13e639d7bd24ae94c1525bf2cd01e09fc5de95ff26e422214013196f68b90c74c8611000b2f7fe50b178020ea33f0687bb1d214dc6b8a2729ba2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\asfasf\asfasfStep\Install\zh-CN\3.png
    Filesize

    42KB

    MD5

    23f2a0f91881756076fafe9ebf153fae

    SHA1

    f735820595a59910a8d1a9f455c6eaab76054e47

    SHA256

    7dc15af60f0a7ef4a93d70211008892f2bcfb3c19d5fb3e5d2fe64c27c2499d9

    SHA512

    4adb2582e6b3b89a170cd955642bf8a63957c69efbab15baf6c9efd245638692a9b3377e1d3b4f40ad5577a490be73b72f73c06390db2d3b1246079b59349df8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nskA0B5.tmp\SelfDel.dll
    Filesize

    5KB

    MD5

    ca8bcdded6b265453cf68bae8bbd0b3a

    SHA1

    9dbe872ac53e075c0954c882d034aa009c733092

    SHA256

    299ba97dda721cc9216bda218769eb269a239c8bcf09bd6acc774ff935849184

    SHA512

    a9b19434c35236a049036f0153a5c7184c95249fdb04ef7605484551d40a8aba37462eb617e96301cd4363a324f0282e26179ce4b78973ca43e0a63b4dffb33c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nskA0B5.tmp\System.dll
    Filesize

    11KB

    MD5

    553d576d77585b9e3a2819256694e81f

    SHA1

    9cbbfeff076d3edc1385be5d8972a3faf0022546

    SHA256

    96975506cfa9563dbdf01e03e8c4450b0ba085d04b204c7ffc372687e426bfc4

    SHA512

    f678d4af21f420df8b845d67bf00982e0a3126904da6467a61b604394fa9a641e1bfcbe73c9ebe9f9e49870ee116e5bdaccd245577a8c328af6047c00c3859b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nskA0B5.tmp\nsExec.dll
    Filesize

    7KB

    MD5

    11fa0e8418835a4bc8799095d58c0f43

    SHA1

    4e1125bdd1be4162fe59872cf75cb57ab24a73c3

    SHA256

    d3a84536a8b2aac7c7de6eeb072feb1aecf53c58738d314313ea4779080e8788

    SHA512

    56491bbfd7354422f8ae62f4ff19e14d18f503bce6ae4a1e158491d952216ffc84cb57df60f00a0071f03f163f5e31fbd6480aeeeb89d5b5bd83388720575144

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nskA0B5.tmp\nsSkinEngine.dll
    Filesize

    646KB

    MD5

    a36e3a886375a1c1473d77a1f37d24e1

    SHA1

    8ba667e1ec2de2ed19919953f433a7b99e3bc413

    SHA256

    21acb9006b8106ef01e5dcbc6d731317414b8a4649d077714860821bf4af8927

    SHA512

    608932a7f269b0967d66714a8d4b9e2b038200caf5cce8ad6e555f8bdd2a09af93dc57aefcfdc5fe38e76526b6c0a1b185ccd604e5f86695e78299044f9b93c9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nskA0B5.tmp\nsUtils.dll
    Filesize

    166KB

    MD5

    f94ced0f40a82f6828e498377230f041

    SHA1

    bc926b0a2344a82ee6262bfbfe12c54eca6db31a

    SHA256

    7339d2fdfc5d9fa055c8b932c708104a7bf055154062107d51e55da412a49d7e

    SHA512

    31ae5ed3886be569ad9daa1df958228a11d147b09a9f6bfa4193ab13f8be619dc03c46bcaa6e7d5df2f7d9594b55eb7287f43f48d4ef5d03c1648f126c23f631

    Download Submit

  • memory/1584-99-0x00000000742E0000-0x00000000743CD000-memory.dmp

    Filesize

    948KB

    Download

  • memory/1584-100-0x00000000742E0000-0x00000000743CD000-memory.dmp

    Filesize

    948KB

    Download

  • memory/1584-103-0x0000000005DD0000-0x0000000005DD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1584-105-0x00000000742E0000-0x00000000743CD000-memory.dmp

    Filesize

    948KB

    Download

  • memory/1584-106-0x0000000005F20000-0x0000000005F7F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/1584-107-0x0000000010000000-0x0000000010189000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1584-111-0x0000000010000000-0x0000000010189000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1584-110-0x0000000010000000-0x0000000010189000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1584-112-0x0000000010000000-0x0000000010189000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1584-114-0x0000000010000000-0x0000000010189000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1584-122-0x0000000010000000-0x0000000010189000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3816-95-0x0000000073340000-0x0000000073349000-memory.dmp

    Filesize

    36KB

    Download