Analysis

  • max time kernel
    151s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2023, 15:21

General

  • Target

    0383d9b89c79c31c78dc3fc01b6bd4fb.exe

  • Size

    668KB

  • MD5

    0383d9b89c79c31c78dc3fc01b6bd4fb

  • SHA1

    dd2c003bef0b2b9800404178a5582af4cf86d5ad

  • SHA256

    66fd0db31f99ed1ca05b961ab1a86ec56d3d54e3cef269ed906be1c32d302f02

  • SHA512

    0ccac8a7a18a6cb9afefe44234462b34c967b4c467dc3513595554dcdb724016f7eecb8622799246ca26fe9b8cb100af12275c066b2eb91302ad88f955a39b86

  • SSDEEP

    12288:3/eC0vZVQQxfnr+TK7r79/JenWAG36ATphjM5Bv9:3/XwVQQxfnr+TK7r79/Je3GqArjM5Bv9

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0383d9b89c79c31c78dc3fc01b6bd4fb.exe
    "C:\Users\Admin\AppData\Local\Temp\0383d9b89c79c31c78dc3fc01b6bd4fb.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2028
    • \??\c:\Windows\svchest000.exe
      c:\Windows\svchest000.exe
      2⤵
      • Executes dropped EXE
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\svchest000.exe

    Filesize

    623KB

    MD5

    f445212baec163e174e0f3d6b232c502

    SHA1

    c6f4b4873ad4c1fefb47f5ccf4f3f2256e14d70c

    SHA256

    53f100c831ea189fb06c2bea92cee8e80589925594f54d7e8c2f31c9373f3f3f

    SHA512

    8403875f04cc3a3b4c3cd94ace1343f3882e059061462c7f07672657d48994ba7ba70f34e9a4630cd83f2a876f5ed6ae3485cebc1bc2be53eb6bd6f36646a73c

  • C:\Windows\svchest000.exe

    Filesize

    434KB

    MD5

    5c47aa979da42a463f42ec3c18d4525b

    SHA1

    ccacd5ed63c03630784f4b0cf036f210422f7d44

    SHA256

    57ea051feee18c284d6a33446aacfe9a67f8c34bf7d226ffdde41b8291a25fd9

    SHA512

    99a39cccf0f402b984ed638aab16afff1d9f78b55b4857ba87d6b1f6b09ecaba0ef40c8366e6d9ee57bdaa672d0eb212ce546ac090db085e49c7c2c7036ef26d