Analysis

  • max time kernel
    102s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 11:50

General

  • Target

    1c0a6c2808eb59a5577d5d415dd624a4.exe

  • Size

    133KB

  • MD5

    1c0a6c2808eb59a5577d5d415dd624a4

  • SHA1

    9f7b105a35dcb1604726f00c4b57a8cb0af8d99d

  • SHA256

    863268e4b23b69e2bff3395be373ea17395c93c2f67bd3c4a77e892b9730bde2

  • SHA512

    f48ad29a047630e0bbc1fb5752dd8f380d2734734ee3d7c0c148ac7bf5c6359e7067307683f0e67e3c3ba143b066d2cdb4da017f9b13c4d2ccdf0c7e5eafacbf

  • SSDEEP

    3072:3hRciShZh3/nOZcsUhWPtKhXhCIqSS/Au37t0j8J2YJpD:3hKiSdWZcspt6hTLCAu37u8J2YJpD

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c0a6c2808eb59a5577d5d415dd624a4.exe
    "C:\Users\Admin\AppData\Local\Temp\1c0a6c2808eb59a5577d5d415dd624a4.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\1c0a6c2808eb59a5577d5d415dd624a4.exe"
      2⤵
      • Deletes itself
      PID:2052
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Program Files (x86)\data.dll

    Filesize

    112KB

    MD5

    c85398d0770be56dc4610a155ba34423

    SHA1

    59b9c7694d4bd51ff602d505409fd84ed2c26015

    SHA256

    52a358458f041027d71358d49a1270f5caf8fdfe796ee0dc3cb7c7681c5d43c9

    SHA512

    354530501132a74567b270f77ad2751ff61d9663c004ceff26ffbb72bafd5ba879d20618e75494802e11d38435ae238af3ca243145de07a26796277df34bba21

  • memory/2012-0-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2012-4-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB