Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-12-2023 12:00

General

  • Target

    6ccd76cae0f6b7c290c5a3c40a69c1d1.exe

  • Size

    2.2MB

  • MD5

    6ccd76cae0f6b7c290c5a3c40a69c1d1

  • SHA1

    8a6b2da9dc43ab47189a9794c029d09443d263c4

  • SHA256

    0a4a6fb97eed17dbfea4e4c09374ae21dec4c0d3ca8c6df67bb5a9fa01b503d0

  • SHA512

    71345f635471acc72aa7f12f4bae4f42fb2efee0545cb0f5421eb45eafb8dbe91734bc1400a923caf7514eb260ba72fdeb4261bf7c4195a9d6bb2ed6212b8470

  • SSDEEP

    49152:QH67hc//////RT+auKvoGnPQsy+W78TsYdHra88zvURwp2BKsnu:QH67hc//////RYsyT8TzHrV7Ksnu

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ccd76cae0f6b7c290c5a3c40a69c1d1.exe
    "C:\Users\Admin\AppData\Local\Temp\6ccd76cae0f6b7c290c5a3c40a69c1d1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\TxwuServer.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Users\Admin\AppData\Local\Temp\TxwuServer.exe
        C:\Users\Admin\AppData\Local\Temp\TxwuServer.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2692
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Users\Admin\AppData\Local\Temp\server.exe
        C:\Users\Admin\AppData\Local\Temp\server.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
          C:\Users\Admin\AppData\Local\Temp\V2011\svchost.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2836
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c afc9fe2f418b00a0.bat
          4⤵
          PID:2864

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

      Filesize

      2KB

      MD5

      410e2424a78b78473ed6f786478d690e

      SHA1

      e00fc8e126b42949b6d9e4b99c726ca86fb4c241

      SHA256

      42915e2d18ac3d175b0ba851a217687aa0367d6ce554add594948f52c812e559

      SHA512

      4ca4682ee41fc6aec747b5cbae1d9933ca5212660ed0ea81d6f38802d115659c9144b824d6a57b4a546b0fc7357d7332b77dcae6bd4343d8daa0ec6042e051ac

    • C:\Users\Admin\AppData\Local\Temp\server.exe

      Filesize

      204KB

      MD5

      5ed196a15ef903165be41283952a761b

      SHA1

      abd88d94efaf73f1ffc4a8d9c103730e2902d141

      SHA256

      496e2fef694fa32aa4c8b46ddaada5eb39c3375d499146e8c2badcc69f02521b

      SHA512

      eae6552687ae048aedce16459304050c4e3d6dd9d48d941372914b1d4f77df41f8a295ae43312dab1e18697bdb5bf82ea02a6be8679190dc0d168be8924fe9f1

    • \Users\Admin\AppData\Local\Temp\TxwuServer.exe

      Filesize

      1.6MB

      MD5

      6e488fd70b4358d0c841e0412882db61

      SHA1

      6047de212f92a1de7d0b94a8025065f5263ae74e

      SHA256

      22f561dd05c53abc3c09e99d5f06a50487c531a7c9d5d9c2ff6a0891a1aca8c9

      SHA512

      7b2a3fae3df00019d3939c840b12f1aa4b7b9808f8c76afbbef3c47e60b15182e05be9b899aa2dee98eb26a6b8801ee59b12e2dedd515f663a3be36ef29c5ca7

    • memory/2172-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

    • memory/2172-3-0x0000000000400000-0x0000000000642000-memory.dmp

      Filesize

      2.3MB

    • memory/2368-10-0x0000000001F60000-0x000000000221B000-memory.dmp

      Filesize

      2.7MB

    • memory/2692-25-0x00000000003B0000-0x00000000003B1000-memory.dmp

      Filesize

      4KB

    • memory/2692-13-0x0000000000400000-0x00000000006BB000-memory.dmp

      Filesize

      2.7MB

    • memory/2692-29-0x0000000000400000-0x00000000006BB000-memory.dmp

      Filesize

      2.7MB

    • memory/2692-30-0x0000000000400000-0x00000000006BB000-memory.dmp

      Filesize

      2.7MB

    • memory/2692-31-0x00000000003B0000-0x00000000003B1000-memory.dmp

      Filesize

      4KB

    • memory/2692-42-0x0000000000400000-0x00000000006BB000-memory.dmp

      Filesize

      2.7MB