Analysis
-
max time kernel
147s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
26-12-2023 16:21
General
-
Target
7c5088dec29353a5967706a9bd7bc4f1.exe
-
Size
957KB
-
MD5
7c5088dec29353a5967706a9bd7bc4f1
-
SHA1
7468ae4e9bcf24f0da72e7ec4980e7f56cf58ae8
-
SHA256
f188c80e547043111322a1814ef8db1cbda450b4208df815ccc6b06148408cf8
-
SHA512
190a1a3bc6c2531065240aaabaf590d04b5613fea1c616e095bfca114b74c0f0b41c655eeeb3af634553f8ddaa217310ef80160898bed3bdfe597e4ff37c7709
-
SSDEEP
12288:iM5jZKbBL3aKHx5r+TuxX+fWbwFBfdGmZKl:iM5j8Z3aKHx5r+TuxX+IwffFZKl
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 5 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c5088dec29353a5967706a9bd7bc4f1.exe"C:\Users\Admin\AppData\Local\Temp\7c5088dec29353a5967706a9bd7bc4f1.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
\??\c:\Windows\svchest432048043204801465662051.exec:\Windows\svchest432048043204801465662051.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
957KB
MD57c5088dec29353a5967706a9bd7bc4f1
SHA17468ae4e9bcf24f0da72e7ec4980e7f56cf58ae8
SHA256f188c80e547043111322a1814ef8db1cbda450b4208df815ccc6b06148408cf8
SHA512190a1a3bc6c2531065240aaabaf590d04b5613fea1c616e095bfca114b74c0f0b41c655eeeb3af634553f8ddaa217310ef80160898bed3bdfe597e4ff37c7709
-
Filesize
382KB
MD52404361d97b6cfaa440bc4d90327421b
SHA125fa8f7576568f5197bdd330ff36386217fc670b
SHA256ebd984ffecf9bd635d8cdbfe43039531138ae4ee0824589d2b31a08f139c9bd9
SHA512ea257a3dfb9165a1cfb9469ada357984dfe2d4e54e49957eb30179efc64bf8bbad02e5eae95dceda4d82e509bd50169d3c3d5cfa48e501944ca7bfddbec2fa94