Analysis

  • max time kernel
    151s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 05:54

General

  • Target

    107890e6e27ae341ee36d8ec579093af.exe

  • Size

    496KB

  • MD5

    107890e6e27ae341ee36d8ec579093af

  • SHA1

    246e40b90a30be736730c32ec27962454d8aad19

  • SHA256

    659d646e41969c9875112e1454f2215989418e0586ccb19c7a7798b28b97a0e3

  • SHA512

    8dbe5a6e477df35e1101aa218e2665dbc1f985c139063bdae0e6fe2f27ba5b4a9c688c349c7fde382a29abf0b76bd342a0fc51f4204541a0de576accbeac1b77

  • SSDEEP

    12288:g08PKZVQQxfnr+TK7r79/J0NWNf37JcAayM5ahHjX:b8AVQQxfnr+TK7r79/J0ofrJEyM5ahDX

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\107890e6e27ae341ee36d8ec579093af.exe
    "C:\Users\Admin\AppData\Local\Temp\107890e6e27ae341ee36d8ec579093af.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2504
    • \??\c:\Windows\(null)0.exe
      c:\Windows\(null)0.exe
      2⤵
      • Executes dropped EXE
      PID:2292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\(null)0.exe

    Filesize

    496KB

    MD5

    107890e6e27ae341ee36d8ec579093af

    SHA1

    246e40b90a30be736730c32ec27962454d8aad19

    SHA256

    659d646e41969c9875112e1454f2215989418e0586ccb19c7a7798b28b97a0e3

    SHA512

    8dbe5a6e477df35e1101aa218e2665dbc1f985c139063bdae0e6fe2f27ba5b4a9c688c349c7fde382a29abf0b76bd342a0fc51f4204541a0de576accbeac1b77