Analysis
-
max time kernel
170s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
03/01/2024, 14:38
General
-
Target
38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
-
Size
3.5MB
-
MD5
9faace482045ab5df714a1e42ccca112
-
SHA1
85156d4347decd70b060f7f90aea67fc7ca7bde8
-
SHA256
38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33
-
SHA512
874f04dfad6149d0635c84bf3e6c51caf74a7d5ae7ac62477d6760cfa19dfe8571c2da6e1b149e7f837407cc5e905b4767015e0608d3554ef2a9e05bb87ca083
-
SSDEEP
49152:9YREXSVMDi34QnsHyjtk2MYC5GDsVN/wEwqq8u5zn:S2SVMD8dnsmtk2alWqTuxn
Malware Config
Signatures
-
Gh0st RAT payload 1 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
-
ParallaxRat payload 21 IoCs
Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"C:\Users\Admin\AppData\Local\Temp\38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\look2.exeC:\Users\Admin\AppData\Local\Temp\\look2.exe2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exeC:\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe"C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"4⤵
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate5⤵
-
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "svchcst"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "svchcst"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchcst.exeC:\Windows\system32\svchcst.exe "c:\windows\system32\240649968.bat",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}1⤵
- Drops startup file
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
381KB
MD5172ad4330f354a946837c90d0a4e56b2
SHA1d79f808f72e9403aea8880e95ecbbee5ad555cd7
SHA256296789f4ee01c92f8e4a6547d190385f699faa518ebd949a09b3eb215ad90810
SHA512312b7a163bbe8322bb98a88ecea40fa784863c491b79deb6a4da494af6ee1056d809e3f367736b756498cc597e8c6017776c327f00f10fa7dc1a51843ff7445d
-
Filesize
197KB
MD54a18a5ef2bd1e3cc2993b305b049b1db
SHA12c36ecab91be49abd270d505e5035f621b2310f6
SHA256e02b2becadf16c3a6b7a159037652dca8243ae55a842d9fbca9e751cf7a7e832
SHA512d784d1414adabc132e5112190979752fd6c843887e9d203a52822af2401eaa6ffe5cf40395adcf241eff34f58f514a76b1b7f62898ee6d950be643cc08eaa188
-
Filesize
1.1MB
MD5afbaff5b0f0641f35768f0022f4e0e8f
SHA13557f9e1fdf407bf523d851410a26f7512d88111
SHA256e000ac762a38933cb03ae247615b5335a5f12b6114c769c29e7d05fc940fffd4
SHA512336400ea3b37a5f218f83fef49b360725fda5cb54c3a7cfe3b8b43e2fda0a40ce4d56d954cbdeb623caa0e537059ec948b28f492d7d5280cc37d08803653bc8c
-
Filesize
96KB
MD5dec1c063e6fba01678c9078ec2e87894
SHA15119f1d4627444adaf73c8721b4fb1d5c4ea2a75
SHA25678fcaf28dc78ba6bebac7f963e41972ff173cd561f3bc1e27d5db2cef01fec82
SHA512ed34ac1ff24c5511f1d3293745352cee8394902bb3b659523ddfe9ce291f14b5da55b90e758f6720c34cc4f5c6388f23c35a5205bbde187df43c3c8d621db1c2
-
Filesize
337KB
MD52f3b6f16e33e28ad75f3fdaef2567807
SHA185e907340faf1edfc9210db85a04abd43d21b741
SHA25686492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857
SHA512db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4
-
Filesize
51KB
MD5c49425fc170f0f409fb14b26d92e6825
SHA1b98bce0ff50d054d44b2aa337057fccb9964aa71
SHA2568dbd24c9f28b90fef859ae3a9dadcd35d48bc0ddb954145becf2371f32cb5a7a
SHA512bb81910323b65c445b094ac23fea784417458e70bc31435c9dd878f366888ea5df32ccc9501c9ee3b8c4bd8db15884611e7264e6960186518b9ded9e684875cc
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
960KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
2.3MB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.3MB
-
Filesize
4KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB