Analysis

  • max time kernel
    117s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-02-2024 01:05

General

  • Target

    2024-02-19_537fc4fd0308fa48f6ff8565446983be_mafia.exe

  • Size

    1.9MB

  • MD5

    537fc4fd0308fa48f6ff8565446983be

  • SHA1

    88f1da61ad5b13a82f8fdbefefbd0583cf337e15

  • SHA256

    6e1aa1a73830b30b12eb4fb67a6977f4e4818eefd01048c7d9e9df53e82fe2d2

  • SHA512

    c66790f9c9d7bdba65d9290bfb6e5a1e2373f64ccb281a5a699bdec2c58426d3e978e8628fd0bde08058293cfaecfb0224e23f7f6ea5522b1dbad2626e3286f8

  • SSDEEP

    49152:XZLB4CgdSv2133M+vQ80O4nlgb7b2bCzrboqm0biyMEw4sk9DX3DLB:f4CgdSv2133M+J0jlgb7b2bCzrboqnwC

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-19_537fc4fd0308fa48f6ff8565446983be_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-19_537fc4fd0308fa48f6ff8565446983be_mafia.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-02-19_537fc4fd0308fa48f6ff8565446983be_mafia.exe > nul
      2⤵
      PID:2776
    • C:\Program Files (x86)\Wkueoqb.exe
      "C:\Program Files (x86)\Wkueoqb.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Program Files (x86)\Wkueoqb.exe
        "C:\Program Files (x86)\Wkueoqb.exe" Win7
        2⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\PROGRA~2\Wkueoqb.exe > nul
          3⤵
          PID:1704

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files (x86)\Wkueoqb.exe

        Filesize

        1.9MB

        MD5

        537fc4fd0308fa48f6ff8565446983be

        SHA1

        88f1da61ad5b13a82f8fdbefefbd0583cf337e15

        SHA256

        6e1aa1a73830b30b12eb4fb67a6977f4e4818eefd01048c7d9e9df53e82fe2d2

        SHA512

        c66790f9c9d7bdba65d9290bfb6e5a1e2373f64ccb281a5a699bdec2c58426d3e978e8628fd0bde08058293cfaecfb0224e23f7f6ea5522b1dbad2626e3286f8

      • C:\Program Files (x86)\Wkueoqb.exe

        Filesize

        965KB

        MD5

        8f1ff37491507ae8a96967eae7832058

        SHA1

        7790134a689a561ddabe0f3b030b870f70c4fcdf

        SHA256

        90fc288ca826d81569b0a30409a27e2739908050cf5c244ab0e38dce046cdbd2

        SHA512

        85080c84e6ce6e00537715c3e5d007d937038a45c214a6cdf6a2f9804f1d8ba6230a575cf57c5c382843e0703d9d7d4b552507ed9ac4919d049b90d9f137d5d6

      • C:\Program Files (x86)\Wkueoqb.exe

        Filesize

        640KB

        MD5

        e59567706e4cdecb0eb4e70bcd8a135e

        SHA1

        1d14b968ffa36e602dab3aad13483f09ae9673f3

        SHA256

        a26a6f03a965a1ee891f49410c3e221a1217c10e1c97a3d80cc49d6bb6fe7555

        SHA512

        edc763943e87a3b5346deb558e0b94317bb6bb2b913de94998c98d422c70568cd7c1938320006ab9aaf996bb126fdc29eca0ca50069bf307892ed04c95c30385

      • C:\Users\Public\Documents\pass.txt

        Filesize

        8B

        MD5

        71d864b6b132a9235400af39917131b3

        SHA1

        b79d02acde8be0d57bedef9bd3edeab0a5a066f3

        SHA256

        f4392ea35b8bafc5813b48055be473c4eceb72f11936a67a92cd9086efc2492e

        SHA512

        f331a1c933e016667682d3339784e57f4518305954a7e02643b4deab5ff8ded663232f38190d535457f4351d506f642cea961ea09dc3182c7917f8e483dbd0d3

      • memory/1664-2-0x0000000010000000-0x000000001001F000-memory.dmp

        Filesize

        124KB