Malware Analysis Report

2024-09-11 08:40

Sample ID 240613-rvetyasgjc
Target 064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe
SHA256 064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d
Tags
gh0strat rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d

Threat Level: Known bad

The file 064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe was found to be: Known bad.

Malicious Activity Summary

gh0strat rat upx

Gh0st RAT payload

Gh0strat

Deletes itself

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 14:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 14:30

Reported

2024-06-13 14:33

Platform

win7-20240611-en

Max time kernel

132s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Deletes itself

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\AppPatch\8.77.dll C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe N/A
File opened for modification C:\Program Files\AppPatch\8.77.dll C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe N/A
File created C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe
PID 2028 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe
PID 2028 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe
PID 2028 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe
PID 2812 wrote to memory of 2776 N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe
PID 2812 wrote to memory of 2776 N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe
PID 2812 wrote to memory of 2776 N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe
PID 2812 wrote to memory of 2776 N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe
PID 2812 wrote to memory of 2180 N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe C:\Windows\SysWOW64\WerFault.exe
PID 2812 wrote to memory of 2180 N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe C:\Windows\SysWOW64\WerFault.exe
PID 2812 wrote to memory of 2180 N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe C:\Windows\SysWOW64\WerFault.exe
PID 2812 wrote to memory of 2180 N/A C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe

"C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe"

C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe

"C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe"

C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe

"C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe"

C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe

"C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 344

Network

Country Destination Domain Proto
US 8.8.8.8:53 star.sp168.tv udp
HK 156.241.4.189:7744 star.sp168.tv tcp
US 8.8.8.8:53 star.sp168.tv udp
HK 156.241.4.189:10091 star.sp168.tv tcp
HK 156.241.4.189:10091 star.sp168.tv tcp
HK 156.241.4.189:10091 star.sp168.tv tcp
HK 156.241.4.189:10091 star.sp168.tv tcp

Files

C:\Program Files\AppPatch\8.77.dll

MD5 0a74e0bffbce3cc5466796739cfdeb44
SHA1 c3b50df0a1de18b7053bff1b0293f5512f824055
SHA256 cdabc33a27b23c2060637193a4cbad94e16d31e6a4df7d67bdc6b63c1d056b30
SHA512 9fb4f39d95820f63da2d8767b76f317c512a8db1b86428f04baf4b163d0deaee5c4726c9f66807a3b1c223d575557fabc88e0cde73a4561b304f6edd76b8cc36

memory/2028-5-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2028-8-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2028-10-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2028-9-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2028-11-0x0000000010000000-0x000000001034B000-memory.dmp

\Program Files (x86)\Microsoft Bltenu\svchostss.exe

MD5 fc58e29974c49a329c30188f5a468e08
SHA1 e90e06cdffe124bd1255ad0e42ba2ddd1a0c815f
SHA256 064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d
SHA512 4d6cd006d1ddd38c8e7a0fc2f6c4674c2d75aa0dd86eac478038362299b7eb249887270998855463827908391767ad288648af13111ccfe9d6285c8e7b133b21

memory/2660-22-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2660-27-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2660-25-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2660-26-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2812-34-0x0000000010000000-0x000000001034B000-memory.dmp

memory/2812-45-0x0000000010000000-0x000000001034B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 14:30

Reported

2024-06-13 14:33

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe"

Signatures

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\AppPatch\8.77.dll C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe

"C:\Users\Admin\AppData\Local\Temp\064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 star.sp168.tv udp
US 8.8.8.8:53 star.sp168.tv udp
US 8.8.8.8:53 star.sp168.tv udp
US 8.8.8.8:53 star.sp168.tv udp
US 8.8.8.8:53 star.sp168.tv udp
US 8.8.8.8:53 star.sp168.tv udp
US 8.8.8.8:53 star.sp168.tv udp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 star.sp168.tv udp
US 8.8.8.8:53 star.sp168.tv udp
US 8.8.8.8:53 star.sp168.tv udp
US 8.8.8.8:53 star.sp168.tv udp
US 8.8.8.8:53 star.sp168.tv udp

Files

N/A