Analysis Overview
SHA256
cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f
Threat Level: Known bad
The file cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
Server Software Component: Terminal Services DLL
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-19 05:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 05:38
Reported
2024-06-19 05:41
Platform
win7-20240508-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Gh0strat
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259400365.bat" | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchcst.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchcst.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File created | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\259400365.bat | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
"C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe"
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Users\Admin\AppData\Local\Temp\HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
C:\Users\Admin\AppData\Local\Temp\HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\259400365.bat",MainThread
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
Files
\Users\Admin\AppData\Local\Temp\look2.exe
| MD5 | 2f3b6f16e33e28ad75f3fdaef2567807 |
| SHA1 | 85e907340faf1edfc9210db85a04abd43d21b741 |
| SHA256 | 86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857 |
| SHA512 | db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4 |
\Windows\SysWOW64\259400365.bat
| MD5 | 12d5607f3ecaf568295820830a59b7f8 |
| SHA1 | 2bec8b410c445616344a1fae225901e6b622ecbc |
| SHA256 | a91d63d04c16edd527e148cc166df0855dc8e7e94d3ee30696c3f84ddde34726 |
| SHA512 | 7c83bc755ade89d21e1adca7ed12b0c25b9f4943e97645c58b7374e38dd0f5cacd3fa876c6f6ab4a5cd22d51e6341cbcf70757064f2abdc1d25e5c2390d37129 |
\Users\Admin\AppData\Local\Temp\HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
| MD5 | c41fff8e1bb43f921742f9a0e26b9f30 |
| SHA1 | e1e196010c6ca1ff6878c7fe6439cf389380cca8 |
| SHA256 | 48b87fb18808215b5dc4e77f74e42de61b1f42ad46a9c5fbb188889f9ca922ce |
| SHA512 | f7957ef978f84552db5c8de2f7ecabe93e25264134c82427ad7b3c2fad919199f343f7be27b68eafd9451d8efa568f19373160843581544e0a0ffd74a7a5a6ab |
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 886dd633a8cb415c0e3cfa22190c9022 |
| SHA1 | 0920adcc4c72cf2fb454049e740e715c216d325f |
| SHA256 | 1785a53dffdc114d59599baca35673085af93489ac3b404bdc3259f5c4f55284 |
| SHA512 | 6d8de33f413d99542f864001b54de43f8bb357abfe46d1d78b4216349ca4d2d41bf8e175bdae547806492b52faa854130eed5888dc6f5c7fe323228a5cebd920 |
\Windows\SysWOW64\svchcst.exe
| MD5 | 51138beea3e2c21ec44d0932c71762a8 |
| SHA1 | 8939cf35447b22dd2c6e6f443446acc1bf986d58 |
| SHA256 | 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124 |
| SHA512 | 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 05:38
Reported
2024-06-19 05:41
Platform
win10v2004-20240226-en
Max time kernel
154s
Max time network
161s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Gh0strat
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\240655375.bat" | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchcst.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchcst.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\240655375.bat | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ini.ini | C:\Users\Admin\AppData\Local\Temp\look2.exe | N/A |
| File created | C:\Windows\SysWOW64\svchcst.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
"C:\Users\Admin\AppData\Local\Temp\cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe"
C:\Users\Admin\AppData\Local\Temp\look2.exe
C:\Users\Admin\AppData\Local\Temp\\look2.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
C:\Users\Admin\AppData\Local\Temp\HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
C:\Users\Admin\AppData\Local\Temp\HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
C:\Windows\SysWOW64\svchcst.exe
C:\Windows\system32\svchcst.exe "c:\windows\system32\240655375.bat",MainThread
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| CN | 114.55.25.226:442 | kinh.xmcxmr.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| CN | 114.55.25.226:442 | kinh.xmcxmr.com | tcp |
| CN | 114.55.25.226:442 | kinh.xmcxmr.com | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| CN | 114.55.25.226:442 | kinh.xmcxmr.com | tcp |
| CN | 114.55.25.226:442 | kinh.xmcxmr.com | tcp |
| CN | 114.55.25.226:442 | kinh.xmcxmr.com | tcp |
| US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kinh.xmcxmr.com | udp |
| CN | 114.55.25.226:442 | kinh.xmcxmr.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\look2.exe
| MD5 | 2f3b6f16e33e28ad75f3fdaef2567807 |
| SHA1 | 85e907340faf1edfc9210db85a04abd43d21b741 |
| SHA256 | 86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857 |
| SHA512 | db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4 |
C:\Windows\SysWOW64\240655375.bat
| MD5 | 12d5607f3ecaf568295820830a59b7f8 |
| SHA1 | 2bec8b410c445616344a1fae225901e6b622ecbc |
| SHA256 | a91d63d04c16edd527e148cc166df0855dc8e7e94d3ee30696c3f84ddde34726 |
| SHA512 | 7c83bc755ade89d21e1adca7ed12b0c25b9f4943e97645c58b7374e38dd0f5cacd3fa876c6f6ab4a5cd22d51e6341cbcf70757064f2abdc1d25e5c2390d37129 |
C:\Users\Admin\AppData\Local\Temp\HD_cb73badf0e8c310b22a569dc32bf99b534c0ab2cc7c89ebac4654422a6ad1e1f.exe
| MD5 | c41fff8e1bb43f921742f9a0e26b9f30 |
| SHA1 | e1e196010c6ca1ff6878c7fe6439cf389380cca8 |
| SHA256 | 48b87fb18808215b5dc4e77f74e42de61b1f42ad46a9c5fbb188889f9ca922ce |
| SHA512 | f7957ef978f84552db5c8de2f7ecabe93e25264134c82427ad7b3c2fad919199f343f7be27b68eafd9451d8efa568f19373160843581544e0a0ffd74a7a5a6ab |
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
| MD5 | 886dd633a8cb415c0e3cfa22190c9022 |
| SHA1 | 0920adcc4c72cf2fb454049e740e715c216d325f |
| SHA256 | 1785a53dffdc114d59599baca35673085af93489ac3b404bdc3259f5c4f55284 |
| SHA512 | 6d8de33f413d99542f864001b54de43f8bb357abfe46d1d78b4216349ca4d2d41bf8e175bdae547806492b52faa854130eed5888dc6f5c7fe323228a5cebd920 |
C:\Windows\SysWOW64\svchcst.exe
| MD5 | 889b99c52a60dd49227c5e485a016679 |
| SHA1 | 8fa889e456aa646a4d0a4349977430ce5fa5e2d7 |
| SHA256 | 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910 |
| SHA512 | 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641 |