Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    19-06-2024 15:00

General

  • Target

    0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe

  • Size

    444KB

  • MD5

    39d865aa4171442b417c40479e63a03f

  • SHA1

    0da788f33274472b1b2217a31301eddd95c7e77c

  • SHA256

    0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f

  • SHA512

    619e5585a51dd03bddef2a67e7bbce0742266750548004a4c664715d5a217fd9477de22c91218b39a6c5d957ec1f4fb3a6743ebf9ad86814632e55750cd4ca82

  • SSDEEP

    12288:MykIP8aYKbeqA1UtLD45VZ3Mc2YpFjW8D:MKP9YbiR45v3Va8

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 7 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe
    "C:\Users\Admin\AppData\Local\Temp\0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
      "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1152
  • C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
    "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
      "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Enumerates connected drives
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe

    Filesize

    444KB

    MD5

    39d865aa4171442b417c40479e63a03f

    SHA1

    0da788f33274472b1b2217a31301eddd95c7e77c

    SHA256

    0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f

    SHA512

    619e5585a51dd03bddef2a67e7bbce0742266750548004a4c664715d5a217fd9477de22c91218b39a6c5d957ec1f4fb3a6743ebf9ad86814632e55750cd4ca82

  • memory/1152-37-0x0000000000400000-0x0000000000863000-memory.dmp

    Filesize

    4.4MB

  • memory/1152-26-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

  • memory/1152-24-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

  • memory/1152-27-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

  • memory/1152-28-0x0000000000400000-0x0000000000863000-memory.dmp

    Filesize

    4.4MB

  • memory/2208-9-0x0000000000400000-0x0000000000863000-memory.dmp

    Filesize

    4.4MB

  • memory/2208-2-0x0000000000310000-0x0000000000371000-memory.dmp

    Filesize

    388KB

  • memory/2208-19-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

  • memory/2208-5-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

  • memory/2208-7-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

  • memory/2208-1-0x0000000000950000-0x0000000000A50000-memory.dmp

    Filesize

    1024KB

  • memory/2208-8-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

  • memory/2208-20-0x0000000000400000-0x0000000000863000-memory.dmp

    Filesize

    4.4MB

  • memory/2208-3-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

  • memory/2632-36-0x0000000000400000-0x0000000000863000-memory.dmp

    Filesize

    4.4MB

  • memory/2708-47-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

  • memory/2708-48-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

  • memory/2708-49-0x0000000010000000-0x0000000010362000-memory.dmp

    Filesize

    3.4MB

  • memory/2708-50-0x0000000000400000-0x0000000000863000-memory.dmp

    Filesize

    4.4MB