Overview

overview

10

Static

static

3

Server.exe

windows7-x64

10

Server.exe

windows10-1703-x64

10

Server.exe

windows10-2004-x64

10

Server.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24-07-2024 08:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Server.exe

  • Size

    766KB

  • MD5

    f84318afa382ae2f74f08be8ba328b7a

  • SHA1

    8673e0f055ac85c6e256a7d6c3de33d6ccb9a554

  • SHA256

    26c8103ac0b724de4d9d018f6b94fa9868cbe82dc4006460533d1cd92c72274b

  • SHA512

    d6e6bd5561b6762b33370370e5f368605cdcf7ace6b49114adc6ad1df7d891a2fdc51b554893a379a18fe376872f1a0d99600d043f7c2822f5bc422e636f656e

  • SSDEEP

    12288:7LlEGwAWQPHNEqEFXfkbJt0KF62v6zc3g3bDLsa0vNb/1oLff9pGHNu4B2UoHd:HlEGwHQPKqEFPkbJt0KrsWNb1oLfCI4r

Score
10/10
gh0strataspackv2defense_evasiondiscoveryevasionrat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Users\Public\Documents\unzip.exe
      C:/Users/Public/Documents/unzip.exe -o -P Server8888 C:/Users/Public/Documents/Server.dat -d C:/Users/Public/Documents
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1176
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib C:/Users/Public/Documents/unzip.exe +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:/Users/Public/Documents/unzip.exe +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2252
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib C:/Users/Public/Documents/Server.dat +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:/Users/Public/Documents/Server.dat +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2796
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\Server.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2464
    • C:\Users\Public\Documents\FileSmasher.exe
      C:/Users/Public/Documents/FileSmasher.exe power.jar power
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:828
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\Server.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4044
  • C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\ProgramData"&echo Server>Server.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Users\Public\Documents\unzip.exe
        C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\ProgramData"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\FileSmasher.exe
    Filesize

    54KB

    MD5

    8b58f37fefc0665fff67f2b8c7d45d2b

    SHA1

    eac428a1b047cb58b211db3f3d0e2c188b0f6709

    SHA256

    4994600f901938b072bac73c78b2ca14302a54144fde1d9d53062be5df628b8b

    SHA512

    b897b68232db4281fb742ca7c678436a4f2745c7993f6fb7f44ade86f92c1dfd47e1e166bf9fe7808c5ee57b7be74dd067308caead23f684ce44d7243d3685ec

    Download Submit

  • C:\Users\Public\Documents\Server.dat
    Filesize

    216KB

    MD5

    bb001712c53c4626de4d0d1abe081e03

    SHA1

    a5979ccc540674488d40da87bdedc39c9bc7aeff

    SHA256

    da8ceca0bc1943fa834c57b769bf6bfdce9f16727bc27e37c18726bd1160dc60

    SHA512

    47b55d43c1c9730d10c0da9259416ca40d924b290518e77f43f96c5c193ad35e9ad8c8c3d91d9307eba5000fcef66b386e39b26f06ecde297a7a537bfffa4d3d

    Download Submit

  • C:\Users\Public\Documents\Server.dll
    Filesize

    8B

    MD5

    7f0186e15bd2ed575de530aa406fcab2

    SHA1

    0aa7e29c250325809d30d1dfd668f552af279bf3

    SHA256

    8877e71ca0704eff1a46776d4d5aac070e79796e289dffada5889450663772ff

    SHA512

    7c0a274932580ead3ddd7eed69233fcf026ffab5d352a5271f0221fdb15d3e643f68a8111a25c8bd23986f4b0037fe2f6e0c1a574ac51294fa0e7ffa564602ed

    Download Submit

  • C:\Users\Public\Documents\Server.log
    Filesize

    184KB

    MD5

    745574d6f759f7fd4bdf3f3deefbc760

    SHA1

    bb4c31d9679680a4191690d6bbb8b8fd61d4a34d

    SHA256

    2428235295c64cd7715bd373bee777af7aaf4fbf96f70938bc7a3969e7d4406c

    SHA512

    d61f6e820104246fe6d24ae977da9c170c6b30e611fea6adb0d2ab17987c804abdeefc21ba55325853ce80d6e4fbb53729385887d8b6585f095601caa8760fec

    Download Submit

  • C:\Users\Public\Documents\Server.vbe
    Filesize

    179B

    MD5

    d569f44ce5792ee816b4182e3c7bc7da

    SHA1

    f16a402cd6030b5c7faa5c85ade3005d66d5232a

    SHA256

    59ff328647ccee11ad437e02b6e84c12511333553837b6fa270eefd21a3eccbf

    SHA512

    bb0f888ff00038d1787e6cce8b09b61761d93594cbfe08d2dbf650c1802938d6df7b4b854c1af97ad405fb3b1460aab339e636852d51dc6b6849d27a5af9560b

    Download Submit

  • C:\Users\Public\Documents\power.jar
    Filesize

    22KB

    MD5

    335e061a7b856f105fb1f6effda07ac1

    SHA1

    5298878cb0bbeffa5e615355bf2307b87071f919

    SHA256

    73b44891180756977ca5cf7bb3d4774832f133c75a82b4a7b398de2b37b66b25

    SHA512

    29316fe23c1c0de555bc53b09f7114d1de05b13582da2c58032b29b6bf3ebb68839a365360649c9910414652c3d1d91e1f8f4ae48515ff8dc3a3b127d8aa3ca5

    Download Submit

  • C:\Users\Public\Documents\unzip.dat
    Filesize

    1KB

    MD5

    46fd9813deaefd32bf23cac077bd98a6

    SHA1

    f4d628e2c58ca1641b09e7f8c10c01067042b43b

    SHA256

    f5c05f0d497d3810043f25aacfe861ab861be42913117dfaa6cb6bd3bb92e41b

    SHA512

    c89a936b56eac724acfc62ef0973aeeae6cd57e471bdb70ad3db83e309002abd01d9e2cd919811045d33d680dbc3eaafb4c753c912d25f98ffcf6aa9604745bd

    Download Submit

  • C:\Users\Public\Documents\unzip.exe
    Filesize

    178KB

    MD5

    3fb8214a8c2fe26ab7f2c334160a4781

    SHA1

    b47a504a76cbd3756bb0f91a24062bbc989941c0

    SHA256

    0719aad2178504a6a1b3d2ef5fb944a95f5de7a93025964c6ea5863724b9d3fd

    SHA512

    5c76b9986cd5d3e932c17c60a54648aeec829689c045a5126245d3d5d8d071166bd7e9be49eb13de1180ee131875f724d08bcb2722eadd5008d6485b32313047

    Download Submit

  • C:\Users\Public\Documents\unzip.lnk
    Filesize

    1KB

    MD5

    895564ef1b2c916945032283ff16a548

    SHA1

    6f1172303ee39fe059e8ac436493e5531862a673

    SHA256

    00817c578672e9084aa49f4f51a86180954c5de43769d88b917a131d9e9ded45

    SHA512

    09744d953bfb8ed5e44cd7ed833c17b3a4786532f14144156d1f609ebc492c5fc96253e99956cc02decede9d721ce9723615d4ab0e8a1a5a8e701760beb311ec

    Download Submit

  • memory/828-31-0x0000000074990000-0x000000007499E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/828-32-0x0000000010000000-0x0000000010032000-memory.dmp

    Filesize

    200KB

    Download