Overview

overview

10

Static

static

3

13865eb38a...a5.exe

windows7-x64

10

13865eb38a...a5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 20:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    13865eb38ab54fd36a8b649a35671dd98428424ead66fa5b35246567e79a20a5.exe

  • Size

    766KB

  • MD5

    4a11de9321553f4cae5edf002b9352df

  • SHA1

    18db73e6d8cf084817555daaeeb6e4dba16457ef

  • SHA256

    13865eb38ab54fd36a8b649a35671dd98428424ead66fa5b35246567e79a20a5

  • SHA512

    54c19ca564dcd4935e2f1e4eb8564e6fa9ceefd15df9f0b8935e0e42de46e1b147fc078df8969f4a0700f0aa215193d71f3a513713dbbb85f18ddc90355d2523

  • SSDEEP

    12288:ULlEGwAWQPHNEqI8eT6JgNVJleEKcwnpU3qVfsE3U/ivNb/1oLff9pGHNu4B2Uo9:ClEGwHQPKqIhTRJleEcnpUSpE/iNb1oM

Score
10/10
gh0strataspackv2defense_evasiondiscoveryevasionrat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\13865eb38ab54fd36a8b649a35671dd98428424ead66fa5b35246567e79a20a5.exe
    "C:\Users\Admin\AppData\Local\Temp\13865eb38ab54fd36a8b649a35671dd98428424ead66fa5b35246567e79a20a5.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Users\Public\Documents\unzip.exe
      C:/Users/Public/Documents/unzip.exe -o -P Server8888 C:/Users/Public/Documents/Server.dat -d C:/Users/Public/Documents
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1028
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib C:/Users/Public/Documents/unzip.exe +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3420
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:/Users/Public/Documents/unzip.exe +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:220
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c attrib C:/Users/Public/Documents/Server.dat +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3168
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:/Users/Public/Documents/Server.dat +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1484
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\Server.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2224
    • C:\Users\Public\Documents\FileSmasher.exe
      C:/Users/Public/Documents/FileSmasher.exe power.jar power
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1556
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\13865eb38ab54fd36a8b649a35671dd98428424ead66fa5b35246567e79a20a5.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2940
  • C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\ProgramData"&echo Server>Server.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Users\Public\Documents\unzip.exe
        C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\ProgramData"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3076

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\FileSmasher.exe
    Filesize

    54KB

    MD5

    8b58f37fefc0665fff67f2b8c7d45d2b

    SHA1

    eac428a1b047cb58b211db3f3d0e2c188b0f6709

    SHA256

    4994600f901938b072bac73c78b2ca14302a54144fde1d9d53062be5df628b8b

    SHA512

    b897b68232db4281fb742ca7c678436a4f2745c7993f6fb7f44ade86f92c1dfd47e1e166bf9fe7808c5ee57b7be74dd067308caead23f684ce44d7243d3685ec

    Download Submit

  • C:\Users\Public\Documents\Server.dat
    Filesize

    216KB

    MD5

    bcfce71e718d2a7dfca16e8f0e87b4d9

    SHA1

    aa095f7b16b6950a34d01912afeef4737870355a

    SHA256

    11436afffd49621c8e507d43daeec3389f906a244b65e34083dcfc94420dc3f2

    SHA512

    813cbb5f134f522c33ff71e6e92d7bca049dc145bba5c0ca643e99efbd01a266342af2e8319d20b63a9cb4f27f304b491b51cad8ff10e113eb91d87d5359ce8b

    Download Submit

  • C:\Users\Public\Documents\Server.dll
    Filesize

    8B

    MD5

    7f0186e15bd2ed575de530aa406fcab2

    SHA1

    0aa7e29c250325809d30d1dfd668f552af279bf3

    SHA256

    8877e71ca0704eff1a46776d4d5aac070e79796e289dffada5889450663772ff

    SHA512

    7c0a274932580ead3ddd7eed69233fcf026ffab5d352a5271f0221fdb15d3e643f68a8111a25c8bd23986f4b0037fe2f6e0c1a574ac51294fa0e7ffa564602ed

    Download Submit

  • C:\Users\Public\Documents\Server.log
    Filesize

    184KB

    MD5

    745574d6f759f7fd4bdf3f3deefbc760

    SHA1

    bb4c31d9679680a4191690d6bbb8b8fd61d4a34d

    SHA256

    2428235295c64cd7715bd373bee777af7aaf4fbf96f70938bc7a3969e7d4406c

    SHA512

    d61f6e820104246fe6d24ae977da9c170c6b30e611fea6adb0d2ab17987c804abdeefc21ba55325853ce80d6e4fbb53729385887d8b6585f095601caa8760fec

    Download Submit

  • C:\Users\Public\Documents\Server.vbe
    Filesize

    179B

    MD5

    d569f44ce5792ee816b4182e3c7bc7da

    SHA1

    f16a402cd6030b5c7faa5c85ade3005d66d5232a

    SHA256

    59ff328647ccee11ad437e02b6e84c12511333553837b6fa270eefd21a3eccbf

    SHA512

    bb0f888ff00038d1787e6cce8b09b61761d93594cbfe08d2dbf650c1802938d6df7b4b854c1af97ad405fb3b1460aab339e636852d51dc6b6849d27a5af9560b

    Download Submit

  • C:\Users\Public\Documents\power.jar
    Filesize

    22KB

    MD5

    335e061a7b856f105fb1f6effda07ac1

    SHA1

    5298878cb0bbeffa5e615355bf2307b87071f919

    SHA256

    73b44891180756977ca5cf7bb3d4774832f133c75a82b4a7b398de2b37b66b25

    SHA512

    29316fe23c1c0de555bc53b09f7114d1de05b13582da2c58032b29b6bf3ebb68839a365360649c9910414652c3d1d91e1f8f4ae48515ff8dc3a3b127d8aa3ca5

    Download Submit

  • C:\Users\Public\Documents\unzip.dat
    Filesize

    1KB

    MD5

    46fd9813deaefd32bf23cac077bd98a6

    SHA1

    f4d628e2c58ca1641b09e7f8c10c01067042b43b

    SHA256

    f5c05f0d497d3810043f25aacfe861ab861be42913117dfaa6cb6bd3bb92e41b

    SHA512

    c89a936b56eac724acfc62ef0973aeeae6cd57e471bdb70ad3db83e309002abd01d9e2cd919811045d33d680dbc3eaafb4c753c912d25f98ffcf6aa9604745bd

    Download Submit

  • C:\Users\Public\Documents\unzip.exe
    Filesize

    178KB

    MD5

    3fb8214a8c2fe26ab7f2c334160a4781

    SHA1

    b47a504a76cbd3756bb0f91a24062bbc989941c0

    SHA256

    0719aad2178504a6a1b3d2ef5fb944a95f5de7a93025964c6ea5863724b9d3fd

    SHA512

    5c76b9986cd5d3e932c17c60a54648aeec829689c045a5126245d3d5d8d071166bd7e9be49eb13de1180ee131875f724d08bcb2722eadd5008d6485b32313047

    Download Submit

  • C:\Users\Public\Documents\unzip.lnk
    Filesize

    1KB

    MD5

    895564ef1b2c916945032283ff16a548

    SHA1

    6f1172303ee39fe059e8ac436493e5531862a673

    SHA256

    00817c578672e9084aa49f4f51a86180954c5de43769d88b917a131d9e9ded45

    SHA512

    09744d953bfb8ed5e44cd7ed833c17b3a4786532f14144156d1f609ebc492c5fc96253e99956cc02decede9d721ce9723615d4ab0e8a1a5a8e701760beb311ec

    Download Submit

  • memory/1556-31-0x00000000742F0000-0x00000000742FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1556-33-0x0000000010000000-0x0000000010032000-memory.dmp

    Filesize

    200KB

    Download