Overview
overview
10Static
static
100.exe.zip
windows7-x64
10.exe.zip
windows10-2004-x64
10.exe
windows7-x64
100.exe
windows10-2004-x64
10.data
windows7-x64
3.data
windows10-2004-x64
3.rdata
windows7-x64
3.rdata
windows10-2004-x64
3.reloc
windows7-x64
3.reloc
windows10-2004-x64
3.rsrc/BITMAP/103.bmp
windows7-x64
3.rsrc/BITMAP/103.bmp
windows10-2004-x64
7.rsrc/MANIFEST/1.xml
windows7-x64
3.rsrc/MANIFEST/1.xml
windows10-2004-x64
1.rsrc/MENU/102
windows7-x64
1.rsrc/MENU/102
windows10-2004-x64
1.rsrc/version.txt
windows7-x64
1.rsrc/version.txt
windows10-2004-x64
1.text
windows7-x64
3.text
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15-08-2024 09:26
Behavioral task
behavioral1
Sample
0.exe.zip
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
0.exe.zip
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
0.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
0.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
.data
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
.data
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
.rdata
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
.rdata
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
.reloc
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
.reloc
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
.rsrc/BITMAP/103.bmp
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
.rsrc/BITMAP/103.bmp
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
.rsrc/MANIFEST/1.xml
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
.rsrc/MANIFEST/1.xml
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
.rsrc/MENU/102
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
.rsrc/MENU/102
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
.rsrc/version.txt
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
.rsrc/version.txt
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
.text
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
.text
Resource
win10v2004-20240802-en
General
-
Target
0.exe
-
Size
71KB
-
MD5
2a9d0d06d292a4cbbe4a95da4650ed54
-
SHA1
44c32dfae9ac971c3651adbd82c821971a5400dc
-
SHA256
09a1c17ac55cde962b4f3bcd61140d752d86362296ee74736000a6a647c73d8c
-
SHA512
ed15670a18bffa1c5c1d79f1a5a653d6b2bde649164c955473580321f4ab3d048124c26e1a92e9d8ba0edaf754617d2d2c13d8db92323e09957b6de225b5314d
-
SSDEEP
1536:jWZpTtLcWyeYd4//yEZc1GJf7/QP4uirySj5e:+pZTvnyEZiGJ7/QguiryS5e
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
Processes:
resource yara_rule C:\2163300.dll family_gh0strat \??\c:\windows\filename.jpg family_gh0strat -
Deletes itself 1 IoCs
Processes:
svchost.exepid process 1808 svchost.exe -
Loads dropped DLL 2 IoCs
Processes:
0.exesvchost.exepid process 1284 0.exe 1808 svchost.exe -
Drops file in Windows directory 2 IoCs
Processes:
0.exedescription ioc process File opened for modification C:\Windows\FileName.jpg 0.exe File created C:\Windows\FileName.jpg 0.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
0.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
svchost.exepid process 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe 1808 svchost.exe -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid 4 4 4 4 4 656 -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
0.exedescription pid process Token: SeBackupPrivilege 1284 0.exe Token: SeRestorePrivilege 1284 0.exe Token: SeBackupPrivilege 1284 0.exe Token: SeRestorePrivilege 1284 0.exe Token: SeBackupPrivilege 1284 0.exe Token: SeRestorePrivilege 1284 0.exe Token: SeBackupPrivilege 1284 0.exe Token: SeRestorePrivilege 1284 0.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0.exe"C:\Users\Admin\AppData\Local\Temp\0.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\2163300.dllFilesize
64KB
MD545dc749351fd65d71da89ca2ed2766cb
SHA1e080faf81157b7f867cb56938c5e579c206af9b9
SHA256391109432ba2df9f3ebc74e0144f42a490405f7c8ecb51da01b4ce793be72f25
SHA5127e63d8778a4656a19397849a6edb483993f1183257fb8c0793ad4b5c625ed69d1b9472969bac6dfc98938e19baed7e3e61ab80085a1a6edd8a50ca660ce3bf74
-
\??\c:\NT_Path.jpgFilesize
54B
MD5599ac1dcf1ca906fc609a86d5ada1ed3
SHA1f1599d1bbeca04ac753c1858b0b1829a44e2eeaf
SHA256a6530d33f26ef0a42bbb2b3730607b05baf86babd2887951a39bddb577cd1e37
SHA512a37c93e8c1918531974439e10a802447c5129b7f6fc582680b117826030fa239fd9d4447309626b7758464dd9464a2453591e1a6cf8636eb392f799748b0e2d3
-
\??\c:\windows\filename.jpgFilesize
18.2MB
MD560e653e8c75fc43badba8fbbae40eecb
SHA186836d29b17c640f5fb1b8c370ea3b2fa66370cc
SHA25689c2a19aa60118d94db8bf0d349dfe8ca186b9bd9c952de189fb4c4af9933649
SHA512f6c4d2a5107b88b6cd73a1f8c68a51c13abcace25a6d549a54ce6d70c7b74146d6ada1a7d9a68c1ba5710d7d54ec345550bfcc109645261cdb63f4ac02604b2d